UINAT

APT

10 articles tagged with "APT".

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns

Check Point Research documents a new threat cluster weaponizing CVE-2025-8088 within days of disclosure to target government and law enforcement agencies across Cambodia, Thailand, the Philippines, and neighboring countries.

February 4, 2026 | APT, China, Amaranth-Dragon

Notepad++ Update Mechanism Hijacked by Chinese Threat Actors to Deliver Malware

Lotus Blossom APT compromised Notepad++'s hosting provider to intercept update traffic and deliver the Chrysalis backdoor to targeted government and financial organizations over a six-month period.

February 2, 2026 | supply chain, malware, China

WinRAR Vulnerability Still Widely Exploited by Nation-State and Cybercrime Groups

CVE-2025-8088 (CVSS 8.8), a path traversal flaw abusing Windows Alternate Data Streams, continues to be exploited by Russian APTs, Chinese actors, and cybercriminals to achieve persistence via Startup folder drops.

February 2, 2026 | WinRAR, CVE-2025-8088, APT

RedKitten: Iran-Linked Group Targets Human Rights NGOs With AI-Written Macros

HarfangLab uncovered an Iran-linked campaign using AI-generated Office macros and the SloppyMIO backdoor to target activists documenting human rights violations during Iran's 2025-2026 protests.

January 31, 2026 | APT, Iran, espionage

China-Linked Mustang Panda Deploys Updated COOLCLIENT Backdoor Against Governments

APT group targets government entities across Southeast Asia with enhanced malware featuring clipboard monitoring, browser credential theft, and kernel-mode rootkit capabilities.

January 27, 2026 | APT, China, Mustang Panda

Salt Typhoon: Inside the Worst Telecom Hack in US History

Chinese state-sponsored hackers compromised nine major US telecommunications carriers throughout 2024, accessing wiretap systems, call metadata for over a million users, and communications of presidential campaign staff.

January 17, 2026 | Salt Typhoon, China, telecom

Volt Typhoon Discovered Pre-Positioned in Additional US Critical Infrastructure Sectors

Joint CISA/NSA/FBI advisory reveals Chinese state-sponsored group Volt Typhoon has expanded persistent access into US water, energy, and transportation infrastructure, maintaining dormant footholds for 12-18 months undetected.

January 12, 2026 | Volt Typhoon, China, critical infrastructure

Russia's Fancy Bear APT Runs Low-Cost Credential Harvesting Campaign Against Global Targets

APT28 targets energy, defense, and policy organizations in Turkey, the Balkans, and Central Asia with phishing campaigns using legitimate PDFs from real think tanks and free hosting infrastructure.

January 9, 2026 | APT, Russia, Fancy Bear

Chinese Hackers Exploited VMware ESXi Zero-Days a Year Before Disclosure

Huntress discovered a Chinese-linked exploit toolkit (MAESTRO) targeting VMware ESXi that was built in February 2024—a year before VMware disclosed CVE-2025-22224. Over 30,000 instances remain exposed.

January 9, 2026 | VMware, ESXi, zero-day

Iranian MuddyWater APT Deploys New Rust-Based 'RustyWater' Implant

CloudSEK analysis reveals MuddyWater's upgraded toolkit targeting diplomatic, maritime, financial, and telecom entities across the Middle East with Rust-based malware featuring advanced evasion techniques.

January 8, 2026 | APT, Iran, MuddyWater
UPDATED 2026-02-06