Silk Typhoon cloud espionage campaign against North American organizations
Campaign
Summary
Silk Typhoon has run a cloud-relationship espionage campaign since 2023, using third-party SaaS and cloud providers to reach downstream targets across North America. The operation has focused on high-profile organizations in government, technology, academic, legal, and professional services. The shift from direct intrusion to abusing trusted provider relationships makes detection harder and broadens downstream risk.
Related Happenings
Sha1-Hulud supply-chain campaign expands secret theft across npm and GitHub
Campaign
First: 02.01.2026 16:19
Last: 02.01.2026 16:19
Sources 1
About this happening:
**Shai-Hulud** is a **self-replicating npm supply-chain worm** that first appeared in **September 2025** and spread by stealing **developer secrets** and **GitHub tokens** from co...
Latest development: 26.01.2026 16:02
Koi Security found PackageGate flaws in pnpm, vlt, Bun, and NPM that let a malicious `.npmrc` override the git binary path during Git repository installs, bypass `--ignore-scripts=true` and trigger full code execution. Bun patched the flaws in version 1.3.5, vlt fixed them after Koi's report, pnpm released fixes for CVE-2025-69263 and CVE-2025-69264, and NPM closed the report as "works as expected."
Microsoft hardens Microsoft 365 and Office 2024 by disabling ActiveX and blocking legacy-auth access
Defensive Guidance
First: 11.12.2025 18:00
Last: 11.12.2025 18:00
Sources 1
About this happening:
Microsoft hardened **Microsoft 365** and **Office 2024** by disabling **all ActiveX controls** and tightening defaults to block **legacy authentication** access to **SharePoint**,...
Widespread malicious OAuth app prevalence across Microsoft 365 tenants
Target Trend
First: 20.10.2025 17:00
Last: 20.10.2025 17:00
Sources 1
About this happening:
Researchers found **malicious OAuth apps** were present across a measurable share of **Microsoft 365 / Azure tenants**, indicating a persistent identity-abuse risk rather than iso...
RedNovember-Storm-2077-TAG-100 alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 24.09.2025 19:36
Last: 24.09.2025 19:36
Sources 1
About this happening:
**Recorded Future** has reclassified **TAG-100** as **RedNovember**, clarifying a **Chinese state-sponsored** espionage actor also tracked by **Microsoft** as **Storm-2077**. The...
UNC5221 BRICKSTORM espionage campaign targeting U.S. legal, SaaS, BPO, and technology firms
Campaign
First: 24.09.2025 17:33
Last: 24.09.2025 17:33
Sources 1
About this happening:
**UNC5221** is running a **BRICKSTORM** espionage campaign that has maintained access in victim networks for an average of **393 days** and has been active since **March 2025**. G...
Timeline
- 22.08.2025 23:52 · 1 article · 9mo ago
Silk Typhoon cloud espionage campaign against North American organizations
Initial Disclosure: CrowdStrike detailed a Silk Typhoon campaign in which the actor, also known as Hafnium and Murky Panda and linked to China's Ministry of State Security (MSS), used third-party cloud-based software and service providers since 2023 to spy on high-profile organizations in government, technology, academic, legal, and professional services across North America. The activity included compromised application registration secrets, a trusted Microsoft cloud solution provider with an "admin agent" user, and stolen emails from a victim tenant, while an early blog-post reference to CVE-2025-3928 in Commvault Web Server was later removed.
Sources
- Silk Typhoon Attacks North American Orgs in the Cloud — www.darkreading.com — 22.08.2025 23:52