Utopia Tech
▸ Engineering & Strategy Journal

Field notes from the edge.

What our engineers learned this week. Hands-on technical deep-dives, postmortems, and strategy frameworks.

Security

OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack

The Vietnam-aligned threat actor OceanLotus has conducted two cyber espionage campaigns targeting Vietnamese infrastructure companies and stock investors using the SPECTRALVIPER backdoor. The attacks include a prolonged operation against a Vietnamese construction corporation spanning mid-2024 to February 2026, alongside a separate supply chain attack targeting investors.

Utopia Tech · 1 min
Security

WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine

Two Russia-aligned threat groups, Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), continue to exploit a patched WinRAR vulnerability (CVE-2025-8088) to target Ukrainian organizations nearly a year after fixes were released. The campaigns leverage a path traversal flaw to deploy information-stealing malware against Ukrainian entities, demonstrating persistent targeting despite available sec

Utopia Tech · 1 min
Security

New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework

A newly identified threat cluster designated OP-512 has been discovered targeting Microsoft IIS servers with a custom web shell framework for espionage purposes. ReliaQuest researchers assess with moderate to high confidence that the activity is linked to China-based threat actors, representing a significant risk to organizations running IIS infrastructure.

Utopia Tech · 1 min
Security

China's TA4922 Expands Cybercrime Attacks Globally

Chinese cybercrime group TA4922, characterized by its diverse and unfocused attack methodology, is expanding its operations beyond its traditional East Asian targets to establish a global presence. This expansion represents a significant shift in the threat landscape as the group broadens its geographic scope and potential victim base.

Utopia Tech · 1 min
Security

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months

Cybercriminals conducted a sophisticated five-month espionage operation targeting a senior executive at a major global stock exchange, exfiltrating email data through legitimate cloud services like Dropbox and OneDrive to evade detection. The attackers used small, repeated data transfers that mimicked normal cloud traffic patterns, demonstrating advanced tradecraft focused on intelligence gatherin

Utopia Tech · 1 min
Security

Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT

The Pakistan-aligned threat actor SideCopy has launched a targeted spear-phishing campaign against Afghanistan's Ministry of Finance, deploying the open-source Xeno RAT malware. The attack vector involves a ZIP archive containing a malicious LNK file with a Pashto-language filename designed to deceive targets into execution.

Utopia Tech · 1 min
Security

China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan

A cyber espionage campaign called Operation Dragon Weave, attributed to China-aligned threat actors, is targeting government, research, academic, technology, and financial services organizations in the Czech Republic and Taiwan. The campaign uses spear-phishing emails with ZIP attachments to deliver the AdaptixC2 agent, enabling remote access and surveillance capabilities.

Utopia Tech · 1 min
Security

Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels

North Korean state-sponsored threat group Kimsuky has launched targeted cyber attacks against South Korean military and corporate organizations during March-April 2026. The campaign employs sophisticated social engineering techniques including spoofed security software pages and fake Webex meeting interfaces to deliver malware including HTTPSpy, HelloDoor, and VS Code tunnels.

Utopia Tech · 1 min
Security

MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

Iranian threat actor MuddyWater conducted a sophisticated espionage campaign in Q1 2026, targeting at least nine organizations across nine countries and four continents using DLL side-loading techniques. The campaign focused on critical sectors including industrial manufacturing, education, public sector, financial services, and professional services, according to research from Symantec and Carbon

Utopia Tech · 1 min
Security

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack

Iranian state-sponsored threat actor MuddyWater conducted a false flag ransomware attack in early 2026, using Microsoft Teams as the initial attack vector through social engineering techniques. Rapid7 identified this operation, which represents a concerning evolution in nation-state tactics that disguise espionage activities as financially motivated cybercrime.

Utopia Tech · 1 min