North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises
Key Findings: North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024. Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines. GitHub repositories are being abused as command and control infrastructure to exfiltrate stolen information while bypassing corporate security systems. The malware evades detection by checking for secur
Apr 4 · 3 min read
Google Disrupts Massive Cyberespionage Campaign Across Multiple Countries
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries. Key Findings: Google, in collaboration with industry partners, disrupted the infrastructure of the suspected China-nexus cyber espionage group UNC2814. UNC2814 breached at least 53 organizations across 42 countries in the Americas, Asia, and Africa. The threat actor may have targeted at least 20 additional countries. UNC2814 used a novel backdoor called GRIDTIDE that abuses Google Sheets API for comma
Feb 25 · 2 min read
China-Linked Amaranth-Dragon Weaponizes WinRAR Flaw to Spy on SE Asia
Key Findings: Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025. The activity cluster, tracked by Check Point Research under the moniker "Amaranth-Dragon," shares links to the APT 41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. The campaigns were timed to coincide with sensitive
Feb 5 · 2 min read
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver XoBot Malware
Key Findings: China-linked advanced persistent threat (APT) group Evasive Panda (also known as Bronze Highland, Daggerfly, and StormBamboo) conducted a cyber espionage campaign targeting victims in Türkiye, China, and India. The group used adversary-in-the-middle (AitM) attacks and DNS poisoning techniques to deliver its signature MgBot backdoor. The attackers leveraged lures that masqueraded as updates for third-party software, such as SohuVA, Baidu's iQIYI Video, IObit Smart
Dec 26, 2025 · 2 min read
MuddyWater Targets Turkey, Israel, and Azerbaijan with UDPGangster Backdoor
Key Findings: The Iranian hacking group known as MuddyWater has been observed deploying a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) communication. The cyber espionage activity targeted users in Turkey, Israel, and Azerbaijan. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. UDPGangste
Dec 8, 2025 · 2 min read
BadAudio malware: How APT24 scaled its cyberespionage through supply chain attacks
Key Findings: China-linked APT24 group used supply-chain attacks and multiple techniques over three years to deploy the BadAudio downloader and additional malware payloads. The group shifted from broad web compromises to more advanced techniques targeting Taiwan, including repeated supply-chain attacks through a compromised marketing firm and spear-phishing attacks. BadAudio is a custom C++ first-stage downloader that pulls an AES-encrypted payload from a fixed C2 server and run
Nov 23, 2025 · 2 min read
