At least one organization in Southeast Asia
October 1, 2025
•[ espionage, APT activity, vulnerability exploitation ]
BleepingComputer summarized Check Point research on a newly tracked actor Amaranth Dragon, linked to China-aligned APT activity, which exploited WinRAR CVE-2025-8088 in espionage operations against government and law enforcement entities in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The actor used geofenced infrastructure and a custom loader to deliver encrypted payloads (including Havoc and a newer TGAmaranth RAT using Telegram for C2). Because the article is campaign/threat-research reporting without a discrete, named victim event record and bounded impacts, event_type and event_subtype are coded as NA for CED incident purposes.
At least one undisclosed government entity in the MENA region
September 1, 2025
•[ espionage, malware, government ]
Reporting indicates a sustained espionage wave using updated Phoenix implants against government entities, with goals of persistence and data collection rather than overt disruption; activity aligns with prior MuddyWater TTPs and region-focused intelligence objectives.
Undisclosed Indian government or infrastructure organisation(s)
September 1, 2025
•[ espionage, malware, credential theft ]
Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
Government, tech, academic & telecom entities; global
August 22, 2025
•[ espionage, malware, government ]
CrowdStrike reports that multiple Chinese-linked groups (Murky Panda, Genesis Panda, and Glacial Panda) have exploited vulnerabilities (e.g., Citrix CVE-2023-3519, Commvault CVE-2025-3928) to deploy the CloudedHope malware for covert espionage against cloud, telecom, government, tech, academic, legal, and professional services organizations worldwide.
Multiple critical infrastructure sectors (via Cisco devices)
August 20, 2025
•[ espionage, technology ]
FBI and Cisco warn of ongoing Russian FSB Center 16 campaign exploiting CVE-2018-0171 in Cisco Smart Install, compromising thousands of network devices across critical infrastructure globally for reconnaissance and persistent access.
Foreign embassies in Moscow (multiple missions)
July 31, 2025
•[ espionage, malware, government ]
FSB-linked APT Secret Blizzard (Turla) used ISP-level access in Russia to deliver espionage malware against multiple foreign embassies in Moscow; campaign disclosed by Microsoft. Data stolen likely includes diplomatic emails/credentials; exact volume not reported.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsoft's July patch to gain initial access at a telecom, escalate privileges (e.g., via PetitPotam), harvest credentials, and deploy ShadowPad, Zingdoor and KrustyLoader for persistent espionage against telecom and government networks. The primary effect was covert access and collection, not service outage.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
Undisclosed Ukrainian local government entity
July 1, 2025
•[ espionage, webshell, intrusion ]
Symantec observed multi-week summer 2025 espionage intrusion against a Ukrainian local government network using LocalOlive webshell and dual-use Windows tools; no operational disruption reported.
International Criminal Court (ICC)
June 30, 2025
•[ cyberattack, espionage ]
ICC reported a cyberattack that was detected and contained. Impact and data access are undisclosed. This follows a 2023 espionage incident.
Unnamed Jerusalem CCTV streaming provider
June 17, 2025
•[ espionage, nation-state actor, CCTV compromise ]
According to Amazon's threat intelligence team, Iranian-linked group MuddyWater provisioned attack infrastructure in mid-May 2025 and then used it on June 17, 2025 to access a compromised server streaming live CCTV footage from Jerusalem. Analysts assess that the group leveraged this access to gather real-time visual intelligence to refine targeting for a June 23 missile attack launched by Iran, in what Amazon terms cyber-enabled kinetic targeting. The case highlights how cyber intrusions against surveillance systems can directly support physical military operations without causing digital outages or data theft in the traditional sense.
United States National Guard (select components)
June 15, 2025
•[ espionage, nation-state ]
SecurityWeek reported that China-linked Salt Typhoon compromised National Guard systems in an espionage operation; details limited.
The Washington Post
June 13, 2025
•[ data leak, espionage, email compromise ]
A targeted intrusion discovered on June 13 2025 compromised a limited number of Washington Post journalist email accounts, exposing internal correspondence and attachments. The publication stated no subscriber or HR data was affected. Investigation remains ongoing with indications of potential state-sponsored activity.
Catwatchful
June 9, 2025
•[ espionage, SQL injection, technology ]
In June 2025, spyware maker Catwatchful suffered a data breach that exposed over 60k customer records. The breach was due to a SQL injection vulnerability that allowed email addresses and plaintext passwords to be extracted from the system.
Multiple diplomatic and international organizations (participating in Gaza peace talks)
June 1, 2025
•[ espionage, social, phishing ]
Homeland Justice, an Iranian MOIS-linked group, compromised an Omani Embassy email account and used it to deliver spear-phishing attachments to diplomats and international mediators engaged in Gaza ceasefire negotiations. This was an espionage operation with no service disruption reported. Roughly 72K+ malicious Word-document emails were sent from the compromised Omani Embassy in Paris account; targets included Egyptian officials, U.S. and Qatari mediators, and organizations such as the UN, UNICEF, the World Bank, and the African Union during the Gaza ceasefire talks.
WhatsApp/Apple
June 1, 2025
•[ espionage, malware, technology ]
A zero-click spyware campaign exploited WhatsApp and Apple zero-day flaws, infecting fewer than 200 civil society individuals globally between June and August 2025. Attackers likely state-sponsored.
Undisclosed organizations in China
May 27, 2025
•[ cyberattacks, espionage ]
China publicly accused individuals allegedly linked to Taiwan's military of cyberattacks and espionage against Chinese entities.
Undisclosed Tajikistan government agencies
May 22, 2025
•[ espionage, phishing, data collection ]
Researchers reported a Russia-aligned espionage campaign targeting Tajik government, academic, and research entities using phishing lures and macro-enabled docs to collect data.