LiteLLM
March 24, 2026
•[ supply chain attack, malware, credential theft ]
TeamPCP used compromised release access to publish malicious LiteLLM versions to PyPI, embedding code that exfiltrated secrets and established persistence on systems that installed the poisoned packages.
An undisclosed organization
March 12, 2026
•[ ransomware, social engineering, data theft ]
IBM X-Force described a case where a threat actor remained on a compromised server for more than a week and stole data during an Interlock ransomware intrusion. The attack began with ClickFix social engineering and later deployed a PowerShell backdoor called Slopoly (likely AI-assisted), alongside other components such as NodeSnake and InterlockRAT. The article is a case-study/campaign description and does not name the victim organization or quantify the affected records beyond describing persistence and data theft.
An undisclosed organization
February 11, 2026
•[ ransomware, persistence, evasion ]
BleepingComputer reported that a member of the Crazy ransomware gang abused legitimate employee monitoring software and the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare for ransomware deployment in victim networks.
Undisclosed U.S. organization
February 1, 2026
•[ cyber espionage, APT, backdoor ]
HackRead reported that researchers linked a campaign observed in early February 2026 to the Iran-aligned APT MuddyWater, described as operating under Iran's Ministry of Intelligence and Security. The report stated that attackers infiltrated the networks of several U.S. organizations across sectors (including banking and aviation) and an Israeli software development services operation, maintaining persistence and using a new custom backdoor called Dindoor to remotely issue commands and sustain access. The article describes espionage tradecraft and persistence but does not list specific victims or confirm specific data stolen.
An undisclosed organization
January 16, 2026
•[ vulnerability exploitation, command-and-control, persistence ]
BleepingComputer reported that threat actors exploited critical SolarWinds Web Help Desk (WHD) vulnerabilities (including CVE-2025-40551 and CVE-2025-26399) in a campaign believed to have started around January 16, 2026, targeting at least three organizations. Attackers used the access to deploy legitimate tools (Zoho ManageEngine Assist, Cloudflare tunnels, Velociraptor) for persistence and command-and-control.
Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU reported that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed that initial access likely occurred via Remote Desktop Protocol using guessed weak or default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
Gen Digital
November 3, 2025
•[ spear-phishing, malware, backdoor ]
Gen Digital reported that the North Korea-linked Kimsuky group used spear-phishing emails carrying a fake VPN invoice ZIP archive to compromise at least one South Korean victim and deploy a new HttpTroy backdoor. Execution of the malicious SCR file launches a three-stage chain (dropper, MemLoad loader and HttpTroy DLL) that displays a decoy PDF while silently establishing persistence via a scheduled task masquerading as an AhnLab update. HttpTroy then connects to a remote command-and-control server and gives the attackers full remote-access capabilities, including file transfer, command execution, reverse shell, process control and screenshot capture.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reported that a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. The activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
At least one undisclosed government and/or tech company
November 4, 2024
•[ state-sponsored, malware, backdoor ]
Government cybersecurity reporting described PRC state-sponsored actors using BRICKSTORM malware to maintain long-term persistence in victim environments, primarily affecting government services/facilities and IT sector organizations. In a documented case, actors accessed a DMZ web server (with a web shell present), moved laterally using service account credentials, copied Active Directory databases, pivoted into VMware vCenter, accessed domain controllers and an ADFS server, and exported cryptographic keys. BRICKSTORM provided stealthy backdoor access for command-and-control and remote operations and was used for persistence from at least April 2024 through at least September 3, 2025. The specific victim organization name was not disclosed in the reporting.