Multiple diplomatic and international organizations (particpating in Gaza peace talks)
June 1, 2025
•[ espionage, social, phishing ]
Homeland Justice, an Iranian MOIS-linked group, compromised an Omani Embassy email account and used it to deliver spear-phishing attachments to diplomats and international mediators engaged in Gaza ceasefire negotiations. This was an espionage operation with no service disruption reported. ~72K+ malicious Word emails sent via spear-phishing from a compromised Omani Embassy in Paris account; targeted Egyptian officials, U.S. and Qatari mediators, and organizations such as UN, UNICEF, World Bank, and African Union during Gaza ceasefire talks
Undisclosed Kyrgyzstan organization
June 1, 2025
•[ phishing, malware, state-sponsored ]
A nation-state actor known as Bloody Wolf conducted spearphishing impersonating the Kyrgyz Ministry of Justice to deploy JAR loaders and install NetSupport RAT for persistent access to organizational systems; no data theft was reported.
Farmers Insurance (via third-party vendor)
May 29, 2025
•[ social, phishing, finance ]
Over 1.1 million customers impacted by breach via Salesforce-linked vendor breach. Exfiltration involved social engineering/vishing and malicious OAuth apps, with ShinyHunters and Scattered Spider providing access and exfiltration. Two years of identity protection offered.
Saifuddin Nasution Ismail (WhatsApp account)
May 28, 2025
•[ phishing, account takeover, government ]
WhatsApp account of Malaysias Home Minister hacked in late May 2025 and used via a foreign VPN to send malicious/phishing links to contacts; government confirmed account compromise Jun 2 2025; no evidence of large-scale data theft or system outage.
Undisclosed Tajikistan government agencies
May 22, 2025
•[ espionage, phishing, data collection ]
Researchers reported a Russia-aligned espionage campaign targeting Tajik government, academic, and research entities using phishing lures and macro-enabled docs to collect data.
Keir Giles (UK academic)
May 22, 2025
•[ social engineering, phishing, data leak ]
Targeted social-engineering campaign impersonating U.S. State Department tricked Keir Giles into generating app-specific passwords, allowing a nation-state actor to access his Gmail account data stored on Google servers; no evidence of intrusion into affiliated institutional networks.
Kurdish Government and Media Institutions
May 15, 2025
•[ cyber-espionage, phishing, data leak ]
Iran-linked threat actor MuddyWater (MOIS) conducted cyber-espionage operations against Kurdish government and media infrastructure in Iraq during MayJune 2025 using phishing and web-shells to steal credentials and internal documents; reported Jun 25 2025.
KazMunaiGas
May 5, 2025
•[ social, hack, phishing ]
A spear-phishing campaign disguised as internal HR communications delivered multi-stage malware to KMG employees. Attackers used a compromised business email, LNK downloader, PowerShell (DOWNSHELL), and DLL implant to establish reverse shell access. KMG later labeled it a phishing test.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram botbased malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in Canada using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Arab Emirates using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United Kingdom using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ hack, social, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in United States of America using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Defense and critical-infrastructure entities in Kazakhstan
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Kazakhstan, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Ukraine
May 1, 2025
•[ phishing, unauthorized access, data leak ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Ukraine, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Armenia
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration toolbased intrusions in MayJune 2025 targeting defense and critical-infrastructure entities in Armenia, resulting in unauthorized access and data exfiltration.
Pepe memecoin website
April 12, 2025
•[ website compromise, phishing, malware ]
The official website for the Pepe (PEPE) memecoin was compromised in a front-end attack that redirected visitors to a malicious site. According to Blockaid and Cointelegraph reporting, the compromised front-end contained code associated with the Inferno Drainer family and redirected users to a fake site that injects malicious code intended to drain crypto wallets. Users were advised to avoid interacting with the site while the issue was being addressed; the reporting did not quantify how many users were affected or whether wallet losses occurred.
Jaaved Jaaferi / X (Twitter) account
April 5, 2025
•[ account takeover, phishing, scam ]
On April 5 2025, the verified X (formerly Twitter) account of Indian actor Jaaved Jaaferi was hijacked and used to post cryptocurrency scam and phishing messages. The actor warned followers via Instagram not to engage. Control was restored within hours, and no data theft or cross-platform compromise was reported.
Undisclosed Australian School
March 30, 2025
•[ phishing ]
Hoax school shooting emails were sent after school email accounts were hacked.
