Daily Cybersecurity Roundup, February 09, 2026

From quiet surveillance to loud extortion, threat actors are operating across the full spectrum of cyber aggression. An unidentified state-backed adversary is running long-running Shadow espionage campaigns spanning 155 countries, relying on stealthy malware, credential harvesting, and lateral movement. In a similar vein, the TGR-STA-1030 group has been actively pursuing targeted espionage operations using custom backdoors and carefully crafted spear-phishing lures against high-value strategic sectors. Meanwhile, the Black Basta ransomware operation is escalating its impact by abusing Bring Your Own Vulnerable Driver (BYOVD) techniques to neutralize security defenses. Continue reading for more cybersecurity updates.

01. An unidentified state-backed threat actor is conducting long-running Shadow espionage operations targeting organizations across 155 countries, using stealthy malware, credential theft, and lateral movement to maintain persistent intelligence access.

02. The TGR-STA-1030 threat group, linked to an Asian state-sponsored actor, has been observed conducting targeted cyber-espionage campaigns using custom backdoors and spear-phishing lures against strategic sectors.

03. The Cyclone and Vortex threat clusters, linked to Werewolf-style operations, are conducting coordinated phishing and malware campaigns against Russian organizations to steal data and deploy remote access tools.

04. The Black Basta ransomware group is leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security controls, escalate privileges, and deploy ransomware payloads more effectively.

05. A new ransomware group dubbed TeamPcp, linked to former TeamTNT operators, is targeting cloud-native and containerized environments, encrypting workloads and stealing cloud credentials for extortion.

06. KNIFE, a stealthy malware framework, has been designed to compromise edge and networking devices, enabling traffic interception, command execution, and long-term persistence in enterprise environments.

07. Malicious actors published trojanized dydx-named packages on npm and PyPI, embedding credential stealers and backdoors to compromise developer environments via supply chain attacks.

08. Cloudflare’s Q4 2025 DDoS Threat Report highlights a sharp rise in hyper-volumetric and application-layer DDoS attacks, driven by botnets, geopolitical tensions, and attack commoditization.

09. APT groups operating in the APAC region are increasingly industrializing intrusions by reusing tooling, infrastructure, and access brokers to scale espionage and financially motivated attacks.

10. BeyondTrust fixed a critical pre-authentication RCE vulnerability (CVE-2026-1731) that could allow unauthenticated attackers to fully compromise privileged access management systems.