Singapore Cloud / Hosting Providers
March 1, 2025
•[ espionage, technology ]
UNC5221 leveraged Singapore hosting infrastructure for staging and potential local access during the 2025 BRICKSTORM campaign; targeting aligns with Chinese state-linked espionage.
Multiple Japanese Targets (MSPs, Cloud Partners)
March 1, 2025
•[ espionage, technology ]
UNC5221 activity included compromises of Japanese managed-service providers as part of the BRICKSTORM espionage operation active in 2025.
Digital Realty
March 1, 2025
•[ state-sponsored attack, espionage, vulnerability exploit ]
The Ministry of State Security (MSS)linked group Salt Typhoon infiltrated Digital Realty and other data-center operators in early 2025 by exploiting vulnerabilities in network-appliance infrastructure and stolen credentials. Microsoft attributed the campaign to PRC state-sponsored espionage targeting Western critical-infrastructure providers.
Undisclosed Taiwan government agencies
March 1, 2025
•[ phishing, malware, espionage ]
Trend Micro and THN describe a March 2025 spear-phishing campaign by China-aligned MirrorFace targeting public institutions in Japan and Taiwan using OneDrive-delivered ZIPs that dropped ROAMINGMOUSE and an upgraded ANEL backdoor; reporting outlines techniques and targeting, not specific victim impact details for a single named org.
Undisclosed Myanmar government organization
March 1, 2025
•[ state-sponsored attack, malware, rootkit ]
Chinese state-linked threat actors deployed a kernel-mode rootkit to conceal ToneShell malware on systems belonging to a Myanmar government organization, enabling stealthy persistent access.
Multiple South Korean government and business entities
February 12, 2025
•[ phishing, espionage ]
Spear-phishing campaign leveraging LNK and PowerShell scripts deployed by North Koreas RGB 3rd Technical Surveillance Bureau (Kimsuky) targeting South Korean government, defense, and cryptocurrency sectors.
Office of the Comptroller of the Currency (OCC)
February 11, 2025
•[ data leak, email compromise, espionage ]
In February 2025, the U.S. Department of the Treasurys Office of the Comptroller of the Currency detected unauthorized access to its Microsoft 365 email environment. The compromise, which persisted for months before discovery, exposed roughly 103 mailboxes and more than 150,000 emails containing sensitive financial supervisory information. No attribution has been made public, but the incident exhibited characteristics of an espionage-focused breach. No encryption, ransom demand, or operational disruption was reported.
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Securitys Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.
163.com Users
February 4, 2025
•[ phishing, espionage ]
The Taiwanese-linked espionage group GreenSpot APT (aka PoisonVine / APT-Q-20) created spoofed 163.com domains and fake download pages to harvest email credentials from users in mainland China, Hong Kong, and Taiwan. Hunt.io attributed the campaigns infrastructure to Taiwan but no government department link has been identified.
Fanpage.it / Francesco Cancellato
January 31, 2025
•[ spyware, espionage, zero-click ]
Francesco Cancellato, editor-in-chief of Fanpage.it, was targeted with the Israeli-made Graphite spyware developed by Paragon Solutions, delivered via WhatsApp zero-click exploit. Citizen Lab and CPJ linked the campaign to a likely state client of Paragon, with political-espionage motives tied to Fanpages undercover investigation exposing neo-fascist youth elements within Italys ruling party. No confirmed infection or data exfiltration publicly reported.
ipany (VPN software developed by a South Korean company)
January 22, 2025
•[ espionage, technology ]
Researchers from ESET link a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon to a supply chain attack targeting ipany a South Korean virtual private network (VPN) provider.
Embassies, lawyers, government-backed banks, and think tanks in Kyrgyzstan
January 21, 2025
•[ espionage, government ]
Researchers at Seqrite discover a previously undocumented threat actor dubbed Silent Lynx, linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan.
Multiple organizations in the Crypto Space
January 15, 2025
•[ espionage, financial, finance ]
Researchers at SecurityScorecard uncovered Operation 99, a campaign by the Lazarus Group, North Koreas state-sponsored hacking unit, targeting software developers looking for freelance Web3 and cryptocurrency work.
Government bodies in Kazakhstan
January 13, 2025
•[ espionage, government ]
Researchers at Sekoia attribute the Russia-linked threat actors from APT28 to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia.
Committee on Foreign Investment in the United States (CFIUS)
January 10, 2025
•[ espionage, government ]
Silk Typhoon Chinese state-backed threat actors reportedly breach the Committee on Foreign Investment in the United States (CFIUS), a Treasury Department office that reviews foreign investments for national security risks.
Organizations, businesses, and individuals in Japan
January 8, 2025
•[ espionage, government ]
Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) accuse a China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019.
Unnamed high-profile Ukrainian entities
January 2, 2025
•[ espionage, malware, government ]
{"richText":[{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"ESET observed coordination where "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"Gamaredon tools (PteroGraphin/PteroOdd/PteroPaste)"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" deployed or restarted "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"Turlas Kazuar"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" on Ukrainian systems during "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"FebApr 2025"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":", marking the first documented collaboration between these FSB-linked groups; focus is "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"espionage access"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" rather than disruption."}]}
Undisclosed law firm in Canada
January 1, 2025
•[ espionage ]
EarthKapre, also known as RedCurl, is a highly sophisticated cyber espionage group known for its advanced operations, primarily targeting private-sector organizations with a focus on corporate espionage. The target of this attack is an organization within the Law Firms & Legal Services industry.
Thai Government Officials
December 13, 2024
•[ espionage, malware, government ]
Researchers at Netskope discover a campaign targeting Thai government officials through DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.
Undisclosed Large U.S. Organization
December 5, 2024
•[ espionage ]
Researchers from Broadcom/Symantec reveal that a large U.S. organization was targeted by Chinese cyber-espionage actors.
