All Intelligence

Campaigns

Threat actor campaigns, intrusion sets, and coordinated attack activity.

81 items

critical | Campaign | Active

UNC6671's BlackFile Campaign: Vishing and AiTM as a Vector to Cloud Extortion at Scale

UNC6671 operates BlackFile, an extortion campaign using sophisticated vishing and adversary-in-the-middle techniques to bypass MFA and compromise Microsoft 365 and Okta environments, exfiltrating corporate data for extortion. The attack chain circumvents traditional perimeter defences by targeting human authentication vectors rather than technical infrastructure.

Microsoft 365, Okta, Cloud environments
medium | Campaign | Active

Aggregated Security Digest: Multiple Vectors from Cloud Gaming Breaches to Legislative Pressure

SecurityWeek reports on multiple concurrent security issues including an Nvidia cloud gaming data breach, Canvas LMS compromise by ShinyHunters following FBI warning, Android 17 hardening, and automotive/enterprise vulnerabilities. The clustering suggests defenders face distributed pressure across consumer, educational, and enterprise sectors.

Nvidia, Canvas LMS, Android +2
high | Campaign | Active

Chinese-linked FamousSparrow expands targeting to Azerbaijani energy sector via Microsoft Exchange exploitation

A Chinese-affiliated threat actor designated FamousSparrow conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities as an initial access vector. This represents a notable shift in the group's targeting geography and suggests persistent interest in critical infrastructure.

Microsoft Exchange, Azerbaijani oil and gas sector
high | Campaign | Active

Sustained Multi-Sector Phishing Campaign Targets 500+ Organisations Across Critical Infrastructure

A years-long phishing campaign has compromised over 500 organisations across aviation, energy, infrastructure, logistics, public administration, and technology sectors. The extended campaign duration and cross-sector targeting suggest either a sophisticated threat actor or multiple coordinated groups with sustained operational capability.

Aviation sector organisations, Critical infrastructure operators, Energy sector organisations +3
high | Campaign | Contained

Juvenile actor breaches French administrative identity system, highlighting insider threat and data commodification risks

A 15-year-old was detained for allegedly stealing and selling data from France Titres (ANTS), the agency managing national identity and administrative documents. The incident demonstrates how young threat actors with technical capability can compromise high-value government systems and monetise sensitive personal data.

France Titres (ANTS), French Ministry of Interior
high | Campaign | Active

Scattered Spider operator arrested in Finland: implications for distributed social engineering campaigns

A 19-year-old dual US-Estonian national arrested in Finland faces federal charges for membership in Scattered Spider, a prolific collective known for social engineering and financial fraud targeting critical sectors. The arrest demonstrates law enforcement coordination across jurisdictions but does not significantly disrupt the group's operational capacity.

Financial services, Technology sectors, Healthcare organisations
high | Campaign | Active

GopherWhisper's Go-Based Backdoor Infrastructure Signals Shift Toward Living-Off-The-Land Tactics in Chinese State Espionage

A China-linked APT group identified as GopherWhisper is conducting targeted campaigns against government entities using multiple Go-based backdoors combined with legitimate service abuse to evade detection. The group's reliance on custom loaders and injectors suggests a maturing operational capability focused on persistence and evasion.

Government agencies (specific sectors not disclosed)
high | Campaign | Active

BlackFile extortion gang weaponises vishing at scale against retail and hospitality

BlackFile, a financially motivated threat actor, has orchestrated a coordinated campaign of data theft and extortion attacks against retail and hospitality organisations since February 2026, combining social engineering with data exfiltration. The group's use of vishing as a primary attack vector suggests a shift toward human-centric compromise rather than technical vulnerability exploitation.

Retail sector organisations, Hospitality sector organisations
high | Campaign | Active

Teams as attack surface: threat actors weaponise Microsoft's collaboration platform for helpdesk impersonation and lateral movement

Microsoft has observed threat actors increasingly abusing external Teams channels to impersonate helpdesk staff, deceive users into credential disclosure, and establish footholds for lateral movement within enterprise networks. The attack exploits Teams' legitimacy and ubiquity to bypass social engineering defences.

Microsoft Teams, Enterprise organisations using Microsoft 365
high | Campaign | Active

Gentlemen ransomware gang escalates infrastructure through SystemBC botnet integration

Gentlemen ransomware operators have integrated SystemBC proxy malware into their attack chain, leveraging a botnet of over 1,570 corporate hosts to obfuscate command-and-control communications and expand operational resilience. This represents a maturation of the gang's infrastructure and signals they are adopting commodity malware to increase attack surface.

Corporate networks (estimated 1,570+ victims)
high | Campaign | Active

MSP sector faces escalating phishing-driven attacks; incident response strategies lag behind threat evolution

Phishing remains the primary attack vector for most cybercriminals, and managed service providers are struggling to implement integrated security and recovery strategies proportionate to current threat velocity. MSPs must evolve beyond reactive patching to include workable incident response and business continuity frameworks.

Managed Service Providers (MSPs), Corporate clients of MSPs
high | Campaign | Active

Underground Carding Networks Standardise Vendor Vetting: Operationalising Trust in Stolen Payment Data Markets

Cybercrime forums now circulate structured guides teaching threat actors how to evaluate carding shops through data quality metrics, seller reputation scoring, and shop longevity assessment. This professionalisation of underground marketplaces reduces friction in stolen payment data transactions and increases the operational security of organised crime networks.

Payment card holders, Financial institutions, Carding shop operators
high | Campaign | Active

Operation PowerOFF disrupts DDoS-for-hire ecosystem, exposing 75,000 botnet operators across 21 countries

Law enforcement and private sector security research identified and disrupted 75,000 DDoS botnet operators and took down 53 infrastructure domains in a coordinated operation spanning 21 countries. This represents significant progress against organised DDoS-as-a-service providers but signals the need for sustained pressure on the ecosystem.

DDoS-for-hire operators, Botnet infrastructure
high | Campaign | Resolved

German Law Enforcement Unmasks REvil and GandCrab Operator: Attribution and the Limits of Operational Security

German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the operator behind the REvil and GandCrab ransomware groups. The disclosure represents a significant attribution success but raises questions about law enforcement coordination and timing given the geopolitical context.

REvil victims (2019-2021), GandCrab victims (2019-2021), German organisations (130+ incidents)
critical | Campaign | Contained

Six-month DPRK social engineering campaign nets $285M from Drift DEX, exposing sustained targeting of crypto infrastructure

North Korean threat actors conducted a methodical six-month social engineering operation against Drift, a Solana-based decentralised exchange, culminating in a $285 million theft in April 2026. The campaign demonstrates DPRK's shift toward patient, targeted infiltration of high-value cryptocurrency platforms rather than opportunistic attacks.

Drift (Solana DEX)
critical | Campaign | Active

Automated credential harvesting via React2Shell exploitation in Next.js applications represents shift toward industrialised supply-chain attacks

Threat actors are conducting large-scale automated attacks exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This represents a shift from opportunistic patching cycles to industrialised credential theft targeting the JavaScript framework ecosystem.

CVE-2025-55182
Next.js, React applications
high | Campaign | Contained

Operation Alice dismantles 373K fake CSAM scam infrastructure, exposing predatory fraud economy

International law enforcement shut down 373,000 dark web sites distributing fake child sexual abuse material (CSAM) packages, disrupting a fraud scheme that preyed on would-be offenders seeking illegal content by defrauding them. This represents a significant takedown of deceptive criminal commerce infrastructure.

Dark web marketplaces, Tor infrastructure, Anonymous payment systems
high | Campaign | Active

Russian Intelligence Phishing Campaign Targets CMA User Accounts - Encryption Circumvention Through Social Engineering

Russian intelligence services are conducting widespread phishing campaigns targeting commercial messaging application accounts of U.S. government officials, military personnel, and journalists. Attackers have successfully compromised thousands of individual accounts to access messages and contact lists, demonstrating a shift from targeting application encryption to exploiting user-level account security.

Commercial Messaging Applications (generic - specific vendors not named in excerpt), Current and former U.S. government officials, U.S. military personnel +2
critical | Campaign | Contained

Destructive Microsoft Entra-based attack on Stryker demonstrates cloud identity compromise as primary attack vector for device-level destruction

Stryker suffered a destructive cyberattack that remotely wiped tens of thousands of employee devices through compromised Microsoft cloud credentials, requiring no malware payload and leveraging legitimate administrative access to cloud infrastructure.

Stryker Corporation, Microsoft Entra (Azure AD), Intune or similar MDM platforms
high | Campaign | Contained

Opportunistic Probing of Critical Infrastructure: Poland's Nuclear Research Centre Targeted in Broader Campaign

Poland's National Centre for Nuclear Research (NCBJ) was targeted by cyberattackers who attempted to compromise its IT infrastructure, but intrusion detection systems successfully identified and blocked the attack before any material impact occurred. This incident underscores persistent adversarial interest in critical infrastructure sectors, particularly those with strategic national importance.

National Centre for Nuclear Research (NCBJ), Polish Critical Infrastructure
critical | Campaign | Active

INC Ransomware Expands Oceania Healthcare Targeting, Signals Regional Focus Shift

INC ransomware group is conducting sustained attacks against healthcare infrastructure across Australia, New Zealand, and Tonga, disrupting emergency services and government operations. This regional concentration indicates either a deliberate geographic pivot or emerging local infection vectors.

Australian Government Agencies, New Zealand Healthcare Facilities, Emergency Clinics (Oceania) +1
high | Campaign | Active

Social Engineering Campaign Targets Developer Credentials via Fake Recruitment – Supply Chain Risk Vector

Threat actors execute a sophisticated social engineering campaign impersonating recruiters from crypto and AI companies, delivering backdoors (OtterCookie, FlexibleFerret) through fake coding assessments to steal developer credentials, API tokens, and source code. This represents a high-impact supply chain attack vector targeting a critical workforce demographic.

Software developers, Crypto industry, AI/ML companies +1
critical | Campaign | Active

State-Sponsored IoT Exploitation: Israeli Targeting of Iranian Critical Infrastructure via Traffic Camera Network

Israel allegedly exploited Iranian traffic camera systems to conduct surveillance and assist in the targeted assassination of Iranian leadership. This demonstrates advanced state-actor capability to weaponise civilian IoT infrastructure for kinetic operations.

Iranian traffic camera network, IoT/CCTV infrastructure, Critical infrastructure (transportation)