Gen Digital
November 3, 2025
•[ spear-phishing, malware, backdoor ]
Gen Digital reported that the North Korea-linked Kimsuky group used spear-phishing emails carrying a fake VPN invoice ZIP archive to compromise at least one South Korean victim and deploy a new HttpTroy backdoor. Execution of the malicious SCR file launches a three-stage chain (dropper, MemLoad loader and HttpTroy DLL) that displays a decoy PDF while silently establishing persistence via a scheduled task masquerading as an AhnLab update. HttpTroy then connects to a remote command-and-control server and gives the attackers full remote-access capabilities, including file transfer, command execution, reverse shell, process control and screenshot capture.
Kansas City National Security Campus network
October 1, 2025
•[ vulnerability exploitation, espionage, nation-state actor ]
CSO reports KCNSC (NNSA nuclear components plant) was infiltrated via unpatched on-prem SharePoint. Microsoft tied the wider wave to China-linked actors, while a KCNSC source suggested a Russian group; DOE later said the department was minimally impacted. Primary effect: covert access/collection, not OT disruption.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Unnamed Jerusalem CCTV streaming provider
June 17, 2025
•[ Espionage, Nation-State Actor, CCTV compromise ]
According to Amazon's threat intelligence team, Iranian-linked group MuddyWater provisioned attack infrastructure in mid-May 2025 and then used it on June 17, 2025 to access a compromised server streaming live CCTV footage from Jerusalem. Analysts assess that the group leveraged this access to gather real-time visual intelligence to refine targeting for a June 23 missile attack launched by Iran, in what Amazon terms cyber-enabled kinetic targeting. The case highlights how cyber intrusions against surveillance systems can directly support physical military operations without necessarily causing digital outages or data theft in the traditional sense.
BitoPro Exchange
May 8, 2025
•[ cryptocurrency theft, unauthorized access, money laundering ]
Unauthorized access on May 8, 2025 to BitoPro exchange hot wallets resulted in theft of about NT$345 million (US$11.5 million) in cryptocurrency; funds laundered via Tornado Cash, Thorchain, and Wasabi; attribution linked to North Korea's Lazarus Group (APT38); no operational disruption reported.