Campaigns

Threat actor campaigns, intrusion sets, and coordinated attack activity.

27 items

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

INC Ransomware Expands Oceania Healthcare Targeting, Signals Regional Focus Shift

INC ransomware group is conducting sustained attacks against healthcare infrastructure across Australia, New Zealand, and Tonga, disrupting emergency services and government operations. This regional concentration indicates either a deliberate geographic pivot or emerging local infection vectors.

12 March 2026Australian Government Agencies, New Zealand Healthcare Facilities, Emergency Clinics (Oceania) +1

highCampaignActive

Social Engineering Campaign Targets Developer Credentials via Fake Recruitment – Supply Chain Risk Vector

Threat actors execute a sophisticated social engineering campaign impersonating recruiters from crypto and AI companies, delivering backdoors (OtterCookie, FlexibleFerret) through fake coding assessments to steal developer credentials, API tokens, and source code. This represents a high-impact supply chain attack vector targeting a critical workforce demographic.

12 March 2026Software developers, Crypto industry, AI/ML companies +1

criticalCampaignActive

Convergence of State and Commercial Exploit arsenals reveals systemic zero-day vulnerability ecosystem

Google TAG documented APT29 (Russian state-backed group) using identical exploits to commercial surveillance vendors Intellexa and NSO Group, indicating either shared vulnerability intelligence networks, exploit procurement chains, or concerning overlap in offensive capabilities between state and commercial actors.

11 March 2026APT29 (Cozy Bear), NSO Group, Intellexa +1

criticalCampaignActive

State-Sponsored IoT Exploitation: Israeli Targeting of Iranian Critical Infrastructure via Traffic Camera Network

Israel allegedly exploited Iranian traffic camera systems to conduct surveillance and assist in targeted assassination of Iranian leadership. This demonstrates advanced state-actor capability to weaponize civilian IoT infrastructure for kinetic operations.

11 March 2026Iranian traffic camera network, IoT/CCTV infrastructure, Critical infrastructure (transportation)

criticalCampaignEmerging

AI Exploitation in Cyberattacks: Escalation of Threat Actor Capabilities

Hackers are increasingly leveraging artificial intelligence (AI) to enhance and accelerate cyberattacks, making them more sophisticated, scalable, and harder to detect. This trend poses a significant risk to organizations as AI tools lower the technical barriers for attackers.

8 March 2026Microsoft, All industries

criticalCampaignActive

Phishing Campaign Targets LastPass Users with Fake Support Emails

Attackers are sending fake LastPass support emails to steal user vault passwords, posing a critical security risk.

5 March 2026LastPass

highCampaignEmerging

UK Warns of Escalating Iranian Cyber Threats Amid Regional Tensions

UK authorities warn of increased Iranian cyberattack risks targeting British organizations due to Middle East tensions.

3 March 2026

criticalCampaignActive

Cyberstalking and Extortion Ring Targets Hundreds of Women

A 22-year-old Alabama man has pleaded guilty to hacking, cyberstalking, and extorting hundreds of women by hijacking their social media accounts.

3 March 2026Social Media Platforms (Unknown specific vendor)

criticalCampaignActive

Phishing Campaign Exploits Fake Google Security Page with PWA for Credential Theft

Attackers are using a fake Google Account security page to deliver a Progressive Web App (PWA) that steals credentials, MFA codes, and proxies traffic through victims' browsers. This campaign poses a significant risk due to its ability to bypass multi-factor authentication.

3 March 2026Google Users

highCampaignActive

Europol Disrupts Child-Targeted Cybercrime Group The Com

Europol's Project Compass operation has led to the arrest of 30 individuals linked to The Com, a cybercrime group targeting children and teenagers. This coordinated international effort highlights the growing threat of child-targeted online exploitation.

28 February 2026

highCampaignActive

Chinese State-Sponsored Espionage Campaign Targets Telecom and Government Networks

Chinese cyberspies have breached multiple telecom companies and government agencies using SaaS API calls to hide malicious traffic, indicating a sophisticated state-sponsored espionage campaign.

26 February 2026Telecommunications companies, Government agencies

criticalCampaignActive

Fake Next.js Job Interview Tests Exploit Developers' Devices

Attackers created malicious GitHub repositories mimicking legitimate Next.js projects and job interview materials to infect developers' devices with backdoors.

26 February 2026Next.js developers, GitHub users

highCampaignActive

Spain Targets Hacktivist Group in Government DDoS Campaign

Spanish authorities arrested four individuals linked to a hacktivist group suspected of conducting DDoS attacks on government websites, highlighting the growing threat of hacktivism against critical infrastructure.

24 February 2026Spanish government ministries, public institutions

highCampaignActive

Ransomware Attack Shuts Down Major US School District Systems

A ransomware attack forced one of the largest US school districts to cancel classes and revert to offline operations, exposing student and staff personal data and highlighting the continued targeting of education.

20 January 2026US public school district, students, staff +1

highCampaignResolved

Major Cloud Provider Suffers Multi-Region Outage Due to Configuration Error

A misconfigured identity management update at a major cloud provider caused a cascading multi-region outage lasting over 12 hours, affecting thousands of businesses and highlighting cloud concentration risk.

15 December 2025Cloud service consumers, SaaS providers

criticalCampaignActive

Chinese Salt Typhoon Telecom Breaches Expand to Additional Carriers

US intelligence agencies revealed that the Chinese state-sponsored Salt Typhoon campaign has expanded beyond the initially reported telecom carriers, with evidence of persistent access in additional US and allied nation telecommunications networks.

17 November 2025US telecommunications providers, allied nation telecom networks

highCampaignActive

Ransomware Attack Disrupts Major US Hospital Network Operations

A ransomware attack forced a major US hospital network to divert ambulances and revert to paper records across multiple facilities, the largest healthcare disruption since the Change Healthcare incident.

20 September 2025US hospital network, healthcare patients

criticalCampaignActive

Volt Typhoon Pre-Positions in US Critical Infrastructure Water Systems

US intelligence agencies released a joint advisory warning that Chinese state-sponsored group Volt Typhoon has expanded pre-positioning operations to water treatment facilities, maintaining persistent access for potential disruptive attacks.

22 August 2025US water treatment facilities, US critical infrastructure

highCampaignActive

Massive Data Breach at US Health Insurance Provider Exposes 15 Million Records

A major US health insurance provider confirmed a data breach affecting approximately 15 million current and former members, with stolen data including Social Security numbers, medical records, and financial information.

18 July 2025US healthcare consumers, health insurance members

highCampaignActive

Coinbase Discloses Breach After Employees Bribed to Steal Customer Data

Coinbase revealed that threat actors bribed overseas customer support contractors to exfiltrate personal data of roughly 1% of monthly transacting users, then demanded a $20 million ransom.

19 May 2025Coinbase, Coinbase customers

mediumCampaignContained

4chan Breached and Taken Offline After Source Code and Data Leak

The imageboard 4chan was breached and taken offline after attackers exploited an outdated PHP installation, leaking source code, moderator information, and internal tools.

15 April 20254chan platform, moderators, registered users

highCampaignActive

Fortinet Devices Found With Persistent Backdoors Surviving Patches

Threat actors maintained persistent read-only access to Fortinet FortiGate devices through symlinks in the SSL-VPN language files, surviving firmware updates and patches applied by defenders.

3 April 2025Fortinet FortiGate devices with SSL-VPN enabled

mediumCampaignActive

Orange Group Confirms Data Breach After Hacker Leaks Internal Documents

French telecommunications giant Orange confirmed a data breach after a threat actor leaked thousands of internal documents, source code, and customer records from the company's Romanian branch.

25 February 2025Orange Group, Orange Romania customers

criticalCampaignActive

Bybit Cryptocurrency Exchange Suffers Record-Breaking $1.5 Billion Theft

Cryptocurrency exchange Bybit lost approximately $1.5 billion in Ethereum from a cold wallet, in what is believed to be the largest cryptocurrency theft in history, attributed to North Korean state-sponsored hackers.

21 February 2025Bybit exchange, Ethereum ecosystem

highCampaignActive

Juniper Routers Targeted by Mirai Botnet Campaign Using Default Credentials

A Mirai botnet variant is actively scanning for and compromising Juniper SSR routers that still use factory-default credentials, incorporating them into DDoS infrastructure.

22 January 2025Juniper Session Smart Router (SSR)

highCampaignActive

PowerSchool Data Breach Exposes Student and Staff Records Across School Districts

Education technology giant PowerSchool suffered a major data breach exposing personal information of students and staff across numerous K-12 school districts in North America.

17 January 2025PowerSchool SIS customers, K-12 school districts in US and Canada

highCampaignActive

State-Sponsored Chinese Actors Compromise U.S. Treasury Office

Chinese state-backed hackers breached the Office of Foreign Assets Control (OFAC), potentially gaining access to sensitive sanctions-related data.

2 January 2025U.S. Treasury Department's Office of Foreign Assets Control