Undisclosed critical infrastructure organization
April 6, 2026
•[ Chinese-nexus intrusions, critical infrastructure, lateral movement ]
Darktrace reported Chinese-nexus intrusions affecting critical infrastructure organizations, with some high-value intrusions involving lateral movement before data exfiltration.
At least one unnamed victim organization
January 1, 2026
•[ social engineering, credential theft, MFA manipulation ]
MuddyWater, an Iran-linked APT associated with Iran's Ministry of Intelligence and Security (MOIS), used Microsoft Teams social engineering against an unnamed victim organization in early 2026. The attackers established remote access, stole credentials, manipulated MFA protections, deployed AnyDesk and DWAgent for persistence, moved laterally, harvested VPN configuration files and other sensitive data, and exfiltrated information. The attackers later sent extortion emails referencing Chaos ransomware and directed the victim to a Chaos leak site, but reporting said no file-encrypting ransomware was deployed, indicating the ransomware framing was likely a false flag for espionage activity.
Undisclosed organization
December 1, 2025
•[ email bombing, Microsoft Teams impersonation, Snow malware ]
UNC6692 used email bombing and Microsoft Teams helpdesk impersonation to deliver the Snow malware suite, moved laterally through the victim environment, reached domain controllers, extracted the Active Directory database and registry hives with FTK Imager, and exfiltrated the files using LimeWire.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
At least one undisclosed government and/or tech company
November 4, 2024
•[ state-sponsored, malware, backdoor ]
Government cybersecurity reporting described PRC state-sponsored actors using BRICKSTORM malware to maintain long-term persistence in victim environments, primarily affecting government services/facilities and IT sector organizations. In a documented case, actors accessed a DMZ web server (with a web shell present), moved laterally using service account credentials, copied Active Directory databases, pivoted into VMware vCenter, accessed domain controllers and an ADFS server, and exported cryptographic keys. BRICKSTORM provided stealthy backdoor access for command-and-control and remote operations and was used for persistence from at least April 2024 through at least September 3, 2025. The specific victim organization name was not disclosed in the reporting.
