Threat Research

    Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....
    UAT-7290 is a sophisticated threat actor active since at least 2022, focused on gaining initial access and conducting espionage against high-value telecommunications and critical infrastructure targets in South Asia....
    The report details a 2025 cyber-espionage campaign by the SideWinder APT group, which targeted diplomatic entities across South Asia, including a European embassy in New Delhi and institutions in Sri Lanka, Pakistan, and Bangladesh....
    The Confucius group is a long-standing cyber-espionage actor active mainly in South Asia, particularly targeting Pakistan. Since its discovery in 2013, the group has evolved significantly, shifting from early tools like document stealers (e.g., WooperStealer) to more advanced tactics, including Python-based backdoors such as AnonDoor....
    Our team identified an ongoing campaign, active since 2022, targeting telecommunications and manufacturing sectors in Central and South Asia, delivering a new PlugX variant. This variant shares features with both RainyDay and Turian backdoors, including DLL sideloading via legitimate apps and the XOR-RC4-RtlDecompressBuffer encryption technique....
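    The teaser names the "XOR-RC4-RtlDecompressBuffer" technique without spelling it out. The following is an added example, not code from the report or from the malware, showing what such a layered decoder looks like: strip a repeating-key XOR, RC4-decrypt, then LZNT1-decompress (the format RtlDecompressBuffer is most often called with). The layer order, the keys, and the constructed sample blob are all assumptions for illustration; a real sample's key derivation and layer order must be confirmed in the unpacker.

```python
import struct

# Toy keys for the constructed sample below (assumptions, not the campaign's keys).
XOR_KEY = b"\x5a"
RC4_KEY = b"plugx-demo-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both applies and removes the outer layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed LZNT1 chunk body (flag byte followed by up to 8 tokens)."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:          # literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The offset/length split slides as the chunk fills: 4 offset bits for the
            # first 16 output bytes, one more offset bit each time the output doubles.
            l_mask, o_shift, p = 0xFFF, 12, len(out) - 1
            while p >= 0x10:
                l_mask >>= 1
                o_shift -= 1
                p >>= 1
            length = (token & l_mask) + 3
            offset = (token >> o_shift) + 1
            for _ in range(length):              # byte-wise copy handles overlapping runs
                out.append(out[-offset])
    return out


def lznt1_decompress(buf: bytes) -> bytes:
    """Equivalent of RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) over a stream."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:                          # terminator
            break
        size = (header & 0xFFF) + 1              # chunk body length
        body = buf[pos:pos + size]
        pos += size
        if header & 0x8000:                      # compressed chunk
            out += _lznt1_chunk(body)
        else:                                    # stored (uncompressed) chunk
            out += body
    return bytes(out)


def decode_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Peel the layers in the order the teaser names them: XOR, then RC4, then LZNT1."""
    return lznt1_decompress(rc4(xor_bytes(blob, xor_key), rc4_key))


# Constructed LZNT1 stream (hand-encoded here; not a real sample):
#   chunk 1, compressed: literals "ping;" then a back-reference (offset 5, length 10)
#   chunk 2, stored:     " sleep=30"
_CHUNK1 = bytes([0x20]) + b"ping;" + bytes([0x07, 0x40])
_CHUNK2 = b" sleep=30"
COMPRESSED = (struct.pack("<H", 0x8000 | 0x3000 | (len(_CHUNK1) - 1)) + _CHUNK1
              + struct.pack("<H", 0x3000 | (len(_CHUNK2) - 1)) + _CHUNK2)

# Apply the layers in reverse to produce the blob a loader would carry.
SAMPLE_BLOB = xor_bytes(rc4(COMPRESSED, RC4_KEY), XOR_KEY)


def demo() -> bytes:
    return decode_payload(SAMPLE_BLOB, XOR_KEY, RC4_KEY)


if __name__ == "__main__":
    print(demo())  # b'ping;ping;ping; sleep=30'
```

    The LZNT1 decoder is written byte-by-byte on purpose: back-references in LZNT1 routinely overlap the bytes they are producing, and a slice copy would silently truncate them.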
    In March 2025, we identified an SEO poisoning campaign, likely operated by a Chinese-speaking threat actor, dubbed “Operation Rewrite.” This activity cluster, tracked as CL-UNK-1037, overlaps with known campaigns like “Group 9” and “DragonRank.” Attackers used a malicious IIS module called BadIIS to hijack web traffic via compromised servers....
    In March 2025, Intelligence Group uncovered a PRC-linked UNC6384 campaign targeting diplomats in Southeast Asia, aligning with China's cyber espionage goals. The threat actor hijacked captive portals to deliver a signed downloader, STATICPLUGIN, which deployed the PlugX backdoor in memory....
    TA397 (also known as Bitter) is an espionage-focused threat group with a consistent track record of targeting entities in South Asia. Although commonly linked to India, the basis for this attribution has not been thoroughly documented....
    On May 15th, email security tools detected a sophisticated spear-phishing campaign targeting CFOs and finance executives at banks, energy firms, insurance companies, and investment groups across Europe, Africa, Canada, the Middle East, and South Asia. This multi-stage attack aimed to deliver NetBird, a legitimate WireGuard-based remote access tool, onto victims’ systems....
    CL-STA-0048 is an espionage campaign targeting high-value organizations in South Asia, including a telecommunications company. The attackers, likely from China, use advanced techniques such as Hex Staging, DNS exfiltration, and SQLcmd for data theft. The campaign aims to steal personal and sensitive information, focusing on government employees....
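    Hex staging and DNS exfiltration leave a recognisable trace in resolver logs: bursts of queries whose leading labels are long, purely hexadecimal strings under one zone. As an added example, not the report's own detection content, here is a small Python detector run over constructed query-log lines. The log format, the "last two labels are the zone" rule, the thresholds, and the in-order reassembly of chunks are all assumptions; production logic should use the public suffix list and an allowlist of known services.

```python
import re
from collections import defaultdict
from typing import List, Tuple

# A label is treated as hex-staged data when it is long, even-length and all hex.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")
MIN_QUERIES = 3          # per (client, zone) before flagging (tunable assumption)
MIN_PAYLOAD_BYTES = 32   # decoded bytes; a lone hex-looking CDN label stays below this

# Constructed query log: "timestamp client qtype qname". Not taken from the report.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.20.30.41 A www.example.test
2025-01-10T09:00:02Z 10.20.30.41 A 4e616d653d4a2e446f653b49443d31.x.stage.test
2025-01-10T09:00:02Z 10.20.30.41 A 3233343b526f6c653d4d696e697374.x.stage.test
2025-01-10T09:00:03Z 10.20.30.41 TXT 65723b54656c3d3033303031323334.x.stage.test
2025-01-10T09:00:05Z 10.20.30.77 A cdn.example.test
2025-01-10T09:00:06Z 10.20.30.77 A a1b2c3d4e5f6a7b8.cdn.example.test
"""


def parse_line(line: str) -> Tuple[str, str, str, str]:
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname.rstrip(".").lower()


def split_query(qname: str) -> Tuple[str, List[str]]:
    """Return (zone, hex_data_labels). Zone = last two labels (assumption)."""
    labels = qname.split(".")
    zone = ".".join(labels[-2:])
    data = [l for l in labels[:-2] if HEX_LABEL.match(l) and len(l) % 2 == 0]
    return zone, data


def detect(log_text: str) -> dict:
    """Aggregate hex-carrying queries per (client, zone) and flag heavy talkers."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "hex": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, _, qname = parse_line(line)
        zone, data = split_query(qname)
        if not data:
            continue
        entry = stats[(client, zone)]
        entry["queries"] += 1
        for label in data:
            entry["bytes"] += len(label) // 2
            entry["hex"].append(label)

    findings = {}
    for key, entry in stats.items():
        if entry["queries"] >= MIN_QUERIES or entry["bytes"] >= MIN_PAYLOAD_BYTES:
            # Reassemble in arrival order to see what was staged (assumes in-order chunks
            # and no per-chunk sequence number; adapt once the real encoding is known).
            staged = bytes.fromhex("".join(entry["hex"]))
            findings[key] = {
                "queries": entry["queries"],
                "bytes": entry["bytes"],
                "staged": staged.decode("ascii", errors="replace"),
            }
    return findings


if __name__ == "__main__":
    for (client, zone), info in detect(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {info['queries']} queries, "
              f"{info['bytes']} bytes, staged={info['staged']!r}")
```

    The single hex-looking label under cdn.example.test is deliberately left unflagged: one query carrying 8 bytes is what legitimate content-delivery hostnames look like, and the per-(client, zone) aggregation is what separates that from a client streaming a staged file in 15-byte hex chunks.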