ALL POSTS
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies
Key Findings: North Korean IT operatives are applying to remote positions using real LinkedIn accounts of individuals they are impersonating. The goal is to secure jobs at Western companies and conduct espionage, data theft, and ransomware attacks. The threat is tracked by the cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole. The impersonated LinkedIn profiles often have verified workplace emails and identity badges to appear legitimate. Once employed, the DPRK w
Feb 11 · 2 min read
Notepad++ Targeted by China-Based Espionage Group for Six Months
Key Findings: China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025. The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities. The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users. The attackers exploited "insufficient upda
Feb 2 · 2 min read
Former Google Engineer Convicted of Stealing AI Secrets for China
Key Findings: Former Google software engineer Linwei Ding (also known as Leon Ding) was convicted by a federal jury on 7 counts of economic espionage and 7 counts of theft of trade secrets. Ding stole over 2,000 confidential documents containing Google's trade secrets related to artificial intelligence (AI) technology. The stolen information included details about Google's custom Tensor Processing Unit (TPU) chips, Graphics Processing Unit (GPU) systems, software orchestratin
Jan 30 · 2 min read
China-Linked UAT-7290 Targets Telecom Networks Across Asia and Europe
Key Findings: China-linked threat actor UAT-7290 has conducted espionage attacks since at least 2022, targeting South Asia and Southeastern Europe. UAT-7290 primarily targets telecom providers, conducting espionage by deeply embedding in victim networks and operating Operational Relay Box (ORB) infrastructure. The threat actor uses a broad toolset, including open-source tools, custom malware, and one-day exploits against edge networking devices. Attacks are preceded by extensive
Jan 9 · 2 min read
New NANOREMOTE Backdoor Uses Google Drive API for Covert C2 and Links to FINALDRAFT Espionage Group
Key Findings: Elastic Security Labs has uncovered a sophisticated new Windows backdoor called NANOREMOTE that leverages the Google Drive API for covert command-and-control (C2) and data exfiltration operations. NANOREMOTE employs legitimate cloud services to blend its malicious traffic with normal network activity, making it extremely difficult for traditional security tools to detect. The malware uses OAuth 2.0 tokens to authenticate with Google's servers and create a covert
Dec 15, 2025 · 2 min read
React2Shell: Widespread Exploitation of Max-Score RCE (CVSS 10.0) by Espionage Groups and Miners
Key Findings: React2Shell (CVE-2025-55182), a critical vulnerability in React Server Components, was disclosed on December 3, 2025, carrying a maximum CVSS score of 10.0 and enabling unauthenticated remote code execution. Shortly after disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation across various threat actor groups, ranging from opportunistic cybercriminals to suspected espionage groups. Several distinct campaigns were identified, inc
Dec 13, 2025 · 2 min read
APT24 Deploys BADAUDIO in Years-Long Espionage Hitting ... and More
Key Findings: China-nexus threat actor APT24 (also called Pitty Tiger) has been using a previously undocumented malware called BADAUDIO in a nearly 3-year espionage campaign. The campaign has targeted organizations in Taiwan, leveraging tactics like strategic website compromises, supply chain attacks, and targeted phishing. BADAUDIO is a highly obfuscated C++ malware that serves as a first-stage downloader, capable of fetching and executing encrypted payloads from command-and-
Nov 21, 2025 · 2 min read
Anthropic: China-Backed Hackers Unleash First Large-Scale Autonomous AI Cyberattack
Key Findings: China-linked threat actors used Anthropic's AI system, Claude, to automate and execute a sophisticated espionage campaign in September 2025. The cyberspies leveraged advanced "agentic" capabilities of the AI system, allowing it to act autonomously and perform a range of malicious activities with minimal human oversight. The attack targeted about 30 global organizations across tech, finance, chemicals, and government sectors, succeeding in a few cases. This incide
Nov 16, 2025 · 2 min read
Chinese Hackers Exploit Anthropic AI to Orchestrate Automated Cyber Attacks
Key Findings: Chinese state-sponsored hackers successfully used Anthropic's AI coding tool, Claude Code, to automate a large-scale cyber espionage campaign targeting about 30 global organizations. The hackers manipulated Claude Code to act as an "autonomous cyber attack agent," executing 80-90% of the tactical operations with minimal human involvement. The campaign, codenamed GTG-1002, marks the first documented case of a foreign government leveraging AI to fully automate a cybe
Nov 14, 2025 · 2 min read
China-Linked Hackers Target U.S. Entities in Long-Term Espionage Campaigns
Key Findings: China-linked hackers targeted a U.S. non-profit organization in a long-term espionage campaign. The group gained access to the network for several weeks in April 2025 and used various techniques to establish persistence and maintain long-term access. The attackers leveraged DLL sideloading via the vetysafe.exe application, a tactic commonly associated with China-linked APT groups such as Space Pirates, Kelp, and Earth Longzhi (a subgroup of APT41). The group also
Nov 8, 2025 · 2 min read