The Confucius hacking group has significantly evolved its attack methodologies over the past year, transitioning from document stealers like WooperStealer to sophisticated Python-based backdoors including AnonDoor malware.

A widespread extortion campaign is targeting Oracle customers with emails claiming data theft from Oracle’s E-Business Suite. The emails are allegedly linked to the Clop ransomware group.

Threat actors are increasingly adopting stealthy and unconventional techniques inspired by the Chinese APT group Salt Typhoon, which previously infiltrated major telecommunications providers.

Turla has been known for deploying stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations. These activities suggest a strategic alignment between the two groups to enhance operational effectiveness.

APT28 (aka Fancy Bear, Sofacy, Sednit) has launched a sophisticated cyber-espionage campaign dubbed "Phantom Net Voxel," combining steganography, cloud-based command-and-control (C2), and modular implants.

A Russian influence operation known as CopyCop has expanded its disinformation infrastructure in 2025, deploying over 300 websites to target democratic institutions and public opinion across the US, France, Canada, Germany, Armenia, and Moldova.

GOLD SALEM, also known as the Warlock Group, is an emerging ransomware threat actor active since March. The group has targeted a wide range of organizations across North America, Europe, and South America, deploying its Warlock ransomware.

A China-based advanced persistent threat (APT) group is actively targeting military organizations in the Asia-Pacific region, particularly the Philippines, using a newly discovered fileless malware framework named EggStreme.

A set of 45 previously unreported domains linked to the China-affiliated threat actors Salt Typhoon and UNC4841 has been uncovered, revealing a longstanding cyber espionage campaign dating back to May 2020.

Lazarus hackers exploited a zero-day vulnerability to deploy three custom RATs targeting financial and cryptocurrency firms. The attack chain included social engineering, exploitation, discovery, and next-stage deployment.