Webworm multi-country targeting campaign against government and enterprise victims
Campaign
Summary
Hide ▲
Show ▼
Webworm is running a multi-country targeting campaign against government agencies and enterprises, expanding the risk of persistent access across several regions. The operation has been active since at least 2022 and continued into 2025, with victims spanning IT services, aerospace, and electric power. Its shift toward stealthier tooling and custom backdoors makes the campaign harder to detect and disrupt.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor Meta
H score26
First: 07.07.2026 17:00
Last: 07.07.2026 17:00
Sources 1
About this happening:
**Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor MetaAbout this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
Campaign
H score18
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
CL-STA-1062 Southeast Asia critical infrastructure campaign using TinyRCT
CampaignAbout this happening: A **China-linked** campaign by **CL-STA-1062** is targeting **government entities** and **critical infrastructure** across **Southeast Asia**, with activity reaching **state-owned...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
FishMonger multi-country government espionage campaign
Campaign
H score33
First: 16.06.2026 17:30
Last: 16.06.2026 17:30
Sources 1
About this happening:
**FishMonger** ran a **multi-country espionage campaign** against **government bodies** in **Honduras, Taiwan, Thailand and Pakistan** across **2023 and 2024**. The activity point...
FishMonger multi-country government espionage campaign
CampaignAbout this happening: **FishMonger** ran a **multi-country espionage campaign** against **government bodies** in **Honduras, Taiwan, Thailand and Pakistan** across **2023 and 2024**. The activity point...
Timeline
-
20.05.2026 15:51 2 articles · 1mo ago
Webworm multi-country targeting campaign against government and enterprise victims
Initial DisclosureThe campaign was first publicly documented in **September 2022** and was already assessed as active by that point. Early activity centered on **government agencies and enterprises** in **Russia**, **Georgia**, and **Mongolia**.
Show sources
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API — thehackernews.com — 20.05.2026 15:51