Škoda Auto
May 11, 2026
•[ data leak, vulnerability exploitation, unauthorized access ]
Attackers exploited a vulnerability in Škoda Auto's online shop software and gained temporary unauthorized access to the shop system. Škoda said customer names, addresses, contact details, order details, account information, and password hashes may have been accessed, but credit card data was not stored in the system. The company took the online shop offline for containment, patched the vulnerability, reviewed its security controls, notified authorities, and retained external forensic experts; the specific threat actor was not identified.
Undisclosed Taiwanese government entity
April 30, 2026
•[ espionage, state-sponsored, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Taiwanese government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Malaysian government entity
April 30, 2026
•[ espionage, vulnerability exploitation, unpatched software ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Malaysian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Indian government entity
April 30, 2026
•[ espionage, web shell, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Indian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Thai government entity
April 30, 2026
•[ espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Thai government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Polish defense-sector organization
April 30, 2026
•[ espionage, web shells, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Polish defense-sector organization by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Myanmar government entity
April 30, 2026
•[ cyber espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Myanmar government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
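The six Shadow-Earth-053 entries above share one intrusion shape: an unpatched Exchange/IIS server, then a web shell dropped into a web root. The script below is an added example, not code from the tracker or from the reporting it summarizes, of the kind of first-pass triage a responder runs over an IIS web root to find attacker-dropped ASP.NET files. The indicator list, weights, file names and the two sample pages are assumptions constructed for illustration; real web shells vary and this is a prioritization aid, not a verdict.

```python
"""Heuristic triage of an IIS web root for ASP.NET web shells.

Added example (not from the original page or the cited reporting).
Indicator patterns, weights and sample files are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Server-side script types IIS will execute; attackers drop shells with these extensions.
SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# (regex, weight, label): traits of parameter-driven command execution pages.
INDICATORS = [
    (r'Request\[\s*"[^"]+"\s*\]', 2, "request parameter read"),
    (r"Request\.(Form|QueryString|Headers)\b", 2, "request collection read"),
    (r"System\.Diagnostics\.Process|Process\.Start|ProcessStartInfo", 3, "process spawn"),
    (r"\bcmd\.exe\b|\bpowershell(\.exe)?\b", 3, "shell binary reference"),
    (r"\beval\s*\(|\bExecute\s*\(", 3, "dynamic code evaluation"),
    (r"Assembly\.Load\s*\(", 3, "in-memory assembly load"),
    (r"Convert\.FromBase64String", 1, "base64 decode"),
    (r"File\.Write(AllBytes|AllText)\s*\(", 1, "file write"),
]


@dataclass
class Finding:
    path: str
    score: int
    hits: list[str] = field(default_factory=list)


def score_source(text: str) -> tuple[int, list[str]]:
    """Sum indicator weights present in one page; each indicator counts once."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(label)
    return score, hits


def scan_webroot(root: str, threshold: int = 5) -> list[Finding]:
    """Walk the web root and return script files scoring at or above threshold, highest first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SHELL_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: note it in a real run, skip here
            score, hits = score_source(text)
            if score >= threshold:
                findings.append(Finding(os.path.relpath(path, root), score, hits))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


# Constructed sample pages (assumptions): one ordinary page, one command-execution shell.
BENIGN_PAGE = """<%@ Page Language="C#" %>
<html><body><h1>Sign in</h1><asp:Label ID="Status" runat="server" /></body></html>
"""
SUSPICIOUS_PAGE = """<%@ Page Language="C#" %>
<% var c = Request["c"];
   var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c);
   System.Diagnostics.Process.Start(psi); %>
"""


def build_sample_webroot() -> str:
    """Create a throwaway web root containing the two constructed pages; returns its path."""
    root = tempfile.mkdtemp(prefix="iis_triage_")
    auth_dir = os.path.join(root, "owa", "auth")
    os.makedirs(auth_dir)
    with open(os.path.join(auth_dir, "logon.aspx"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PAGE)
    with open(os.path.join(auth_dir, "help.aspx"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS_PAGE)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f.score, f.path, ", ".join(f.hits))
```

Run it against a copy of the web root taken from a forensic image rather than the live server, and pair the content score with file metadata (creation time after the last legitimate deployment, ownership by the IIS worker process) before acting on a hit.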
Undisclosed United States organization
April 7, 2026
•[ ransomware, cybercrime, data exfiltration ]
Microsoft reported that Storm-1175, a financially motivated cybercrime actor linked to Medusa ransomware, heavily impacted organizations in Australia, the United Kingdom, and the United States by exploiting vulnerable web-facing systems, exfiltrating data, and deploying ransomware. This row represents the undisclosed United States victim component of the country-level coding approach.
Undisclosed Australian organization
April 7, 2026
•[ ransomware, Medusa ransomware, data exfiltration ]
Microsoft reported that Storm-1175, a financially motivated cybercrime actor linked to Medusa ransomware, heavily impacted organizations in Australia, the United Kingdom, and the United States by exploiting vulnerable web-facing systems, exfiltrating data, and deploying ransomware. This row represents the undisclosed Australian victim component of the country-level coding approach.
Eholo Health
March 30, 2026
•[ data leak, vulnerability exploitation, medical records ]
XP95 claimed it stole 165 GB of data from Eholo Health, including more than 1.1 million medical notes and personal information tied to 601,308 users, after exploiting a vulnerability in the company's systems.
The Ukrainian State Hydrology Agency
March 19, 2026
•[ phishing, vulnerability exploitation, XSS ]
BleepingComputer reported that Russia-linked APT28 (GRU) exploited a Zimbra Collaboration Suite vulnerability (CVE-2025-66376) in attacks targeting Ukrainian government entities. Researchers described a phishing operation (Operation GhostMail) where a single HTML email body triggered obfuscated JavaScript exploiting the Zimbra XSS flaw when opened in a vulnerable webmail session. The payload was described as harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents going back 90 days, with exfiltration over DNS and HTTPS. One referenced target was the Ukrainian State Hydrology Agency.
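The Operation GhostMail summary above describes exfiltration over DNS and HTTPS. DNS is the channel defenders most often overlook, and a recursive resolver's query log is usually enough to spot it: a parent domain that receives many queries, almost every one for a distinct, long, high-entropy leftmost label. The detector below is an added example, not code from the tracker or from the cited research, and says nothing about the actual GhostMail infrastructure; the log format, the domain names and the thresholds are assumptions constructed for illustration.

```python
"""Flag parent domains whose query pattern looks like DNS tunnelling/exfiltration.

Added example (not from the original page or the cited reporting).
Log format, domain names and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qname> <qtype>" (an assumed format).
SAMPLE_LOG = """\
1710800001 10.1.2.3 mail.example.gov A
1710800002 10.1.2.3 mail.example.gov A
1710800003 10.1.2.3 img1.cdn.example.com A
1710800004 10.1.2.3 img2.cdn.example.com A
1710800005 10.1.2.3 img3.cdn.example.com A
1710800006 10.1.2.3 js.cdn.example.com A
1710800007 10.1.2.3 css.cdn.example.com A
1710800008 10.1.2.3 3a4f9c2d1e8b7a6f5c4d3e2f1a0b9c8d.telemetry-sync.invalid TXT
1710800009 10.1.2.3 7b1e0d9c8a6f5e4d3c2b1a0f9e8d7c6b.telemetry-sync.invalid TXT
1710800010 10.1.2.3 c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9.telemetry-sync.invalid TXT
1710800011 10.1.2.3 0f1e2d3c4b5a69788796a5b4c3d2e1f0.telemetry-sync.invalid TXT
1710800012 10.1.2.3 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.telemetry-sync.invalid TXT
1710800013 10.1.2.3 5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f.telemetry-sync.invalid TXT
1710800014 10.1.2.3 mail.example.gov A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base32 payload labels sit well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (parent domain as the last two labels, leftmost label or '')."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None, ""
    parent = ".".join(labels[-2:])
    left = labels[0] if len(labels) > 2 else ""
    return parent, left


def profile_queries(log_text: str) -> dict:
    """Aggregate per parent domain: query count, distinct names, leftmost-label lengths and entropies."""
    profiles = defaultdict(lambda: {"queries": 0, "names": set(), "lengths": [], "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line
        parent, left = split_name(parts[2])
        if parent is None:
            continue
        p = profiles[parent]
        p["queries"] += 1
        p["names"].add(parts[2].lower())
        if left:
            p["lengths"].append(len(left))
            p["entropies"].append(shannon_entropy(left))
    return profiles


def flag_dns_exfil(log_text: str, min_queries: int = 5, min_unique_ratio: float = 0.8,
                   min_label_len: int = 20, min_entropy: float = 3.0) -> list[str]:
    """Parent domains where nearly every query is a new, long, high-entropy label (thresholds assumed)."""
    flagged = []
    for parent, p in profile_queries(log_text).items():
        if p["queries"] < min_queries or not p["lengths"]:
            continue
        unique_ratio = len(p["names"]) / p["queries"]
        mean_len = sum(p["lengths"]) / len(p["lengths"])
        mean_entropy = sum(p["entropies"]) / len(p["entropies"])
        if unique_ratio >= min_unique_ratio and mean_len >= min_label_len and mean_entropy >= min_entropy:
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_dns_exfil(SAMPLE_LOG))
```

The example.com CDN traffic in the sample is also all-distinct names, which is why the unique-name ratio alone is a poor signal; the label-length and entropy conditions are what separate content-hash CDN hostnames from encoded payload chunks. Tune the thresholds against a week of your own resolver logs before alerting on them, and treat the two-label parent heuristic as a stand-in for a proper public-suffix lookup.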
LexisNexis Legal & Professional
February 24, 2026
•[ data leak, cloud security breach, vulnerability exploitation ]
FulcrumSec breached LexisNexis Legal & Professional AWS infrastructure through a vulnerable React container and exfiltrated company and customer data. The stolen dataset includes millions of database records and customer account information.
Network devices in at least one Norwegian organization
February 5, 2026
•[ state-sponsored espionage, network device compromise, telecom ]
The Record reported that Norway's Police Security Service (PST) disclosed that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations. PST made the disclosure in its 2026 annual threat assessment and said the actor exploited vulnerable network devices, consistent with the broader telecom and critical-infrastructure espionage focus described by allied authorities. The article does not identify specific victim organizations or provide incident-level dates or effects for a single named target, so it is best treated as campaign-level reporting rather than a single victim event record.
At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
European Commission
January 30, 2026
•[ cyberattack, data leak, vulnerability exploitation ]
The European Commission disclosed it detected traces of a cyberattack on January 30, 2026 targeting its central infrastructure used to manage staff mobile devices. The Commission said the incident may have resulted in access to staff names and mobile phone numbers for some employees, but it had not found evidence that managed mobile devices themselves were compromised. The Commission stated its response contained and cleaned the system within nine hours. The article notes the Commission did not disclose the initial access method, but the incident appeared linked to attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
An undisclosed organization
January 16, 2026
•[ vulnerability exploitation, command-and-control, persistence ]
BleepingComputer reported that threat actors exploited critical SolarWinds Web Help Desk (WHD) vulnerabilities (including CVE-2025-40551 and CVE-2025-26399) in a campaign believed to have started around January 16, 2026, targeting at least three organizations. Attackers used the access to deploy legitimate tools (Zoho ManageEngine Assist, Cloudflare tunnels, Velociraptor) for persistence and command-and-control.
At least one organization in Southeastern Europe
January 8, 2026
•[ cyber espionage, vulnerability exploitation, SSH brute force ]
BleepingComputer reported on Cisco Talos research describing a sophisticated China-nexus actor tracked as UAT-7290 targeting telecommunications providers, historically in South Asia and recently expanded into Southeastern Europe. The group was described as conducting extensive reconnaissance and using one-day exploits plus target-specific SSH brute force to compromise public-facing edge devices for initial access and privilege escalation. Talos reported the actor deploys a primarily Linux-based malware suite (with occasional Windows implants) and establishes Operational Relay Box (ORB) infrastructure that can be used by other China-aligned threat actors. The report is campaign-level and does not enumerate a single named victim breach event date.
Cuban Embassy in Washington D.C.
January 1, 2026
•[ cyberespionage, data exfiltration, email breach ]
China-linked hackers exploited long-unpatched Microsoft Exchange vulnerabilities on the Cuban Embassy in Washington D.C.'s email servers beginning in January 2026, accessing and exfiltrating the full inboxes of 68 diplomatic officials, including the ambassador and the deputy chief of mission.
Venezuelan Ministry of Foreign Affairs
January 1, 2026
•[ espionage, state-sponsored attack, data breach ]
The same China-linked espionage campaign that compromised the Cuban Embassy in Washington D.C. also reportedly exploited Microsoft Exchange servers used by Venezuela's Ministry of Foreign Affairs and accessed officials' email communications during the same January 2026 regional campaign.
Meat processing facility in Los Angeles
December 12, 2025
•[ spearphishing, vulnerability exploitation, critical infrastructure ]
The source article reports on a DOJ/CISA warning and related indictments concerning Russia-linked cyber actors targeting U.S. critical infrastructure, including techniques such as spearphishing and exploitation of known vulnerabilities.