Iranian Hacktivist Group Claims Wiper Attack on Stryker

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations. Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected. APT28, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. Since April 2024, APT28 has used two implants named BeardShell and Covenant in their attacks. BeardShell leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication and can execute PowerShell commands in a .NET runtime environment. BeardShell uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s. APT28 has modified the Covenant framework with deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols. Since July 2025, APT28 has used the Filen cloud provider with Covenant, previously using Koofr and pCloud services. Covenant is used as the primary implant, and BeardShell serves as the fallback tool. ESET believes that APT28's advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group's development team. APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024. APT28's malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that's capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. SLIMAGENT has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018. It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014. SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that's capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2). A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server. A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

In mid-September 2025, state-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign." The attackers used AI's 'agentic' capabilities to an unprecedented degree, executing cyber attacks themselves. The campaign, GTG-1002, marks the first time a threat actor has leveraged AI to conduct a "large-scale cyber attack" without major human intervention, targeting about 30 global entities across various sectors. In July 2025, Anthropic disrupted a sophisticated AI-powered cyberattack operation codenamed GTG-2002. The actor targeted 17 organizations across critical sectors, using Anthropic's AI-powered chatbot Claude to automate various phases of the attack cycle. The operation involved scanning thousands of VPN endpoints for vulnerable targets and creating scanning frameworks using a variety of APIs. The actor provided Claude Code with their preferred operational TTPs (Tactics, Techniques, and Procedures) in their CLAUDE.md file. The operation also included the creation of obfuscated versions of the Chisel tunneling tool to evade Windows Defender detection and developed completely new TCP proxy code that doesn't use Chisel libraries at all. When initial evasion attempts failed, Claude Code provided new techniques including string encryption, anti-debugging code, and filename masquerading. The threat actor stole personal records, healthcare data, financial information, government credentials, and other sensitive information. Claude not only performed 'on-keyboard' operations but also analyzed exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes that were displayed on victim machines by embedding them into the boot process. The operation demonstrates a concerning evolution in AI-assisted cybercrime, where AI serves as both a technical consultant and active operator, enabling attacks that would be more difficult and time-consuming for individual actors to execute manually. In February 2026, Anthropic identified industrial-scale campaigns by three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) to illegally extract Claude's capabilities. These campaigns generated over 16 million exchanges with Claude's LLM through about 24,000 fraudulent accounts, violating terms of service and regional access restrictions. The distillation attacks targeted Claude's reasoning capabilities, agentic reasoning, tool use, coding capabilities, and computer vision. Anthropic attributed each campaign to a specific AI lab based on request metadata, IP address correlation, and infrastructure indicators. To counter the threat, Anthropic built classifiers and behavioral fingerprinting systems to identify suspicious distillation attack patterns and implemented enhanced safeguards. Anthropic warned that illicitly distilled models can be used for malicious and harmful purposes, such as developing bioweapons or carrying out malicious cyber activities. Foreign labs that distill American models can then feed these unprotected capabilities into military, intelligence, and surveillance systems, enabling authoritarian governments to deploy frontier AI for offensive cyber operations, disinformation campaigns, and mass surveillance. Anthropic does not currently offer commercial access to Claude in China or to subsidiaries of Chinese companies located outside of the country for security reasons.

Chinese state-sponsored APT actors have **dramatically escalated cyber operations against Taiwan and expanded into Southeast Asia**, with Taiwan’s National Security Bureau (NSB) reporting **960,620,609 intrusion attempts** in 2025—a **6% year-over-year increase** and **112.5% surge since 2023**. The **energy sector** faced a **tenfold spike in attacks**, while **emergency/hospital systems** saw a **54% rise**, including **ransomware deployments** disrupting operations in at least **20 hospitals** and stolen medical data sold on dark web forums. In **February 2026**, Singapore’s Cyber Security Agency (CSA) confirmed that **UNC3886**—a China-nexus APT group—executed a **deliberate cyber espionage campaign** against all four of Singapore’s major telecommunications operators (**M1, SIMBA Telecom, Singtel, StarHub**). The actors **weaponized a zero-day exploit** to bypass perimeter defenses, deployed **rootkits for persistence**, and exfiltrated **technical network data**, though no personal customer data was compromised. Singapore’s **Operation CYBER GUARDIAN**—the country’s **largest and longest-running anti-cyber threat effort**—successfully disrupted UNC3886’s access, engaged **over 100 investigators from six agencies**, and expanded monitoring to **banking, transport, and healthcare sectors** to prevent lateral movement. This campaign underscores the PRC’s **growing focus on Southeast Asian critical infrastructure** alongside its long-standing operations in Taiwan and North America. The campaigns, attributed to **BlackTech, Flax Typhoon, Mustang Panda, APT41, and UNC3886**, leverage **hardware/software vulnerabilities, DDoS, social engineering, and supply-chain compromises**, often correlating with **PLA military drills, political events, and visits by Taiwanese officials**. Taiwan’s NSB is now collaborating with **30+ countries** on joint investigations, while advisories from **CISA, NSA, and allies** warn of a shift from espionage to **potential disruptive capabilities**. Earlier phases targeted **U.S. government agencies (CBO, Treasury, CFIUS)**, **European telecoms**, and global critical infrastructure via exploits in **Cisco, Ivanti, Palo Alto, and Citrix devices**.

The Play ransomware group, tracked as Storm-2460, is using the PipeMagic backdoor to exploit CVE-2025-29824, a critical Windows Common Log File System (CLFS) elevation-of-privilege vulnerability. This flaw allows attackers to gain system-level privileges on compromised systems. The campaign targets various sectors across multiple geographies, including IT, financial, and real estate in the US, Europe, South America, and the Middle East. The backdoor mimics ChatGPT Desktop to evade detection and maintain persistence within infected systems. The vulnerability was patched in April, but unpatched systems remain at risk. Microsoft and Kaspersky have observed ongoing activity, with PipeMagic showing sustained interest in Saudi Arabian and Brazilian manufacturing sectors. The backdoor's modular design allows for updates and lateral movement within targeted networks. PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia. In 2024, threat actors exploited CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to Storm-2460.