Afghanistan Ministry of Finance
May 29, 2026
• [spear-phishing, malware, XenoRAT]
SideCopy, a suspected Pakistan-linked threat group, targeted Afghanistan's Ministry of Finance and provincial revenue and finance directorates with spear-phishing emails containing a malicious ZIP/LNK file in Pashto. When executed, the malware chain installed XenoRAT, enabling long-term remote access, spying on infected computers, and additional malicious activity.
At least one Ukrainian government organization
March 1, 2026
• [spear-phishing, malware, cyber espionage]
Ghostwriter, also tracked as FrostyNeighbor, UNC1151, UAC-0057, TA445, PUSHCHA, Storm-0257, and related names, conducted a March 2026 spear-phishing campaign against Ukrainian government organizations. The campaign used malicious PDF lures impersonating Ukrtelecom, geofenced delivery to Ukrainian IP addresses, JavaScript PicassoLoader, host fingerprinting, and selective delivery of Cobalt Strike Beacon. Although no specific Ukrainian government agency was publicly named, reporting described successful compromise activity against Ukrainian government targets; no stolen data volume was reported.
Gen Digital
November 3, 2025
• [spear-phishing, malware, backdoor]
Gen Digital reported that the North Korea-linked Kimsuky group used spear-phishing emails carrying a fake VPN invoice ZIP archive to compromise at least one South Korean victim and deploy a new HttpTroy backdoor. Execution of the malicious SCR file launches a three-stage chain (dropper, MemLoad loader and HttpTroy DLL) that displays a decoy PDF while silently establishing persistence via a scheduled task masquerading as an AhnLab update. HttpTroy then connects to a remote command-and-control server and gives the attackers full remote-access capabilities, including file transfer, command execution, reverse shell, process control and screenshot capture.
At least one Belgian diplomat
October 31, 2025
• [cyber-espionage, spear-phishing, vulnerability]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
KakaoTalk account of a South Korea–based counselor
September 5, 2025
• [spear-phishing, malware, credential theft]
According to research by Genians reported by BleepingComputer, a North Korean activity cluster linked to APT37 and KONNI targets South Koreans via spear-phishing emails that spoof national agencies and deliver signed MSI installers. Once executed, the chain installs a remote access toolkit that steals Google and Naver account credentials, giving attackers full