UNC2814 Campaign Targeting Telecom and Government Networks
Summary
A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2023, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but the actor has previously exploited flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands and for uploading and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.
Timeline
-
25.02.2026 19:00 (2 articles)
UNC2814 Campaign Disrupted by Google, Mandiant, and Partners
Google’s Threat Intelligence Group (GTIG), Mandiant, and partners disrupted a global espionage campaign attributed to the suspected Chinese threat actor UNC2814. The campaign, active since at least 2023, targeted telecom and government networks, impacting 53 organizations in 42 countries. The actor deployed the GRIDTIDE backdoor, which abuses the Google Sheets API for C2 operations. The disruption involved terminating associated Google Cloud projects, disabling known infrastructure, revoking Google Sheets API access, and sinkholing current and historical domains. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. The article also notes that GRIDTIDE uses a cell-based polling mechanism for C2 communication, with specific roles assigned to certain spreadsheet cells. UNC2814 leverages living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and persistence, and deploys SoftEther VPN Bridge to establish outbound encrypted connections. GRIDTIDE is dropped on endpoints containing personally identifiable information (PII), and no data exfiltration was observed during the campaign.
- Chinese cyberspies breached dozens of telecom firms, govt agencies — www.bleepingcomputer.com — 25.02.2026 19:00
- Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries — thehackernews.com — 25.02.2026 19:46
Information Snippets
-
The campaign has been active since at least 2023 and has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
The initial access vector is unknown, but the threat actor has previously exploited flaws in web servers and edge systems.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
The GRIDTIDE backdoor authenticates to a Google Service Account using a hardcoded private key and performs host reconnaissance, collecting details such as username, hostname, OS details, local IP, locale, and timezone.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
GRIDTIDE uses the Google Sheets API for C2 operations and supports commands for executing bash commands and for uploading and downloading files.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects, disabling known infrastructure, revoking Google Sheets API access, and sinkholing current and historical domains.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
Google expects UNC2814 to resume activity using new infrastructure in the near future.
First reported: 25.02.2026 19:00 (2 sources, 2 articles: BleepingComputer, The Hacker News)
-
UNC2814 has been tracked by Google since 2017.
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
-
GRIDTIDE uses a cell-based polling mechanism for C2 communication, with specific roles assigned to certain spreadsheet cells.
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
-
UNC2814 leverages living-off-the-land (LotL) binaries for reconnaissance, privilege escalation, and persistence.
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
-
The threat actor deploys SoftEther VPN Bridge to establish outbound encrypted connections.
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
-
GRIDTIDE is dropped on endpoints containing personally identifiable information (PII).
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
-
Google did not observe any data exfiltration during the campaign.
First reported: 25.02.2026 19:46 (1 source, 1 article: The Hacker News)
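The snippets above describe GRIDTIDE authenticating to a Google Service Account and polling spreadsheet cells over the Sheets API at fixed intervals. The detection below is an added example, not code from Google, Mandiant, or the GRIDTIDE report: it runs over constructed proxy log lines and flags non-browser processes that contact sheets.googleapis.com on a regular cadence. The log format, the browser allow-list, and the thresholds are assumptions for illustration.

```python
"""Flag GRIDTIDE-style periodic polling of the Google Sheets API.

Added example (not from the original report). Assumes proxy logs in a
constructed "timestamp|host|process|destination" format and flags
non-browser processes that reach sheets.googleapis.com at machine-like
intervals. Thresholds are illustrative, not vendor-published values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SHEETS_API = "sheets.googleapis.com"
# Processes for which Sheets traffic is expected (assumed allow-list).
BROWSERS = {"chrome", "firefox", "msedge", "safari"}
MIN_REQUESTS = 4    # enough samples to judge periodicity
MAX_JITTER = 0.25   # stdev/mean of request gaps; lower = more regular

# Constructed sample log lines: srv-01 polls every ~60 s from a daemon,
# ws-07 is a human using Chrome, srv-02 is a one-off, srv-03 is irregular.
SAMPLE_LOG = """\
2026-02-25T10:00:00Z|srv-01|hostd|sheets.googleapis.com
2026-02-25T10:01:00Z|srv-01|hostd|sheets.googleapis.com
2026-02-25T10:02:01Z|srv-01|hostd|sheets.googleapis.com
2026-02-25T10:03:00Z|srv-01|hostd|sheets.googleapis.com
2026-02-25T10:04:00Z|srv-01|hostd|sheets.googleapis.com
2026-02-25T10:00:05Z|ws-07|chrome|sheets.googleapis.com
2026-02-25T10:00:09Z|ws-07|chrome|sheets.googleapis.com
2026-02-25T10:03:40Z|ws-07|chrome|sheets.googleapis.com
2026-02-25T10:07:02Z|ws-07|chrome|sheets.googleapis.com
2026-02-25T10:09:00Z|ws-07|chrome|sheets.googleapis.com
2026-02-25T10:00:30Z|srv-02|python3|sheets.googleapis.com
2026-02-25T10:00:31Z|srv-02|python3|www.example.com
2026-02-25T10:00:00Z|srv-03|curl|sheets.googleapis.com
2026-02-25T10:00:10Z|srv-03|curl|sheets.googleapis.com
2026-02-25T10:03:30Z|srv-03|curl|sheets.googleapis.com
2026-02-25T10:04:00Z|srv-03|curl|sheets.googleapis.com
2026-02-25T10:19:00Z|srv-03|curl|sheets.googleapis.com
"""


def parse(log):
    """Yield (timestamp, host, process, destination) for each log line."""
    for line in log.splitlines():
        ts, host, proc, dest = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, dest


def find_sheets_beacons(log):
    """Return {(host, process): (count, mean_gap_s, jitter)} for suspects.

    A (host, process) pair is flagged when it is not a known browser,
    has at least MIN_REQUESTS calls to the Sheets API, and the relative
    spread of the gaps between calls is at most MAX_JITTER.
    """
    series = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if dest == SHEETS_API and proc.lower() not in BROWSERS:
            series[(host, proc)].append(ts)
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= MAX_JITTER:
            flagged[key] = (len(stamps), round(avg, 1), round(jitter, 3))
    return flagged
```

On the constructed sample only srv-01/hostd is flagged; the browser is allow-listed, the one-off has too few requests, and the irregular curl series exceeds the jitter bound.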
Similar Happenings
Increase in Stealthy Persistence and Evasion Techniques for Data Extortion
Threat actors are increasingly favoring stealthy persistence and evasion techniques to silently exfiltrate data for extortion. According to Picus Security's Red Report 2026, attackers are blending in with legitimate traffic and operating through trusted processes to stay hidden from network defenders. Process injection remains the top malicious technique, enabling attackers to hide malicious code inside legitimate applications. Additionally, attackers are routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to evade detection. The use of 'data encrypted for impact' has dropped by 38% annually, indicating a shift towards silent data exfiltration. The report also highlights sophisticated evasion techniques such as those of the LummaC2 infostealer, which uses trigonometry to detect sandbox environments and avoid detonation. Virtualization/sandbox evasion is now the fourth most prevalent MITRE ATT&CK technique observed.
WeepSteel Malware Deployed via Sitecore Zero-Day Exploit
Threat actors have exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690, affects versions prior to 9.0 and was exploited using a sample machine key from outdated deployment guides. The attack involved ViewState deserialization, internal reconnaissance, and the deployment of various open-source tools for persistence and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. The vulnerability has a CVSS score of 9.0, indicating critical severity.

The China-linked threat group Ink Dragon has been observed turning misconfigured servers in European government networks into relay nodes to hide its cyber-espionage activity. Ink Dragon probes public-facing websites for weaknesses, including configuration issues in Microsoft's IIS web server and SharePoint. Once a foothold is established, the group moves quietly through the environment, collecting credentials and using Remote Desktop for lateral movement. Ink Dragon maps the environment in detail, controls policy settings, and deploys long-term access tools across high-value systems. The group uses compromised organizations to support operations elsewhere, deploying a customized IIS-based module to turn public-facing servers into relay points. Ink Dragon has updated its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity. A second China-linked group, RudePanda, has entered some of the same European government networks and exploited the same exposed server vulnerability.

A threat actor likely aligned with China, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least last year. UAT-8837 is primarily tasked with obtaining initial access to high-value organizations. The group deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information. UAT-8837 exploits a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access. The group disables RestrictedAdmin for Remote Desktop Protocol (RDP) to ensure credentials and other user resources aren't exposed to compromised remote hosts. UAT-8837 downloads several artifacts including GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to enable post-exploitation. The group exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility of future trojanization and supply chain compromises.
Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure
Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations.

Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives.

APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives.

APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution.

Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored APT actors have dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia, with Taiwan's National Security Bureau (NSB) reporting 960,620,609 intrusion attempts in 2025, a 6% year-over-year increase and a 112.5% surge since 2023. The energy sector faced a tenfold spike in attacks, while emergency/hospital systems saw a 54% rise, including ransomware deployments disrupting operations in at least 20 hospitals and stolen medical data sold on dark web forums.

In February 2026, Singapore's Cyber Security Agency (CSA) confirmed that UNC3886, a China-nexus APT group, executed a deliberate cyber espionage campaign against all four of Singapore's major telecommunications operators (M1, SIMBA Telecom, Singtel, StarHub). The actors weaponized a zero-day exploit to bypass perimeter defenses, deployed rootkits for persistence, and exfiltrated technical network data, though no personal customer data was compromised. Singapore's Operation CYBER GUARDIAN, the country's largest and longest-running anti-cyber threat effort, successfully disrupted UNC3886's access, engaged over 100 investigators from six agencies, and expanded monitoring to banking, transport, and healthcare sectors to prevent lateral movement. This campaign underscores the PRC's growing focus on Southeast Asian critical infrastructure alongside its long-standing operations in Taiwan and North America.

The campaigns, attributed to BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886, leverage hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises, often correlating with PLA military drills, political events, and visits by Taiwanese officials. Taiwan's NSB is now collaborating with 30+ countries on joint investigations, while advisories from CISA, NSA, and allies warn of a shift from espionage to potential disruptive capabilities. Earlier phases targeted U.S. government agencies (CBO, Treasury, CFIUS), European telecoms, and global critical infrastructure via exploits in Cisco, Ivanti, Palo Alto, and Citrix devices.
Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign
APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure.

Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India. The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list.

APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.