Verticals Targeted: Financial, Government
Regions Targeted: Southern Europe
Related Families: None
Massiv Android Banking Trojan
Feb 23, 2026 2:39:35 PM / by The Hivemind posted in Threat Bulletin, device takeover, Android banking trojan, Android Overlay Attacks, IPTV masquerade, mobile banking fraud, remote control Android, Massiv malware, southern Europe threats
UNC1069 Uses New Tools to Target Crypto Entities
Feb 20, 2026 1:53:03 PM / by The Hivemind posted in Threat Bulletin, social engineering, Cryptocurrency Theft, MacOS malware, North Korean threat actors, DeFi targeting, deepfake, UNC1069
Verticals Targeted: Cryptocurrency, Financial
Regions Targeted: Not specified
Related Families: SUGARLOADER, WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, CHROMEPUSH
Executive Summary
A targeted intrusion into a FinTech entity in the cryptocurrency sector was attributed to UNC1069, a North Korea-nexus, financially motivated threat actor. The operation deployed seven distinct malware families on a macOS host. Initial access relied on layered social engineering: a compromised Telegram account, a spoofed Zoom meeting, a reported deepfake video, and a ClickFix-style lure that had the victim execute the first-stage payload themselves.
“Shadow Campaigns” Show Evidence of Global Espionage Using ShadowGuard Rootkit
Feb 13, 2026 1:01:00 PM / by The Hivemind posted in Threat Bulletin, Cobalt Strike, cyber espionage, government targeting, TGR-STA-1030, Diaoyu Loader, ShadowGuard rootkit, eBPF backdoor, global reconnaissance, Shadow Campaigns, state-aligned threat
Verticals Targeted: Government, Telecommunications, Finance, Aerospace
Regions Targeted: North America, South America, Africa, Europe, Asia
Related Families: Diaoyu Loader, ShadowGuard, Cobalt Strike, VShell
Executive Summary
A sophisticated state-aligned cyberespionage operation attributed to TGR-STA-1030 (also tracked as UNC6619), operating out of Asia, has been discovered. It has compromised government and critical infrastructure entities across 37 countries over the past year while conducting reconnaissance against government infrastructure in 155 countries. The group's "Shadow Campaigns" combine phishing, N-day exploitation, and advanced tooling, with collection prioritized on economic partnerships, trade, and diplomatic activities.
Fancy Bear Leveraging CVE-2026-21509 in Operation Neusploit
Feb 9, 2026 12:29:14 PM / by The Hivemind posted in Threat Bulletin, Fancy Bear, MiniDoor, CVE-2026-21509, PixyNetLoader, Covenant Grunt, Operation Neusploit, email stealer
Verticals Targeted: Not specified
Regions Targeted: Central and Eastern Europe
Related Families: MiniDoor, Covenant Grunt, PixyNetLoader
Executive Summary
Operation Neusploit is a campaign attributed with high confidence to the Russia-linked Fancy Bear group. It exploits the zero-day vulnerability CVE-2026-21509 via malicious RTF files to deploy backdoors and email stealers against users in Central and Eastern Europe. The multi-stage infection chain delivers MiniDoor, which exfiltrates email from Outlook, and PixyNetLoader, which in turn loads a Covenant Grunt implant for C2.
Labyrinth Chollima Expands Activity, Spawns Offshoots
Feb 6, 2026 12:15:57 PM / by The Hivemind posted in Threat Bulletin, Labyrinth Chollima, Golden Chollima, Pressure Chollima, North Korea Cryptocurrency Theft, Fudmodule Malware, DPRK Cyber Threats, Hoplight Lineage
Verticals Targeted: Cryptocurrency, Financial, Industrial, Manufacturing, Defense, Aerospace, Logistics, Shipping
Regions Targeted: United States, Canada, South Korea, India, Europe, Japan, Italy
Related Families: Multiple families per threat actor
Executive Summary
Since 2018, Labyrinth Chollima operations have split into three distinct entities: Golden Chollima and Pressure Chollima, both focused on cryptocurrency theft, and the core Labyrinth Chollima group, oriented toward espionage. Despite this operational separation, the groups share tools, infrastructure, and tradecraft rooted in common malware frameworks, reflecting coordinated resource management within North Korea's cyber apparatus.
China Nexus Threat Actors Use PeckBirdy C2 Framework
Feb 2, 2026 1:43:12 PM / by The Hivemind posted in Threat Bulletin, China-aligned APT, SHADOW-VOID-044, watering hole attacks, LOLBins exploitation, SHADOW-EARTH-045, HOLODONUT backdoor, MKDOOR backdoor, PeckBirdy framework
Verticals Targeted: Gambling, Government
Regions Targeted: China, Philippines, Broader Asia
Related Families: HOLODONUT, MKDOOR
Executive Summary
Researchers have identified PeckBirdy, a versatile JScript-based C2 framework deployed since 2023 in campaigns linked to China-aligned APT actors. The framework runs under multiple execution environments by way of living-off-the-land binaries and delivers modular backdoors in operations targeting gambling businesses and government entities.
Osiris Ransomware
Jan 30, 2026 12:41:59 PM / by The Hivemind posted in Threat Bulletin, Emerging Threat, Wasabi exfiltration, new ransomware family, Inc ransomware links, Poortry driver, BYOVD attack, Osiris ransomware, Rustdesk modification
Verticals Targeted: Food & Beverage
Regions Targeted: Southeast Asia
Related Families: Inc
Mustang Panda’s LotusLite Backdoor
Jan 26, 2026 2:03:02 PM / by The Hivemind posted in Threat Bulletin, Mustang Panda, DLL sideloading, LOTUSLITE backdoor, espionage campaign, custom C++ implant, geopolitical lure, US government targeting
Verticals Targeted: Government, Policy-Focused Organizations
Regions Targeted: US
Related Families: None