At least one government agency or state-owned enterprise in Southeast Asia
April 10, 2025
•[ data leak, espionage, government ]
The Record, citing Symantecs Threat Hunter Team, reported that the China-linked APT group Billbug (also known as Thrip and Lotus Blossom) compromised multiple government and critical infrastructure organizations in a Southeast Asian country in April 2025. The campaign involved exploitation of legitimate digital certificates and living-off-the-land tools to exfiltrate sensitive documents from government and military networks. No encryption or disruption was reported, and the activity is assessed as political espionage conducted under Chinas Ministry of State Security.
Ukrainian government and military entities
April 1, 2025
•[ malware, data leak, espionage ]
Russian FSB 18th Center for Information Security (Gamaredon) deployed updated GammaSteel malware to exfiltrate sensitive data from Ukrainian government and defense networks in an ongoing espionage campaign; no operational disruption reported.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ espionage, data leak, state-sponsored attack ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
German Association for Eastern European Studies (DGO)
March 27, 2025
•[ data leak, espionage, government ]
SVR (COZYBEAR) infiltrated email servers of the German Association for Eastern European Studies in late March 2025, exfiltrating correspondence and membership data; the German Interior Ministry formally attributed the intrusion to Russias foreign intelligence service on April 22 2025.
Undisclosed European drone manufacturer
March 25, 2025
•[ phishing, social engineering, malware ]
North Korean operators approached European defense engineers with fake job offers, delivering loaders that sideloaded ScoringMathTea and BinMergeLoader/MISTPEN to exfiltrate proprietary UAV designs and manufacturing know-how. Intelligence-collection focus; campaign targets several firms rather than one discrete victim record.
French government officials
March 9, 2025
•[ espionage, malware, government ]
Apple notified French officials of targeted mercenary-spyware attacks (latest Sep 3, 2025); CERT-FR says this is the fourth wave in 2025; highly targeted espionage against high-profile users; Apple recommends Lockdown Mode and expert assistance; no attribution disclosed.
U.S.–China Business Council
March 7, 2025
•[ espionage, phishing, government ]
China-linked APT41/TA415 impersonated Rep. Moolenaar and USCBC in July 2025 spear-phishing to deliver malware and create remote tunnels to spy on U.S. trade-policy stakeholders; investigations ongoing; success not verified.
Polish Space Agency (Polsa)
March 2, 2025
•[ cyberattack, network intrusion, service disruption ]
The Polish Space Agency (POLSA) went offline after detecting a cyberattack that forced it to disconnect its internal network from the internet to contain the incident. National cybersecurity teams, including CSIRT NASK and CSIRT MON, were engaged to assist in investigating and restoring operations. While POLSA did not disclose specific details, internal sources suggested that email systems were compromised. As a member of the European Space Agency, POLSA temporarily suspended several digital services while ensuring containment, system recovery, and investigation into potential espionage or disruption motives behind the attack.
Undisclosed Taiwan government agencies
March 1, 2025
•[ phishing, malware, espionage ]
Trend Micro and THN describe a March 2025 spear-phishing campaign by China-aligned MirrorFace targeting public institutions in Japan and Taiwan using OneDrive-delivered ZIPs that dropped ROAMINGMOUSE and an upgraded ANEL backdoor; reporting outlines techniques and targeting, not specific victim impact details for a single named org.
Multiple Japanese Targets (MSPs, Cloud Partners)
March 1, 2025
•[ espionage, technology ]
UNC5221 activity included compromises of Japanese managed-service providers as part of the BRICKSTORM espionage operation active in 2025.
Undisclosed Myanmar government organization
March 1, 2025
•[ state-sponsored attack, malware, rootkit ]
Chinese state-linked threat actors deployed a kernel-mode rootkit to conceal ToneShell malware on systems belonging to a Myanmar government organization, enabling stealthy persistent access.
Singapore Cloud / Hosting Providers
March 1, 2025
•[ espionage, technology ]
UNC5221 leveraged Singapore hosting infrastructure for staging and potential local access during the 2025 BRICKSTORM campaign; targeting aligns with Chinese state-linked espionage.
Multiple Netherlands Targets (BPO, MSP Providers)
March 1, 2025
•[ espionage, technology ]
UNC5221 compromised Netherlands-based BPO and MSP providers to gain secondary access to client environments; activity attributed to Chinese cyber-espionage operations.
Multiple U.S. Targets (Law Firms, SaaS, Tech Firms)
March 1, 2025
•[ espionage, malware, technology ]
Chinese APT UNC5221 deployed the BRICKSTORM backdoor to infiltrate U.S. law firms and SaaS providers for intelligence collection. Campaign active from March through September 2025.
Multiple German Targets (Corporate Legal, Professional Services)
March 1, 2025
•[ espionage, technology ]
German professional-services and corporate-law entities were likely compromised by UNC5221 during the 2025 BRICKSTORM espionage campaign exploiting Ivanti edge devices.
Multiple U.K. Targets (Professional Services, Law Firms)
March 1, 2025
•[ espionage, technology ]
UNC5221 targeted British professional-services firms for espionage, part of the broader BRICKSTORM campaign observed globally in 2025.
Digital Realty
March 1, 2025
•[ state-sponsored attack, espionage, vulnerability exploit ]
The Ministry of State Security (MSS)linked group Salt Typhoon infiltrated Digital Realty and other data-center operators in early 2025 by exploiting vulnerabilities in network-appliance infrastructure and stolen credentials. Microsoft attributed the campaign to PRC state-sponsored espionage targeting Western critical-infrastructure providers.
Multiple South Korean government and business entities
February 12, 2025
•[ phishing, espionage ]
Spear-phishing campaign leveraging LNK and PowerShell scripts deployed by North Koreas RGB 3rd Technical Surveillance Bureau (Kimsuky) targeting South Korean government, defense, and cryptocurrency sectors.
Office of the Comptroller of the Currency (OCC)
February 11, 2025
•[ data leak, email compromise, espionage ]
In February 2025, the U.S. Department of the Treasurys Office of the Comptroller of the Currency detected unauthorized access to its Microsoft 365 email environment. The compromise, which persisted for months before discovery, exposed roughly 103 mailboxes and more than 150,000 emails containing sensitive financial supervisory information. No attribution has been made public, but the incident exhibited characteristics of an espionage-focused breach. No encryption, ransom demand, or operational disruption was reported.
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Securitys Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.
