Foreign embassies in Moscow (multiple missions)
July 31, 2025
•[ espionage, malware, government ]
FSB-linked APT Secret Blizzard (Turla) used ISP-level access in Russia to deliver espionage malware against multiple foreign embassies in Moscow; campaign disclosed by Microsoft. Data stolen likely includes diplomatic emails/credentials; exact volume not reported.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsoft's July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
Undisclosed Ukrainian local government entity
July 1, 2025
•[ espionage, webshell, intrusion ]
Symantec observed a multi-week summer 2025 espionage intrusion against a Ukrainian local government network using the LocalOlive webshell and dual-use Windows tools; no operational disruption reported.
International Criminal Court (ICC)
June 30, 2025
•[ cyberattack, espionage ]
ICC reported a cyberattack detected and contained. Impact and data access undisclosed. This follows a 2023 espionage incident.
Unnamed Jerusalem CCTV streaming provider
June 17, 2025
•[ espionage, nation-state actor, CCTV compromise ]
According to Amazon's threat intelligence team, Iranian-linked group MuddyWater provisioned attack infrastructure in mid-May 2025 and then used it on June 17, 2025 to access a compromised server streaming live CCTV footage from Jerusalem. Analysts assess that the group leveraged this access to gather real-time visual intelligence to refine targeting for a June 23 missile attack launched by Iran, in what Amazon terms cyber-enabled kinetic targeting. The case highlights how cyber intrusions against surveillance systems can directly support physical military operations without necessarily causing digital outages or data theft in the traditional sense.
United States National Guard (select components)
June 15, 2025
•[ espionage, nation-state ]
SecurityWeek reported that China-linked Salt Typhoon compromised National Guard systems in an espionage operation; details limited.
The Washington Post
June 13, 2025
•[ data leak, espionage, email compromise ]
A targeted intrusion discovered on June 13, 2025 compromised a limited number of Washington Post journalist email accounts, exposing internal correspondence and attachments. The publication stated no subscriber or HR data was affected. Investigation remains ongoing with indications of potential state-sponsored activity.
Catwatchful
June 9, 2025
•[ espionage, sqlinjection, technology ]
In June 2025, spyware maker Catwatchful suffered a data breach that exposed over 60k customer records. The breach was due to a SQL injection vulnerability that enabled email addresses and plain text passwords to be extracted from the system.
Multiple diplomatic and international organizations (participating in Gaza peace talks)
June 1, 2025
•[ espionage, social, phishing ]
Homeland Justice, an Iranian MOIS-linked group, compromised an Omani Embassy email account and used it to deliver spear-phishing attachments to diplomats and international mediators engaged in Gaza ceasefire negotiations. This was an espionage operation with no service disruption reported. ~72K+ malicious Word emails sent via spear-phishing from a compromised Omani Embassy in Paris account; targeted Egyptian officials, U.S. and Qatari mediators, and organizations such as UN, UNICEF, World Bank, and African Union during Gaza ceasefire talks.
WhatsApp/Apple
June 1, 2025
•[ espionage, malware, technology ]
A zero-click spyware campaign exploited WhatsApp and Apple zero-day flaws, infecting fewer than 200 civil society individuals globally between June and August 2025. Attackers likely state-sponsored.
Undisclosed organizations in China
May 27, 2025
•[ cyberattacks, espionage ]
China publicly accused individuals allegedly linked to Taiwan's military of cyberattacks and espionage against Chinese entities.
Undisclosed Tajikistan government agencies
May 22, 2025
•[ espionage, phishing, data collection ]
Researchers reported a Russia-aligned espionage campaign targeting Tajik government, academic, and research entities using phishing lures and macro-enabled docs to collect data.
Independent film makers
May 21, 2025
•[ espionage, malware, government ]
While detained in May 2025, filmmakers' phones were allegedly infected with FlexiSPY; forensic analysis ties installation to police custody (May 21). Devices were returned July 10. CPJ/Citizen Lab publicly detailed findings on Sept 10-12; The Standard reported the allegations Sept 10.
Kurdish forces
May 14, 2025
•[ espionage, vulnerability, zero-day ]
Turkey-linked espionage operators exploited a zero-day in Output Messenger to surveil Iraq-based Kurdish forces, collecting communications and device data; Microsoft attributed the activity to a Turkey-aligned group focused on intelligence collection.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram bot-based malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Defense and critical-infrastructure entities in Kazakhstan
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Kazakhstan, resulting in unauthorized access and data exfiltration.