Operations & Campaigns
Explore documented attack campaigns, coordinated threat actor operations, and the geopolitical dynamics behind them.
-
Malicious npm package posing as OpenClaw installer deploys RAT, steals macOS credentials
Researchers say a malicious npm package named @openclaw-ai/openclawai masqueraded as an OpenClaw installer, deployed a remote access trojan, and stole sensitive data from macOS systems after being uploaded by a user named openclaw-ai on March 3, 2026.
-
APT28 used BEARDSHELL and COVENANT to spy on Ukrainian military personnel
ESET says the Russian state-sponsored group APT28 has used two implants called BEARDSHELL and COVENANT since April 2024 to conduct long-term surveillance of Ukrainian military personnel.
-
Iran-linked MuddyWater targets U.S. networks with new Dindoor backdoor
Broadcom’s Symantec and Carbon Black Threat Hunter Team say the Iran-linked MuddyWater group embedded itself inside several U.S. organizations, including banks, airports, a non-profit, and the Israeli arm of a software company, using a newly identified backdoor named Dindoor.
-
China-linked UAT-9244 used TernDoor, PeerTime, and BruteEntry in South American telecom attacks
Cisco Talos says China-linked threat actor UAT-9244 has targeted telecommunications providers in South America since 2024, using the TernDoor, PeerTime, and BruteEntry implants across Windows, Linux, and edge devices in a campaign it says is closely associated with FamousSparrow.
-
Aeternum C2 Botnet Abuses Polygon Blockchain to Hide Malware Commands and Evade Takedowns
Security researchers have uncovered a new botnet loader called Aeternum C2 that stores encrypted command-and-control instructions on the Polygon blockchain, making traditional takedown efforts significantly harder and signaling a new evolution in resilient malware infrastructure.
-
UAT-10027 Targets U.S. Healthcare with Dohdoor Malware Using DoH C2
Researchers have uncovered a previously undocumented cyber campaign tracked as UAT-10027 targeting U.S. healthcare and education organizations with a new backdoor called Dohdoor that uses DNS-over-HTTPS to evade detection and deploy Cobalt Strike beacons.
-
CyberStrikeAI: Chinese-Linked AI Attack Platform Compromises 600+ FortiGate Devices Across 55 Countries
An open-source AI-native offensive security tool called CyberStrikeAI, developed by a Chinese coder with ties to the Ministry of State Security, has been deployed by a Russian-speaking threat actor to compromise over 600 FortiGate appliances across 55 countries. Team Cymru tracked 21 unique servers running the platform, revealing a sharp acceleration in AI-augmented offensive cyber…
-
Iranian Revolution 2026: Complete Intelligence Briefing — Protests, War, Cyber Operations, and the Fall of Khamenei
Comprehensive intelligence briefing on the Iranian Revolution of 2026 — from the December 2025 protest eruption and regime massacres, through Operation Epic Fury and Operation Roaring Lion, the assassination of Khamenei, the Strait of Hormuz crisis, five Iranian cyber threat clusters, AWS data center strikes, and the global fallout. Continuously updated. Last updated March 3,…
-
Critical Ivanti Vulnerability Exploited Since Last Summer in Attacks
Critical Ivanti EPMM vulnerability actively exploited since last summer.
-
D-Knife Spyware: China-Linked APT Hijacks Routers for Cyber Espionage
Unveiling the D-Knife spyware campaign, a sophisticated China-linked APT operation hijacking internet routers for persistent surveillance and data exfiltration. Discover its techni