UNC1069 Uses New Tools to Target Crypto Entities
Feb 20, 2026 1:53:03 PM / by The Hivemind posted in Threat Bulletin, social engineering, Cryptocurrency Theft, MacOS malware, North Korean threat actors, DeFi targeting, deepfake, UNC1069
Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH
“Shadow Campaigns” Show Evidence of Global Espionage Using ShadowGuard Rootkit
Feb 13, 2026 1:01:00 PM / by The Hivemind posted in Threat Bulletin, Cobalt Strike, cyber espionage, government targeting, TGR-STA-1030, Diaoyu Loader, ShadowGuard rootkit, eBPF backdoor, global reconnaissance, Shadow Campaigns, state-aligned threat
Verticals Targeted: Government, Telecommunications, Finance, Aerospace
Regions Targeted: North America, South America, Africa, Europe, Asia
Related Families: Diaoyu Loader, ShadowGuard, Cobalt Strike, VShell
Executive Summary
A sophisticated state-aligned cyberespionage operation attributed to TGR-STA-1030 (also tracked as UNC6619) has been discovered, operating from Asia. It has compromised government and critical infrastructure entities across 37 countries over the past year while conducting reconnaissance against government infrastructure in 155 countries. The group's “Shadow Campaigns” leverage phishing, N-day exploitations, and advanced tooling to prioritize intelligence collection on economic partnerships, trade, and diplomatic activities.
Fancy Bear Leveraging CVE-2026-21509 in Operation Neusploit
Feb 9, 2026 12:29:14 PM / by The Hivemind posted in Threat Bulletin, Fancy Bear, MiniDoor, CVE-2026-21509, PixyNetLoader, Covenant Grunt, Operation Neusploit, email stealer
Verticals Targeted: Not specified
Regions Targeted: Central and Eastern Europe
Related Families: MiniDoor, Covenant Grunt, PixyNetLoader
Executive Summary
Operation Neusploit is a campaign attributed with high confidence to the Russia-linked Fancy Bear group, which exploits the zero-day vulnerability CVE-2026-21509 in Microsoft RTF files to deploy backdoors and email stealers targeting users in Central and Eastern Europe. The multi-stage infection chain delivers MiniDoor for email exfiltration from Outlook and PixyNetLoader leading to a Covenant Grunt implant for C2.
Labyrinth Chollima Expands Activity, Spawns Offshoots
Feb 6, 2026 12:15:57 PM / by The Hivemind posted in Threat Bulletin, Labyrinth Chollima, Golden Chollima, Pressure Chollima, North Korea Cryptocurrency Theft, Fudmodule Malware, DPRK Cyber Threats, Hoplight Lineage
Verticals Targeted: Cryptocurrency, Financial, Industrial, Manufacturing, Defense, Aerospace, Logistics, Shipping
Regions Targeted: United States, Canada, South Korea, India, Europe, Japan, Italy
Related Families: Multiple families per threat actor
Executive Summary
Labyrinth Chollima operations have segmented into three distinct entities since 2018: Golden Chollima and Pressure Chollima, focused on cryptocurrency theft, and the core Labyrinth Chollima group, oriented toward espionage. Despite operational separation, the groups share tools, infrastructure, and tradecraft rooted in common malware frameworks, reflecting coordinated resource management within North Korea's cyber apparatus.
China Nexus Threat Actors Use PeckBirdy C2 Framework
Feb 2, 2026 1:43:12 PM / by The Hivemind posted in Threat Bulletin, China-aligned APT, SHADOW-VOID-044, watering hole attacks, LOLBins exploitation, SHADOW-EARTH-045, HOLODONUT backdoor, MKDOOR backdoor, PeckBirdy framework
Verticals Targeted: Gambling, Government
Regions Targeted: China, Philippines, Broader Asia
Related Families: HOLODONUT, MKDOOR
Executive Summary
Researchers have identified PeckBirdy, a versatile JScript-based C2 framework, deployed since 2023 in campaigns linked to China-aligned APT actors. This framework supports multiple execution environments via living-off-the-land binaries and delivers modular backdoors in operations targeting gambling operations and government entities.
Osiris Ransomware
Jan 30, 2026 12:41:59 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Wasabi exfiltration, new ransomware family, Inc ransomware links, Poortry driver, BYOVD attack, Osiris ransomware, Rustdesk modification
Verticals Targeted: Food & Beverage
Regions Targeted: Southeast Asia
Related Families: Inc
Mustang Panda’s LotusLite Backdoor
Jan 26, 2026 2:03:02 PM / by The Hivemind posted in Threat Bulletin, Mustang Panda, DLL sideloading, LOTUSLITE backdoor, espionage campaign, custom C++ implant, geopolitical lure, US government targeting
Verticals Targeted: Government, Policy-Focused Organizations
Regions Targeted: US
Related Families: None
Executive Summary
China nexus threat actors launched a targeted espionage campaign against US government and policy-related entities, delivering a custom backdoor named LOTUSLITE via politically themed spear-phishing lures centered on US-Venezuela relations. The campaign prioritizes reliable espionage capabilities over technical sophistication, with moderate-confidence attribution to Mustang Panda based on shared delivery patterns, infrastructure, and operational behaviors.
SOLYXIMMORTAL: A Python-Based Infostealer
Jan 23, 2026 1:25:13 PM / by The Hivemind posted in Threat Bulletin, credential theft, information stealer, keylogger, Python stealer, Discord C2, SolyxImmortal, screenshot capture
Verticals Targeted: None specified
Regions Targeted: None specified
Related Families: None