Threat Research

    A China-linked cyber-espionage campaign attributed to UNC5221 targeted U.S. law firms and technology organizations. The attackers exploited zero-day vulnerabilities, deployed the BRICKSTORM backdoor, and maintained access for over a year to steal sensitive legal, trade, and national security information....
    Operation Dragon Weave is a suspected China-linked cyberespionage campaign targeting government officials and citizens in the Czech Republic and Taiwan through spearphishing emails containing malicious ZIP attachments....
    In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims....
    Webworm, a China-aligned APT group, has evolved its operations by shifting from traditional malware families toward stealthier custom tools and proxy-based techniques. In 2025, the group introduced new backdoors such as EchoCreep and GraphWorm, which abuse trusted platforms like Discord and Microsoft Graph API for command-and-control communication....
    UAT-8302 is a sophisticated China-linked APT group targeting South American government entities since late 2024 and southeastern European agencies in 2025. After gaining access, the group deploys several custom malware families previously associated with other China-nexus threat actors....
    A newly identified set of China-aligned campaigns is targeting government entities and critical infrastructure across South, East, and Southeast Asia, plus one NATO member state. This activity is being tracked as SHADOW-EARTH-053....
    On March 12, 2026, ThreatLabz identified a malicious ZIP archive that used military-themed documents as bait to target Chinese-speaking users. The operation relied on a tampered SumatraPDF executable to deliver an AdaptixC2 Beacon, which eventually led to the installation of Visual Studio Code on compromised systems....
    A threat campaign has published over 200 malicious packages to NPM, using names like “huggingface-cli,” “webflow,” and “codeium.” These packages pose as a new AI coding agent called “Stardrop,” which gives the campaign its name. Detection began on April 9, with an average of 40+ new packages appearing daily....
    A threat cluster tracked as UAT-10362 APT is conducting spear-phishing campaigns targeting Taiwanese NGOs and academic institutions, delivering a newly identified malware family called LucidRook. The malware uses a DLL-based stager embedding Lua and Rust components to execute staged payloads, with region-specific checks to target Traditional Chinese environments....
    Researchers uncovered multiple cyber-espionage campaigns targeting a Southeast Asian government organization. The investigation traced Stately Taurus activity (June–Aug 2025), involving USB-spread USBFect (HIUPAN) malware deploying a PUBLOAD backdoor....