Les Automotive
March 17, 2025
•[ supply chain attack, malware ]
Supply-chain compromise at vendor led dealership sites to serve malicious clickfix.
Apple Customers
March 9, 2025
•[ hack, malware, technology ]
The French government says Apple sent out threat notifications to customers alerting them to spyware attacks earlier in September.
French government officials
March 9, 2025
•[ espionage, malware, government ]
Apple notified French officials of targeted mercenary-spyware attacks (latest Sep 3, 2025); CERT-FR says this is the fourth wave in 2025; highly targeted espionage against high-profile users; Apple recommends Lockdown Mode and expert assistance; no attribution disclosed.
Szpital MSWiA (Ministry of Interior Hospital) Kraków
March 8, 2025
•[ ransomware, malware, healthcare ]
Cyberattack on the Ministry of Interior hospital in Krakw encrypted administrative and medical IT systems, fully paralyzing patient care and access to records. Hospital departments began restoring systems by March 11, indicating ~3 days of disruption. No data exfiltration or perpetrator identified.
United Arab Emirates Government Entities
March 4, 2025
•[ malware, backdoor ]
Researchers reported Sosano backdoor used against UAE aviation and transport organizations.
Multiple U.S. Targets (Law Firms, SaaS, Tech Firms)
March 1, 2025
•[ espionage, malware, technology ]
Chinese APT UNC5221 deployed the BRICKSTORM backdoor to infiltrate U.S. law firms and SaaS providers for intelligence collection. Campaign active from March through September 2025.
Undisclosed Taiwan government agencies
March 1, 2025
•[ phishing, malware, espionage ]
Trend Micro and THN describe a March 2025 spear-phishing campaign by China-aligned MirrorFace targeting public institutions in Japan and Taiwan using OneDrive-delivered ZIPs that dropped ROAMINGMOUSE and an upgraded ANEL backdoor; reporting outlines techniques and targeting, not specific victim impact details for a single named org.
Undisclosed Myanmar government organization
March 1, 2025
•[ state-sponsored attack, malware, rootkit ]
Chinese state-linked threat actors deployed a kernel-mode rootkit to conceal ToneShell malware on systems belonging to a Myanmar government organization, enabling stealthy persistent access.
Undisclosed Thailand government organization
March 1, 2025
•[ malware ]
Researchers identified the use of a signed kernel-mode driver to hide ToneShell malware activity on systems of a Thai government organization, allowing covert long-term access.
Goshen Medical Center
February 15, 2025
•[ ransomware, leak, malware ]
BianLian-attributed intrusion at Goshen Medical Center; files accessed on 02/15/2025, detected 03/04/2025; 456,385 affected with PHI/PII including SSNs and DL numbers; listed on BianLians leak site in March; no outage confirmed.
Cocospy
February 14, 2025
•[ hack, malware, technology ]
In February 2025, the spyware service Cocospy suffered a data breach along with sibling spyware service, Spyic. The Cocospy breach alone exposed almost 1.8M customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs, and more. The data was provided to HIBP by a source who requested it be attributed to "zathienaephi@proton.me".
Kosovo Central Election Commission (KQZ)
February 11, 2025
•[ malware, infostealer ]
Cybersecurity experts observed that the official CEC website was infected with Lumma stealer via fake CAPTCHA payloads, distributing unauthorized links and malware to visitors. The site was targeted during and after elections, with evidence of malware distribution. No actor attribution was confirmed.
Users of Indian banking mobile apps
February 11, 2025
•[ malware, phishing, data leak ]
Android malware campaign disguised as Indian bank apps, distributed via phishing links and fake APKs to install FinStealer; exfiltration of banking credentials and personal information confirmed by CYFIRMA and other researchers.
Multiple Organizations in South Korea
February 6, 2025
•[ cryptomining, malware, trojan ]
ASEC analysis shows CoinMiner/XMRig variants delivered through trojanized removable media using DLL sideloading and PowerShell to mine cryptocurrency on compromised endpoints across Korea (the Republic of)n organizations.
PrivatBank
February 6, 2025
•[ phishing, malware, data leak ]
A criminal group identified as UAC-0006 used phishing emails with password-protected attachments to deliver SmokeLoader malware targeting PrivatBank customers. The campaign aimed to steal credentials and financial data, active since November 2024.
Users of Steam game PirateFi
February 6, 2025
•[ malware, data leak ]
Free-to-play game PirateFi on Steam removed after being discovered to install Vidar infostealer; victims urged by Valve to scan or reformat their systems.
University end-users via cloned site
February 5, 2025
•[ malvertising, phishing, malware ]
Malvertising campaign cloning a German university website to distribute a fake Cisco AnyConnect installer which installed NetSupport RAT on victim machines.
Russian Organizations Across Various Industries
February 5, 2025
•[ malware, phishing, data leak ]
Nova Infostealer malware campaign targeting Russian organizations across multiple industries collected credentials and files via phishing and malicious installers.
Russian Industrial Facilities
February 5, 2025
•[ infostealer, phishing, malware ]
Nova Infostealer was deployed by the threat group NGC4020 in Russian industrial facilities, stealing host credentials and files from infected endpoints through phishing and malicious installer packages.
Tata Technologies
January 31, 2025
•[ ransomware, malware, technology ]
Tata Technologies Ltd. suspends some of its IT services following a ransomware attack that impacted the company network.
