An undisclosed critical infrastructure company in Zambia
November 1, 2025
•[ espionage, phishing, vulnerability exploitation ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during NovDec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during NovDec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard)
Two undisclosed government departments in a South American country
October 22, 2025
•[ vulnerability exploitation, espionage, data leak ]
Actors exploited a patched SharePoint ToolShell flaw to gain initial access at a telecom, harvest credentials, and pivot across AD-joined systems. Activity included beaconing and data staging consistent with telecom espionage. No operational shutdown reported; primary effect is unauthorized access and data collection.
At least one organization in Southeast Asia
October 1, 2025
•[ espionage, APT activity, vulnerability exploitation ]
BleepingComputer summarized Check Point research on a newly tracked actor Amaranth Dragon, linked to China-aligned APT activity, which exploited WinRAR CVE-2025-8088 in espionage operations against government and law enforcement entities in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The actor used geofenced infrastructure and a custom loader to deliver encrypted payloads (including Havoc and a newer TGAmaranth RAT using Telegram for C2). Because the article is campaign/threat-research reporting without a discrete, named victim event record and bounded impacts, event_type and event_subtype are coded as NA for CED incident purposes.
Kansas City National Security Campus network
October 1, 2025
•[ vulnerability exploitation, espionage, nation-state actor ]
CSO reports KCNSC (NNSA nuclear components plant) was infiltrated via unpatched on-prem SharePoint. Microsoft tied the wider wave to China-linked actors, while a KCNSC source suggested a Russian group; DOE later said the department was minimally impacted. Primary effect: covert access/collection, not OT disruption.
Undisclosed Financial Institution
September 15, 2025
•[ data leak, nation-state, vulnerability exploitation ]
Anthropic reported that GTG-1002, a China-linked nation-state threat actor, conducted an AI-automated intrusion campaign detected in mid-September 2025; one successful breach involved an undisclosed financial institution where sensitive information was stolen via exploitation of application server infrastructure.
Undisclosed Major Technology Firm
September 15, 2025
•[ data leak, nation-state, AI-automated attack ]
Anthropic reported that GTG-1002, a China-linked nation-state threat actor, conducted an AI-automated intrusion campaign detected in mid-September 2025; one successful breach involved an undisclosed major technology firm where sensitive information was stolen via exploitation of application server infrastructure.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsofts July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Undisclosed European telecommunications organisation
July 3, 2025
•[ espionage, malware, vulnerability exploitation ]
Darktrace reports a China-aligned espionage actor (Salt Typhoon) breached a European telecom by exploiting a Citrix NetScaler Gateway, deploying SnappyBee malware for persistence and data staging. Activity reflects classic intelligence collection rather than service disruption; defenders observed beaconing, credential access, and movement to support systems.
NetVision (Cellcom Israel)
June 17, 2025
•[ phishing, vulnerability exploitation, hacktivism ]
Pro-Palestinian hackers exploited a vulnerability in NetVisions legacy email infrastructure to send forged phishing messages impersonating Israeli government domains; servers used for distribution of malicious emails; no confirmed data theft or ransom demand reported.
Multiple French government and critical infrastructure organizations
April 30, 2025
•[ espionage, data leak, vulnerability exploitation ]
On April 30 2025, Frances national cybersecurity agency (ANSSI) attributed a campaign of at least twelve cyberattacks on French entities to Russias GRU 85th Main Special Service Center (Unit 26165), known as FANCYBEAR. The espionage activity targeted government, media, energy, and critical-infrastructure organizations via exploitation of vulnerable Cisco routers to gain persistence and exfiltrate sensitive data. No operational disruption was reported.
Stubhub
March 6, 2025
•[ vulnerability exploitation, data leak, third-party breach ]
A cybercrime group exploited a URL redirection vulnerability in a third-party contractor system for StubHub to steal around 1,000 digital tickets for major events, including Taylor Swifts Eras Tour. The stolen tickets, valued at approximately $635,000, were resold online for profit. The scheme operated between June 2022 and July 2023 before being uncovered through a coordinated investigation by cybersecurity and law enforcement agencies. Two individuals, Tyrone Rose and Shamara P. Simmons, were arrested and charged with grand larceny, identity theft, and computer tampering in connection with the operation.
