State-Sponsored Cyber Espionage Targeting Defense and Critical Infrastructure
Google Threat Intelligence Group (GTIG) reported that the defense industrial base (DIB) is under sustained, multi-vector pressure from state-backed and aligned actors seeking to steal sensitive military technology, disrupt supply chains, and undermine national security. The report highlights Russian-linked activity focused on unmanned aircraft systems (UAS) and other emerging technologies, including TEMP.Vermin using drone-themed lures to deliver malware and APT44 (Sandworm/GRU) targeting military personnel devices with tooling such as INFAMOUSCHISEL to harvest data from battlefield-related applications; it also notes some Russian operators are using LLMs to improve reconnaissance and social-engineering effectiveness. GTIG also describes North Korea’s continued use of IT-worker/insider placement to generate revenue and access within Western organizations.
Separately, reporting on Transparent Tribe (APT36) describes ongoing espionage campaigns against Indian government and defense targets across Windows and Linux, including spear-phishing that deploys Geta RAT and execution chains abusing legitimate Windows components (e.g., mshta.exe) and XAML deserialization for evasion, alongside a shift toward more mature Linux tooling and persistence. A third report (Picus Labs’ Red Report) is broader trend research rather than a specific incident, claiming ransomware encryption is declining while “sleeperware”/dormant extortion tradecraft is rising based on ATT&CK technique prevalence across large-scale simulation and telemetry; it does not materially add to the defense-sector espionage narrative beyond general attacker TTP trends.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
GTIG notes rise in hacktivist DDoS and hack-and-leak attacks on defense targets
The report also observed increased geopolitically motivated hacktivism, including pro-Russia and pro-Iran groups conducting DDoS and hack-and-leak operations against defense-related organizations. This added a disruptive and public-facing layer to the threat landscape affecting the sector.
GTIG says China-nexus groups intensify edge-device exploitation in DIB
According to GTIG, China-linked groups were the most active threat to the defense industrial base by volume and increasingly exploited VPNs, firewalls, routers, and multiple zero-day vulnerabilities. Their goal was to gain durable access into supply-chain 'central nodes' that could provide broader downstream reach.
GTIG identifies DPRK fake remote workers as defense-sector insider threat
The report described North Korean operations in which DPRK IT workers pose as remote employees to infiltrate defense contractors. These efforts were used to generate revenue and potentially collect intelligence from within targeted organizations.
GTIG details Russia-linked targeting of Western defense and drone ecosystems
The GTIG report highlighted Russia-linked activity tied to the war in Ukraine, including attacks on Western defense entities and military personnel devices. It emphasized operations focused on unmanned aircraft systems and theft of battlefield-related data.
Google Threat Intelligence Group reports sustained pressure on defense industrial base
Google Threat Intelligence Group published a report describing the defense industrial base as under constant multi-vector pressure from state-sponsored actors and criminal groups seeking military technology, supply-chain access, and disruption opportunities. The report framed the threat as broad and ongoing across cyber espionage, intrusion, and disruptive activity.
Malicious PowerPoint Add-Ins distribute emerging Desk RAT tool
Reporting also identified an emerging tool called Desk RAT being distributed through malicious PowerPoint Add-Ins. This added another delivery and access mechanism to the broader Transparent Tribe ecosystem.
APT36 Linux operation establishes persistence with systemd user services
The Linux intrusion achieved persistence by creating systemd user services so access would survive reboots while blending into normal system activity. This reflected an expansion of the group's tradecraft beyond Windows-focused operations.
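As an added, defender-side example (not code from either source report), this POSIX shell script audits the per-user systemd unit directories that this persistence technique relies on and flags any unit whose ExecStart points outside the system binary paths; the directory layout under SAMPLE is constructed here for demonstration, and the base directory argument is a hypothetical parameter so the audit can run against /home on a real host.

```shell
#!/bin/sh
# Hunt for systemd user-level service units, the persistence mechanism the
# APT36 Linux reporting describes. Defensive triage helper, added here as an
# example; it is not from the source articles.
# Assumption: units live in the standard ~/.config/systemd/user and
# ~/.local/share/systemd/user directories beneath the base directory given.

# list_user_units BASE_DIR: print "path|verdict|ExecStart" for every *.service
list_user_units() {
    base="$1"
    for dir in "$base"/*/.config/systemd/user "$base"/*/.local/share/systemd/user; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
            # Units launching from outside system binary paths deserve a look:
            # a user-writable location under $HOME is the pattern to review.
            case "$exec_line" in
                /usr/*|/bin/*|/sbin/*) verdict="ok" ;;
                *) verdict="REVIEW" ;;
            esac
            printf '%s|%s|%s\n' "$unit" "$verdict" "$exec_line"
        done
    done
}

# count_flagged BASE_DIR: number of units marked REVIEW
count_flagged() {
    list_user_units "$1" | grep -c '|REVIEW|'
}

# Constructed sample: one benign unit and one launching a binary hidden in $HOME
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/alice/.config/systemd/user"
cat > "$SAMPLE/alice/.config/systemd/user/sync.service" <<'EOF'
[Service]
ExecStart=/usr/bin/rsync -a /data /backup
EOF
cat > "$SAMPLE/alice/.config/systemd/user/dbus-helper.service" <<'EOF'
[Service]
ExecStart=/home/alice/.cache/.x/helper --daemon
[Install]
WantedBy=default.target
EOF

list_user_units "$SAMPLE"
```

On a live host, run it as root with /home as the base directory and compare the unit modification times against the incident window; the verdict column is a triage hint, not a conviction.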
Linux campaign uses Go downloader to install Ares RAT
A separate Linux-focused operation delivered a Go-based downloader that installed Ares RAT, a Python remote access tool historically associated with Transparent Tribe. The malware then profiled infected systems and exfiltrated collected data in a structured manner.
Windows campaign deploys Geta RAT via phishing and living-off-the-land techniques
One campaign used phishing emails to infect Windows systems and ultimately deploy Geta RAT. The intrusion chain abused legitimate components including mshta.exe and XAML deserialization to reduce file-based detection and maintain stealth.
Transparent Tribe and SideCopy run espionage campaigns against Indian defense targets
A long-running espionage ecosystem involving Transparent Tribe (APT36) and the aligned SideCopy cluster targeted Indian government and defense organizations for long-term intelligence collection using spear-phishing and weaponized documents. The activity spanned multiple campaigns and platforms, indicating sustained operations rather than a single incident.
Sources
2 references tracked.
Under Siege: GTIG Report Exposes North Korean Spies & Russian Drone Hacks in Defense Sector (securityonline.info, open source)
APT36 Hacker Group Attacking Linux Systems with New Tools to Disturb Services - Cyber Security News (cybersecuritynews.com, open source)