Threat Research

    APT28, a Russian state-sponsored threat group also known as Fancy Bear or UAC-0001, is conducting a sophisticated espionage campaign against European military and government entities. The operation primarily targets maritime and transportation organizations in Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine....
    In January 2026, an in-the-wild campaign dubbed Operation Neusploit targeting Central and Eastern Europe was uncovered. The attackers used malicious Microsoft RTF files to exploit CVE-2026-21509 and deploy backdoors via a multi-stage infection chain....
    Between February and September 2025, multiple credential-harvesting campaigns were attributed to BlueDelta, a Russian state-sponsored threat group linked to the GRU. These operations expand on BlueDelta’s ongoing credential-theft activity previously documented in Insikt Group’s December 2025 report. During 2025, BlueDelta targeted a limited but distinct set of victims....
    PHALT#BLYX is a multi-stage malware campaign targeting the hospitality sector that relies on click-fix social engineering, fake CAPTCHAs, and fake BSOD pages delivered via Booking.com–themed phishing lures....
    Operation highlights how the Chinese-linked threat actor Ink Dragon is expanding and refining its cyber-espionage campaigns. The group has shifted increased attention toward European government targets while maintaining activity in Southeast Asia and South America....
    In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....
    North Korea-linked Lazarus Group has launched a new wave of Operation DreamJob, targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The campaign uses trojanized open-source GitHub projects and the ScoringMathTea malware to steal proprietary data and manufacturing know-how....
    As of mid-September 2025, GOLD SALEM has named 60 victims, placing it mid-tier among active ransomware groups. Its targets range from small entities to major multinational firms across North America, Europe, and South America. Consistent with typical ransomware behavior, the group has mostly avoided victims in China and Russia....
    On September 15, attackers launched a targeted phishing campaign to compromise NPM maintainer accounts and inject malicious code into popular JavaScript packages. The attack enabled supply chain compromise, affecting key packages used in application development and cryptography....
    EvilAI disguises itself as legitimate productivity or AI tools, using professional interfaces and valid digital signatures to avoid detection. It has spread globally, with the greatest impact seen in Europe, the Americas, and the AMEA region. Targeted sectors include manufacturing, government/public services, and healthcare....