Former Mossad Chief Tamir Pardo
March 25, 2026
•[ data leak, espionage, email breach ]
Handala published material from the personal Gmail account of former Mossad chief Tamir Pardo, and later reporting said the leak included business correspondence and a draft letter addressed to a CIA chief.
At least one member of the Ukrainian armed forces
March 16, 2026
•[ espionage, spyware, phishing ]
The Record reported researchers attributed a new espionage campaign targeting Ukrainian organizations to the Russia-linked group Laundry Bear (Void Blizzard), active since at least 2024. The campaign used spyware embedded in documents themed around Starlink satellite terminals and a well-known Ukrainian charity. The article is campaign reporting (multiple targets) and does not provide a single named victim incident with bounded impact metrics.
Israeli surveillance cameras
March 10, 2026
•[ espionage, security cameras, password security ]
Israels National Cyber Directorate stated it had identified dozens of Iranian breaches into security cameras for espionage purposes since the start of the regional war. The directorate said it was alerting hundreds of camera owners and urged the public to change passwords and update software to reduce both national and personal security risk.
Tehran traffic cameras
March 3, 2026
•[ hacking, surveillance, espionage ]
DataBreaches summarized reporting alleging Israeli intelligence hacked or accessed a very large portion of Tehrans traffic camera network over multiple years to track senior Iranian officials, including Ayatollah Ali Khamenei. The reporting claimed real-time camera data (including cameras around Khameneis compound) was encrypted and transmitted to servers in Israel and used to build pattern of life intelligence, such as where security teams parked vehicles.
Undisclosed Qatari organization
March 1, 2026
•[ DLL hijacking, PlugX, backdoor malware ]
HackRead summarized Check Point Research describing a China-linked campaign beginning March 1, 2026 that used conflict-themed lures and DLL hijacking to install PlugX backdoor malware against targets in Qatar. The report described lures disguised as war news and a separate energy-sector lure delivering a Rust loader and ultimately Cobalt Strike, with the goal of espionage against Qatars military and oil/gas interests.
At least one US government official
January 19, 2026
•[ spearphishing, espionage, DLL sideloading ]
HackRead summarized Acronis research describing an espionage-oriented spearphishing campaign targeting U.S. government entities using Venezuela-related news as bait. The described chain used a lure archive and DLL sideloading to load a backdoor dubbed LOTUSLITE, enabling remote access actions such as file collection and command execution on compromised systems. The article stated the researchers attributed the activity with moderate confidence to the China-backed group Mustang Panda (aka HoneyMyte).
Congressional Staff email platform
January 11, 2026
•[ cyber intrusion, state-backed hacking, email compromise ]
TechStory reported that a cyber intrusion linked to the China-associated group known as Salt Typhoon compromised email systems used by staff supporting multiple powerful U.S. House committees (including foreign affairs, intelligence, and defense-related panels). The report said the intrusions were detected in December 2025, but investigators were still determining how long access persisted, what data was viewed or extracted, and whether any lawmakers personal accounts were affected. U.S. agencies and House offices were described as offering limited public comment while investigations continued, and China was reported as denying allegations of state-backed hacking.
At least one Telecom company in South Asia
January 8, 2026
•[ espionage, malware, threat intelligence ]
The Hacker News summarized Cisco Talos research attributing espionage-focused intrusions to a China-nexus actor tracked as UAT-7290. The campaign reportedly targets telecom entities in South Asia and Southeastern Europe, performing extensive reconnaissance followed by compromise activity that can lead to deployment of malware families including RushDrop, DriveSwitch, and SilentRaid. The article is threat-intelligence reporting focused on actor behavior, tooling, and geographic targeting, and it does not provide a bounded, single victim incident record with confirmed impact metrics (e.g., downtime or specific data stolen) for one named organization.
At least one government official
January 1, 2026
•[ espionage, phishing, surveillance tools ]
A Mustang Panda espionage campaign (late Dec 2025 to mid-Jan 2026) using fake diplomatic briefing documents to trick high-level targets into installing surveillance tools. It does not provide a single named victim organization with a confirmed primary effect suitable for one incident record; it is campaign-level reporting.
Undetermined government and diplomatic entities (Oman, Morocco, Palestinian Authority)
December 12, 2025
•[ malware, information theft, espionage ]
The Record summarized threat-intelligence reporting alleging a Hamas-affiliated group (called Ashen Lepus) used malware-laden documents to compromise multiple government and diplomatic entities tied to Oman, Morocco, and the Palestinian Authority, including a malware strain referred to as AshTag used for information theft.
China Xinchuang Initiative (at least one affiliated organization)
December 9, 2025
•[ phishing, malware, espionage ]
Security researchers reported a spear-phishing and malware campaign attributed to APT32 that successfully compromised at least one organization within Chinas Xinchuang Initiative IT ecosystem, resulting in unauthorized access for espionage purposes.
At least one policy expert on Iran
November 5, 2025
•[ phishing, credential theft, espionage ]
The Hacker News, citing a Proofpoint investigation, describes a newly identified threat cluster dubbed UNK_SmudgedSerpent conducting credential phishing and remote access operations against more than twenty Iran focused subject matter experts at a U.S. based foreign policy think tank between June and August 2025, amid heightened IranIsrael tensions. Attackers impersonated prominent policy figures and used benign email conversations to lure victims to fake Microsoft Teams and OnlyOffice login pages hosted on health themed domains that captured account credentials. In some cases the operation progressed to deploying legitimate remote monitoring tools such as PDQ Connect and ISL Online for hands on keyboard access, supporting longer term espionage against the target institution and aligning with tactics used by established Iranian cyber intelligence groups.
An undisclosed critical infrastructure company in Zambia
November 1, 2025
•[ espionage, phishing, vulnerability exploitation ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during NovDec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
Two undisclosed government departments in a South American country
October 22, 2025
•[ vulnerability exploitation, espionage, data leak ]
Actors exploited a patched SharePoint ToolShell flaw to gain initial access at a telecom, harvest credentials, and pivot across AD-joined systems. Activity included beaconing and data staging consistent with telecom espionage. No operational shutdown reported; primary effect is unauthorized access and data collection.
National Time Service Center
October 20, 2025
•[ espionage, state-sponsored attack ]
China accuses U.S. NSA of cyber-espionage against NTSC timing systems
Russian IT service provider
October 15, 2025
•[ data leak, espionage, apt ]
China-linked Jewelbug infiltrated Russian IT provider for months, exfiltrating repositories and data
MAYA Systems Ltd.
October 12, 2025
•[ data leak, hacktivism, espionage ]
An Iran-linked hacktivist group known as Cyber Toufan claimed responsibility for breaching Israeli defense contractor MAYA Systems in October 2025, stealing and releasing files allegedly showing Iron Beam laser-defense system designs and other IDF technologies. Israeli authorities have not verified the authenticity of the leaked materials.
Francesco Gaetano Caltagirone
October 9, 2025
•[ spyware, espionage, government ]
Report that Graphite spyware was used to spy on the businessman; tool sold to governments.
Williams & Connolly
October 8, 2025
•[ espionage, state-sponsored attack, data leak ]
Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
Kansas City National Security Campus network
October 1, 2025
•[ vulnerability exploitation, espionage, nation-state actor ]
CSO reports KCNSC (NNSA nuclear components plant) was infiltrated via unpatched on-prem SharePoint. Microsoft tied the wider wave to China-linked actors, while a KCNSC source suggested a Russian group; DOE later said the department was minimally impacted. Primary effect: covert access/collection, not OT disruption.
