
Daily Cybersecurity Roundup, February 05, 2026

From fake voicemails to weaponized Office files, threat actors are getting creative. China-linked Mustang Panda (aka Bronze President or Earth Preta) is targeting diplomatic and geopolitical entities with tailored lures that culminate in the deployment of PlugX-based backdoors. At the same time, Russian state-sponsored APT28 is running a stealthy, multi-stage campaign exploiting the CVE-2026-21509 Microsoft Office flaw. A separate campaign leverages German-language fake voicemail notifications to trick victims into executing a disguised script that installs an RMM agent for persistent remote access. Keep reading for more.

01. The China-linked Mustang Panda (aka Bronze President/Earth Preta) threat actor has been observed targeting geopolitical and diplomatic entities with tailored lures that lead to the deployment of backdoors such as PlugX variants.

02. Russian state-linked APT28 is running a stealthy, multi-stage campaign leveraging the CVE-2026-21509 Office flaw with a chain of loaders and implants, including “BeardShell” and cloud-based C2 infrastructure.

03. The DragonForce RaaS cartel continues to deploy highly adaptable ransomware variants derived from LockBit/Conti code against critical infrastructure, enterprises, and MSP supply chains, combining double-extortion tactics with affiliate recruitment.

04. Researchers report that the SystemBC botnet is operating across more than 10,000 infected hosts (including servers) to relay traffic for broader malicious activity and to support pre-ransomware intrusions.

05. Researchers uncovered the DESCKVB RAT, a modular remote access Trojan using a multi-stage execution architecture and plugin ecosystem to broaden capabilities post-compromise.

06. A modular, three-stage Android malware campaign impersonating RTO/government services harvests sensitive data and conducts cryptomining and surveillance via staged APK installations delivered outside the Play Store.

07. A new campaign uses German-language fake voicemail notifications that trick victims into downloading and executing a disguised script that installs an RMM agent for persistent remote access.

08. The Amaranth Dragon cyberespionage group, linked to APT41, has been exploiting the CVE-2025-8088 WinRAR vulnerability to drop loaders and RAT payloads against Southeast Asian government and law enforcement targets.

09. A complex malvertising chain is redirecting users through compromised ads and script injections to eventually deploy malware and exploit victims via fake updates and bait content.

10. After exploiting React2Shell (CVE-2025-55182), attackers inject malicious NGINX configurations to intercept and redirect web traffic to attacker-controlled backends for malware delivery or credential capture.
