RecordedFuture

RedNovember Targets Government, Defense, and Technology Organizations

RedNovember is now assessed to be a Chinese state-sponsored cyber-espionage group. Active between June 2024 and July 2025, the group has targeted high-profile government, intergovernmental, and private sector organizations globally.

CopyCop Deepens Its Playbook with New Websites and Targets

A Russian influence operation known as CopyCop has expanded its disinformation infrastructure in 2025, deploying over 300 websites to target democratic institutions and public opinion across the US, France, Canada, Germany, Armenia, and Moldova.

Analysis of TAG-140 Campaign and DRAT V2 Development Targeting Indian Government Organizations

A new Delphi-based variant of the DRAT remote access trojan, dubbed DRAT V2, has been deployed by TAG-140 (a subgroup of Transparent Tribe/APT36) in a campaign targeting Indian government entities.

GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

GrayAlpha, a threat actor overlapping with FIN7, has been observed deploying NetSupport RAT using diverse infection vectors and custom loaders. The group utilizes PowerNet, a PowerShell loader, and MaskBat.

Predator Spyware Resurgence: Insikt Group Exposes New Global Infrastructure

Researchers identified Predator-related infrastructure in multiple countries, including a new operator in Mozambique. Angola resumed operations in early 2025. A short-lived cluster was active from August to November 2024.

TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics

A Russia-aligned threat actor, TAG-110—linked to APT28 and UAC-0063—has launched a phishing campaign targeting Tajikistan’s government, academic, and research institutions.

Purchase Scam Network Exploits Brand Impersonation and Fraudulent Merchant Accounts to Defraud Victims

The network, active since at least February 2025, includes 71 scam domains and 12 merchant accounts, posing significant financial and compliance risks to card issuers and merchant acquirers.
