// #threat-intelligence
19 articles
Velvet Ant's Operation Highland: China-Nexus APT Spent a Decade Inside an Air-Gapped Network via Auth Stack Hijack
Sygnia researchers disclosed Operation Highland, a China-nexus espionage campaign in which the Velvet Ant threat group maintained persistent, undetected access to an air-gapped enterprise network from 2016 to 2026 by hijacking authentication infrastructure and bridging the isolation via a modified Nginx binary and GS-Netcat reverse shell. The case fundamentally challenges the security model of air-gapping as an isolation control.
Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed
New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.
VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances
China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. The implant uses HTTPS command and control via legitimate TLS certificates, survives reboots, and operates below enterprise EDR visibility.
China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting
A pattern documented across multiple China-nexus threat actors in 2025–2026 shows a deliberate move from Windows endpoint compromise toward Linux-based network appliances and BSD-running security devices. Network devices running proprietary Linux/BSD derivatives sit at the network edge with high-privilege routing access — and typically outside the enterprise's EDR coverage.
Verizon DBIR 2026: Vulnerability Exploitation Surpasses Phishing as Top Initial Access Vector — Enterprise Implications
Verizon's 2026 Data Breach Investigations Report, published mid-May, documents a structural shift in breach methodology: vulnerability exploitation has overtaken phishing as the most common initial access pathway in analysed breaches. The shift reflects a maturing attacker ecosystem that increasingly uses automated exploit delivery rather than requiring human interaction. Enterprise security programmes built around phishing awareness need recalibration.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising
Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.
Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days
Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.
Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks
Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
Trellix Confirms Source Code Repository Breach — Forensic Investigation Underway
Cybersecurity vendor Trellix has confirmed unauthorised access to an internal source code repository, with law enforcement notified and a forensic investigation ongoing. The breach raises concerns about potential weaponisation of security product internals against Trellix's enterprise customer base.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.
UNC6692 Abuses Microsoft Teams to Deliver SNOW Malware via IT Help Desk Vishing
Threat actor UNC6692 is impersonating IT help desk staff via Microsoft Teams to socially engineer victims into installing SNOW malware. The campaign exploits trusted internal communication channels where detection tooling is typically absent — immediate Teams external access policy review is recommended.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation
North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.
Handala Ransomware Surges to 23 Victims in March — Geopolitically-Motivated Wiper Threat Expands Beyond Israel
Handala ransomware claimed 23 victims in March 2026 — the group's most active month, accounting for more than half of its total 2026 activity to date. While predominantly targeting Israeli organisations with suspected IRGC ties, Handala has begun extending its reach into European financial services, healthcare, and utilities. The group deploys wiper functionality alongside ransomware, meaning recovery from an attack is frequently impossible even without a ransom payment.
Qilin Ransomware Posts Record 131 Victims in March — Third Consecutive Month Above 100
Qilin ransomware posted 131 confirmed victims in March 2026, its highest monthly total since emerging as a major ransomware-as-a-service operation. This marks three consecutive months above 100 victims — a sustained tempo that no tracked ransomware group has previously achieved. Healthcare, manufacturing, and professional services bear the heaviest burden, with the US accounting for half of all March ransomware victims across all groups.
Commentary tagged #threat-intelligence
Why China-Nexus Actors Are Targeting Network Appliances — and Why Your EDR Won't Tell You
The BRICKSTORM BSD variant developed by VerdantBamboo is not a technical curiosity. It is evidence of a deliberate strategic investment by China-nexus threat actors in precisely the attack surface that most enterprise security programmes cannot see. Appliance-targeting is not the path of least resistance — it is the path of least detection.
CipherWatch Editorial
Security Intelligence Platform
The Risk Calculus Changed Today
Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.
CipherWatch Editorial
Security Intelligence Platform
Seven Thousand Ransomware Victims in a Year and We're Still Surprised Every Time
Fortinet's 2026 threat landscape report documents 7,831 confirmed ransomware victims last year — nearly five times the 2024 figure. The industry will spend a week discussing what this means. Then a new disclosure will arrive, and the conversation will move on. The problem is not that we lack threat intelligence. The problem is that threat intelligence is not changing behaviour fast enough to matter.
CipherWatch Editorial
Security Intelligence Platform
AI Didn't Make Attackers Smarter — It Removed the Barrier That Was Keeping Them Small
DPRK's AI-generated npm malware campaign is not remarkable because AI made it more sophisticated. It's remarkable because AI let a small team produce something that would previously have required many more people to build and maintain. The scale constraint on supply chain attacks has just changed fundamentally.
CipherWatch Editorial
Security Intelligence Platform
The Threat Intelligence Report That Nobody Reads
Most organisations have a threat intelligence subscription. Fewer have a threat intelligence programme. The gap between the two is not a budget problem — it is a clarity problem about what intelligence is actually for, and it costs the industry significantly in both money and security posture.
CipherWatch Editorial
Security Intelligence Platform
Ransomware Has Industrialised — Your Response Strategy Probably Has Not
Qilin's 131 confirmed victims in March alone is not a spike — it is what a mature criminal enterprise operating at scale looks like. The ransomware ecosystem has industrialised completely, with dedicated development, HR, and affiliate management functions. Enterprise response strategies built for a different threat model are overdue for review.
CipherWatch Editorial
Security Intelligence Platform