Find notable cyber news and cases, enriched with sources, timelines, and signals.

UTA0388 spear-phishing campaign delivering GOVERSHELL

Campaign
First reported
Last updated
Happening score
H score 35
2 unique sources, 2 articles

Summary

Hide ▲

A China-aligned actor, UTA0388, is running a spear-phishing campaign across North America, Asia, and Europe to deliver the GOVERSHELL implant. The operation matters because it uses tailored espionage lures, malicious archives, and DLL side-loading to push an actively developed backdoor.

Related Happenings

OP-512 Microsoft IIS espionage campaign

Campaign
H score52 First: 05.06.2026 15:33 Last: 05.06.2026 15:33 Sources 1

About this happening: **OP-512** is an active **espionage campaign** targeting **Microsoft IIS servers** with a **bespoke web shell framework**, increasing the risk of stealthy remote access on exposed...

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

Operation Dragon Weave cyber-espionage campaign

Campaign
H score37 First: 01.06.2026 14:54 Last: 01.06.2026 14:54 Sources 1

About this happening: The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...

Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations

Campaign
H score33 First: 22.05.2026 19:20 Last: 22.05.2026 19:20 Sources 1

About this happening: A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...

Timeline

  1. 09.10.2025 20:19 3 articles · 9mo ago

    Volexity attributes UTA0388 spear-phishing campaign to GOVERSHELL

    Initial Disclosure

    Volexity attributes a China-aligned actor codenamed UTA0388 to spear-phishing campaigns targeting North America, Asia, and Europe that deliver the Go-based implant GOVERSHELL. The operation uses tailored lures, fabricated researcher and analyst personas, remotely hosted or self-hosted archive links, and DLL side-loading to launch a backdoor Volexity says overlaps Proofpoint's UNK_DropPitch cluster and succeeds the HealthKick malware family. The campaign set includes five identified GOVERSHELL variants first observed between April 2025 and September 2025, and the actor is assessed to have used OpenAI ChatGPT to generate phishing content in English, Chinese, and Japanese and to support malicious workflows.

    Show sources