Undisclosed Indian government or infrastructure organisation(s)
September 1, 2025
•[ espionage, malware, credential theft ]
Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
Ordine dei Giornalisti del Lazio
September 1, 2025
•[ ransomware, malware, government ]
A sophisticated ransomware attack targeted the IT infrastructure and internet access of the Lazio Journalists Order in Rome affecting over 20 000 members. The group DragonForce is suspected and authorities and data protection bodies are involved.
At least one undisclosed government entity in the MENA region
September 1, 2025
•[ espionage, malware, government ]
Reporting indicates a sustained espionage wave using updated Phoenix implants against government entities, with goals of persistence and data collection rather than overt disruption; activity aligns with prior MuddyWater TTPs and region-focused intelligence objectives.
Undisclosed Belgian Diplomatic Entities
September 1, 2025
•[ cyber-espionage, phishing, malware ]
China-linked UNC6384 conducted a cyber-espionage campaign beginning Sept 2025 against Belgian diplomatic entities using EU/NATO-themed phishing emails with malicious .LNK attachments exploiting ZDI-CAN-25373 to deploy PlugX via DLL side-loading. Arctic Wolf Labs attributed the activity to UNC6384.
Waterford Surgical Center
September 1, 2025
•[ ransomware, malware, healthcare ]
Safepay ransomware group attacked Waterford Surgical Center on September 1, 2025, claiming access to internal systems and exfiltration of sensitive patient and payment data. No disclosure of affected numbers.
Undisclosed Hungarian Diplomatic Entities
September 1, 2025
•[ cyber-espionage, phishing, malware ]
China-linked UNC6384 conducted a cyber-espionage campaign beginning Sept 2025 against Hungarian diplomatic entities using EU/NATO-themed phishing emails with malicious .LNK attachments exploiting ZDI-CAN-25373 to deploy PlugX via DLL side-loading. Arctic Wolf Labs attributed the activity to UNC6384.
At least one Russian government agency or aviation company
September 1, 2025
•[ phishing, malicious advertising, malware ]
HeartlessSoul has targeted Russian government agencies, aerospace firms, aviation companies, and drone operators since at least September 2025 using phishing emails with infected attachments, malicious advertising, fake aviation-software download sites, fake SourceForge projects, and malware disguised as legitimate software. Public reporting indicates the campaign was successful against one or more victims and resulted in the exfiltration of GIS, satellite, GPS, terrain, digital geographic relief, and other proprietary geospatial data.
Kerrville Independent School District
August 29, 2025
•[ ransomware, malware, education ]
Qilin ransomware group infiltrated Kerrville ISD systems, accessed and copied sensitive personnel and student information. District secured its network, reported to FBI, and provided credit protection to affected individuals.
Jaguar Land Rover
August 29, 2025
•[ ransomware, malware, manufacturing ]
Jaguar Land Rover faced a severe disruption to retail and production operations after a ransomware attack forced the automaker to shut down systems proactively.
Github
August 26, 2025
•[ hack, leak, malware ]
Malicious versions of Nx packages on npm deployed AI-powered "telemetry.js" malware to harvest credentials and secrets via AI-assistant agents. Data exfiltrated to public GitHub repos. Widespread impact on developer workstations and CI systems.
Maryland Transit Administration (MDOT)
August 26, 2025
•[ ransomware, malware, government ]
Attack by Rhysida ransomware group disrupted Maryland Transit Administrations MobilityLink systems and exfiltrated internal and personal data. Group demanded 30 BTC ransom.
Miljödata
August 25, 2025
•[ ransomware, leak, malware ]
In August 2025, the Swedish system supplier Miljdata was the victim of a ransomware attack. Following the attack, data was subsequently published on the dark web and included 870k unique email addresses across various compromised files. Data also included names, phone numbers, physical addresses, dates of birth and government-issued personal identity numbers.
Elche City Council
August 25, 2025
•[ ransomware, malware, government ]
Ransomware attack crippled the Elche City Councils operations, affecting Finance, Social Services, and the Mayor's Office; ~1,500 devices were shut down. Emergency manual protocols were activated. A full recovery plan is underway with 4.5 million allocated.
Nevada State Government (multiple agencies)
August 24, 2025
•[ ransomware, malware, government ]
State described a ransomware-based attack discovered Aug 24 that forced two-day office closures and knocked multiple agency websites/phones offline; CIO confirmed some state data was exfiltrated, but nature/volume unknown; no actor has claimed responsibility.
Miljödata (IT supplier for municipalities)
August 23, 2025
•[ ransomware, leak, malware ]
Suspected ransomware attack against Swedish IT supplier Miljdata disrupted critical services for ~200 municipalities starting August 23, 2025. Systems were encrypted, and attackers threatened to leak stolen personal and medical data unless paid 1.5 BTC.
Government, tech, academic & telecom entities; global
August 22, 2025
•[ espionage, malware, government ]
CrowdStrike reports that multiple Chinese-linked groupsMurky Panda, Genesis Panda, and Glacial Pandahave exploited vulnerabilities (e.g., Citrix CVE-2023-3519, Commvault CVE-2025-3928) to deploy the CloudedHope malware for covert espionage against cloud, telecom, government, tech, academic, legal, and professional services organizations worldwide.
EastIdahoNews.com
August 20, 2025
•[ social, malware, technology ]
Fake virus scanner pop-ups served via third-party ads disrupted user experienceno evidence of data theft or system compromise.
Pittsburgh Gastroenterology Associates
August 20, 2025
•[ ransomware, malware, healthcare ]
On August 20, 2025, the Sinobi ransomware group hacked Pittsburgh Gastroenterologys internal systems, exfiltrating sensitive medical and personal information. The practice is involved in notifications and legal investigations following the breach.
Motility Software Solutions
August 19, 2025
•[ ransomware, malware, technology ]
Motility Software Solutions detected suspicious activity on Aug 19 2025 and confirmed ransomware deployment and data theft impacting about 760,000 individuals. Stolen data included names, birthdates, drivers license numbers, and SSNs. No threat actor attribution was disclosed.
Middletown, Ohio Municipal Services
August 17, 2025
•[ ransomware, malware, government ]
Middletown, Ohio suffered a cyberattacklikely ransomwarethat began around Aug 17, 2025. Multiple city service systems remained offline for weeks; some employee information may have been affected (per preliminary findings), but no definitive evidence of data exfiltration. No actor has been identified.
