APT

China Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

A China aligned cyber espionage group tracked as Ink Dragon has intensified its operations against government organizations, with a noticeable focus on European targets since July 2025. The campaign remains active and continues to impact entities across Southeast Asia and South America. Security researchers at Check Point Research are monitoring the activity cluster, which is […]

Amazon Exposes Years Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure

Amazon has released new threat intelligence findings detailing a years long cyber campaign linked to a Russian state sponsored actor that targeted Western critical infrastructure between 2021 and 2025. The activity primarily affected energy sector organizations, critical infrastructure providers in North America and Europe, and companies operating cloud hosted network environments. According to Amazon, the

WIRTE Uses AshenLoader Sideloading to Deploy the AshTag Espionage Backdoor

An advanced persistent threat (APT) group known as WIRTE has been linked to cyberattacks targeting government and diplomatic entities across the Middle East since 2020. The group deploys a previously undocumented malware suite called AshTag, designed for espionage and intelligence collection. Palo Alto Networks Unit 42 is tracking this cluster under the codename Ashen Lepus.

North Korea Linked Actors Exploit React2Shell to Deliver New EtherRAT Malware

A threat group linked to North Korea has begun exploiting the critical React2Shell security flaw in React Server Components to distribute a previously undocumented remote access trojan named EtherRAT. According to a new report from Sysdig, this malware uses Ethereum smart contracts for command and control resolution, deploys five separate persistence methods on Linux systems,

Four Threat Clusters Using CastleLoader as GrayBravo Expands Its Malware Service Infrastructure

Cybersecurity researchers have identified four separate threat clusters using a malware loader called CastleLoader, reinforcing earlier assessments that this tool operates under a malware-as-a-service (MaaS) model, providing capabilities to multiple cybercriminal groups. The operator behind CastleLoader has been designated GrayBravo by Recorded Future’s Insikt Group, previously tracked as TAG-150. According to an analysis published by

MuddyWater Uses UDPGangster Backdoor in Targeted Campaign Across Turkey, Israel, and Azerbaijan

In a newly identified cyber espionage operation, the Iranian aligned group MuddyWater has been found using a previously unknown backdoor named UDPGangster. The malware relies on the User Datagram Protocol (UDP) to manage command and control traffic, a choice that helps attackers avoid traditional network monitoring defenses. Security analysts at Fortinet FortiGuard Labs report that

Chinese Hackers Begin Exploiting the Newly Revealed React2Shell Vulnerability

Two China linked hacking groups have started weaponizing the newly revealed React Server Components vulnerability within hours of its public disclosure. The security flaw, tracked as CVE-2025-55182 with a maximum CVSS score of 10.0, allows unauthenticated remote code execution and has been patched in React versions 19.0.1, 19.1.2, and 19.2.1.
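The fix above landed on three minor lines at once, so a naive "is it at least 19.0.1" comparison passes 19.1.0 and 19.2.0 even though both are still unpatched. The following is an added example, not code from the article, from AWS, or from the React project: it classifies a dependency version against exactly the fix releases the excerpt names and walks a package-lock.json "packages" map for the relevant entries. The lockfile fragment is constructed for the example, and the decision to audit the react-server-dom-* packages alongside react is this example's assumption (the excerpt only says "React").

```javascript
// Added example: version triage against the React2Shell fix releases
// named in the excerpt (19.0.1, 19.1.2, 19.2.1). Not from the article.

const FIXED_VERSIONS = ["19.0.1", "19.1.2", "19.2.1"];

// Parse "19.1.0", "v19.1.0", "^19.1.0" or "19.1.0-canary-abc" into
// [major, minor, patch]; only the numeric triple is compared.
function parseVersion(spec) {
  const m = /^\s*[\^~v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "patched", "vulnerable" or "not-covered".
//   - same major.minor as a listed fix: patched iff >= that fix release
//   - same major, newer minor than every listed fix line: patched
//   - same major, a minor line with no listed fix and not newer: vulnerable
//   - any other major (e.g. 18.x): not-covered, because the excerpt says
//     nothing about those lines; consult the advisory instead of guessing
function classify(spec, fixed = FIXED_VERSIONS) {
  const v = parseVersion(spec);
  const fixes = fixed.map(parseVersion);
  const sameMajor = fixes.filter((f) => f[0] === v[0]);
  if (sameMajor.length === 0) return "not-covered";
  const sameLine = sameMajor.find((f) => f[1] === v[1]);
  if (sameLine) {
    return compareVersions(v, sameLine) >= 0 ? "patched" : "vulnerable";
  }
  const newestMinor = Math.max(...sameMajor.map((f) => f[1]));
  return v[1] > newestMinor ? "patched" : "vulnerable";
}

// Package names to audit. Checking the react-server-dom-* packages as
// well as react is an assumption of this example, not a statement the
// excerpt makes.
const AUDITED_PACKAGES = [
  "react",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
];

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3).
// Keys look like "node_modules/react" or, for nested copies,
// "node_modules/some-lib/node_modules/react"; both must be checked.
function auditLock(lock, names = AUDITED_PACKAGES) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !meta || !meta.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!names.includes(name)) continue;
    findings.push({ path, name, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): a nested
// copy of react is on a fixed release, the top-level RSC package is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react": { version: "19.1.2" },
    "node_modules/next": { version: "15.5.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLock(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version} (${f.path})`);
  }
}
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a package-lock.json produced by npm 7 or later carries the "packages" map the walker expects, while older lockfileVersion 1 files use a nested "dependencies" tree and need a different traversal.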

CISA Reports Chinese Hackers Leveraging BRICKSTORM for Persistent U.S. System Access

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed the use of a sophisticated backdoor, BRICKSTORM, by state-sponsored Chinese threat actors to maintain long-term access to compromised systems across the United States. CISA described BRICKSTORM as a highly advanced implant designed for VMware vSphere and Windows environments. It allows attackers to gain stealthy access,

Lazarus APT’s Remote-Worker Operations Caught Live on Camera

A collaborative investigation led by Mauro Eldritch, founder of BCA LTD, alongside NorthScan and ANY.RUN, has unveiled one of North Korea’s most persistent infiltration tactics: a network of remote IT workers linked to the Lazarus Group’s Famous Chollima division. For the first time, researchers observed the operators live, capturing their activity on what they believed

China Linked APT31 Conducts Stealthy Cyberattacks on Russian IT via Cloud Services

A long running cyber espionage operation linked to the China based advanced persistent threat group APT31 has quietly infiltrated multiple Russian information technology companies between 2024 and 2025. According to researchers Daniil Grigoryan and Varvara Koloskova from Positive Technologies, the attackers focused on contractors and integrators that provide services to Russian government agencies, remaining unnoticed
