top of page
ALL POSTS
China-Linked FishMonger APT Deploys SprySOCKS Windows Backdoor With Kernel-Level Stealth and UEFI Bootkit Capabilities
Key Findings FishMonger, a China-linked APT group, has ported SprySOCKS backdoor to Windows with two new variants: WIN_DRV and WIN_PLUS WIN_DRV uses kernel drivers to hide network connections, processes, files, and registry keys from user-level detection tools WIN_PLUS exploits the Windows Print Spooler service to blend malicious activity into normal system operations Both variants were deployed against government targets in Honduras, Taiwan, Thailand, and Pakistan between 20
Jun 173 min read
Evolution of Kazuar Botnet: How Russian APT Turla Developed Advanced Persistent Access Capabilities
Key Findings Russia-linked APT group Turla has evolved its Kazuar malware from a traditional backdoor into a modular peer-to-peer botnet designed for stealth and persistent access The upgraded malware uses Kernel, Bridge, and Worker modules to distribute tasks and maintain long-term control over compromised systems Only one elected "leader" node communicates with command-and-control servers while other infected machines operate silently, reducing detection risk Kazuar support
May 173 min read
Ghostwriter Group Escalates Attacks on Ukrainian Government With Geofenced PDF Phishing and Cobalt Strike
Key Findings ESET discovered new Ghostwriter (FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026 The threat actor is linked to the government of Belarus and has operated since at least 2016 under multiple aliases including UNC1151, UAC-0057, and Umbral Bison Attacks begin with spear-phishing emails containing PDFs impersonating Ukrtelecom, Ukraine's main telecommunications provider A geofencing mechanism delivers harmle
May 154 min read
GopherWhisper APT: China-Linked Campaign Deploys Go-Based Malware Against Mongolian Government
KEY FINDINGS ESET discovered GopherWhisper, a previously undocumented China-aligned APT group targeting Mongolian government institutions The group uses a toolkit primarily written in Go, including custom loaders, injectors, and multiple backdoors GopherWhisper abuses legitimate platforms like Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration At least 12 systems within a Mongolian government entity were confirmed infected, with dozens more sus
Apr 262 min read
FIRESTARTER Backdoor Persists on Federal Cisco Security Devices Despite Patches
Key Findings FIRESTARTER backdoor compromised a U.S. federal Cisco Firepower ASA device in September 2025 and persisted even after security patches were applied The malware survives firmware updates and device reboots by embedding itself in the boot sequence, requiring a hard power cycle to remove APT actors exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) to gain initial access before deploying FIRESTARTER for persistence Post-exploitation toolkit LINE VIPER
Apr 243 min read
Mustang Panda Deploys Enhanced LOTUSLITE Backdoor Against India and South Korea
Key Findings Mustang Panda, a China-linked hacking group, launched coordinated campaigns in March 2026 targeting India's financial sector and South Korean policy circles The group deployed an updated LOTUSLITE v1.1 backdoor with improved obfuscation techniques and modified command structures Indian banking workers were targeted via fake HDFC Bank support files, while South Korean diplomats received spear-phishing emails impersonating a former US National Security Council offi
Apr 223 min read
Red Menshen APT Deploys Stealthy BPFDoor Implants Across Telecom Networks for Surveillance Operations
Key Findings China-linked threat actor Red Menshen has maintained a long-term espionage campaign targeting telecom networks in the Middle East and Asia since at least 2021 The group deploys BPFDoor, a kernel-level Linux backdoor that operates as a "digital sleeper cell" with no visible listening ports or command-and-control beaconing BPFDoor inspects network traffic inside the kernel using Berkeley Packet Filter functionality, activating only when receiving a specially crafte
Mar 274 min read
Triangulation Operation: the framework known as Coruna
Key Findings Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign The exploit kit includes five full exploit chains and 23 total exploits, targeting iOS 13.0 through 17.2.1 Coruna contains four additional kernel exploits not seen in Triangulation, two developed after the original campaign's discovery Code analysis reveals Coruna was designed with unified architecture rather than patchworked co
Mar 264 min read
Beers with Talos: 2025 Year in Review - Speed, Scale, and Staying Power
Key Findings Exploitation velocity doubled in 2025, with new vulnerabilities weaponized within days while decade-old CVEs remain reliably exploited Identity systems became the primary attack surface, with compromised credentials enabling stealthy lateral movement and environment-wide control Approximately 25% of top exploited vulnerabilities targeted shared frameworks and libraries, amplifying blast radius across industries APT investigations and ransomware operations increas
Mar 232 min read
APT Linked to Russia Uses DRILLAPP Backdoor to Spy on Ukrainian Targets
Key Findings * Russia-linked APT group targets Ukrainian organizations using DRILLAPP backdoor * Utilizes Microsoft Edge debugging to evade detection * Two campaign variants observed in February 2026 * Capability to access file systems, microphone, camera, and screen recordings * Linked to Laundry Bear (UAC-0190/Void Blizzard) APT group Background The DRILLAPP backdoor campaign represents a sophisticated cyber espionage effort targeting Ukrainian entities. Attributed to a Rus
Mar 162 min read
Dindoor Malware Targets U.S. Networks in New MuddyWater Campaign
Key Findings Iran-linked MuddyWater (aka SeedWorm) APT group targeted U.S. organizations, including banks, airports, nonprofits, and a software supplier to the defense and aerospace sectors The group deployed a previously unknown backdoor called Dindoor, which leverages the Deno JavaScript runtime for execution An attempt was made to exfiltrate data from the targeted software company using the Rclone utility to a Wasabi cloud storage bucket A separate Python backdoor called F
Mar 62 min read
Dust Specter APT Targets Iraqi Government Officials with New AI-Assisted Malware
Key Findings Suspected Iran-nexus threat actor, tracked as "Dust Specter", targeted Iraqi government officials in a campaign observed in January 2026. The threat actor used phishing emails impersonating Iraq's Ministry of Foreign Affairs to deliver previously undocumented malware families, including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The attacks involved two different infection chains, one using a password-protected RAR archive and another consolidating the same fu
Mar 62 min read
Malware Attacks: Russian APT Targets Ukraine with BadPaw and MeowMeow
Key Findings Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain. The malware uses the .NET Reactor packer to make analysis and reverse engineering harder, showing th
Mar 52 min read
Google GTIG Disrupts China-Linked APT UNC2814, Halting Attacks on 53 Orgs in 42 Countries
Key Findings: Google Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign by UNC2814, a suspected China-linked cyber espionage group UNC2814 had breached at least 53 organizations across 42 countries, primarily targeting telecommunications and government sectors The group used a novel backdoor called GRIDTIDE that leveraged legitimate Google Sheets API functions for command-and-control GTIG took coordinated action to disrupt UNC2814's
Feb 272 min read
APT Exploits Dell RecoverPoint Zero-Day Since 2024
Key Findings A suspected China-linked APT group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024. The vulnerability, tracked as CVE-2026-22769, has a CVSS score of 10.0 and involves hardcoded credentials that can be abused to gain unauthorized access and root-level persistence. The group has used the flaw to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a no
Feb 182 min read
Fancy Bear Returns: APT28 Exploits Office Flaw in "Operation Neusploit"
Key Findings The notorious Russia-linked threat group APT28 (also known as Fancy Bear) has launched a new campaign dubbed "Operation Neusploit" targeting Central and Eastern Europe. The campaign leverages a recently patched Microsoft Office vulnerability, CVE-2026-21509, to deliver custom backdoors against strategic targets in Ukraine, Slovakia, and Romania. The attack uses specially crafted RTF documents as the initial vector, exploiting the vulnerability to initiate a multi
Feb 33 min read
Notepad++ Hosting Breach Tied to China's Lotus Blossom Hackers
Key Findings The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) The compromise occurred at the hosting provider level, not due to vulnerabil
Feb 33 min read
North Korea-Linked APT Exploits Sitecore Zero-Day in Attacks on Asian Critical Infrastructure
Key Findings A China-linked APT group, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least 2025. The threat actor has recently exploited a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS 9.0) to gain initial access to target networks. After obtaining a foothold, UAT-8837 deploys a range of open-source tools to harvest sensitive information, including credentials, security configurations, and Active Director
Jan 162 min read
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns
Key Findings The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks. Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware. Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em
Jan 112 min read
Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors
Key Findings Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy The scale of Infy's current activity is significantly larger than previously assessed The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant Attack chains have evolved from macro-laced documents to embedded execut
Dec 21, 20252 min read
bottom of page
