Reports Highlight Rising Nation-State/APT Activity and Increased 0-Day Exploitation
Two threat-landscape reports describe an increasingly aggressive nation-state/APT environment, emphasizing how stolen credentials and access sold in underground markets reduce the need for bespoke initial access while enabling long-dwell espionage. SOCRadar’s U.S.-focused writeup frames state-linked operations as prioritizing persistent visibility into high-value environments such as email, identity systems, telecom, and government-adjacent infrastructure, citing China-nexus activity (including Salt Typhoon) as emblematic of strategic access over smash-and-grab theft.
NSFOCUS’s 2025 global APT overview highlights a marked increase in 0-day vulnerability use across operating systems, browsers, network devices, and even security software, enabling extended stealth and broad impact. It cites examples including BlindEagle targeting Colombian judicial/government entities by exploiting a variant of CVE-2024-43451 (Windows shortcut/SMB link behavior enabling NTLMv2 hash capture with low-interaction triggers), Lazarus Group weaponizing a 0-day in South Korea’s widely deployed CrossEX banking/security software for large-scale intrusion and data theft, and Turkey-linked Marbled Dust/Sea Turtle conducting an operation against the Iraqi Kurdish military (disclosed later) using vulnerability exploitation as part of the intrusion chain.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
State-backed espionage campaigns surge against education sector in Q1 2026
In Q1 2026, the global education sector appeared in 20% of observed APT campaigns after being absent the previous quarter, with China-linked groups including MISSION2074, Stone Panda, Hafnium, and Lotus Blossom, as well as Iran-linked Charming Kitten, driving activity. Victims in 27 countries were targeted through email, FTP, and SSHD servers to access research data and institutional communications, alongside related spear-phishing and supply-chain threats.
Google reports UNC1549 and UNC6446 target aerospace and defense personnel
Google reported that Iran-linked UNC1549 and UNC6446 used recruitment-themed lures and career-workflow tools such as job portals, resume builders, and personality tests to target aerospace and defense personnel. The activity also sought to exploit third-party relationships for access.
Kimsuky runs QR-code spear-phishing against U.S. policy-focused organizations
North Korea-linked Kimsuky used QR-code phishing, or quishing, to target U.S. NGOs, think tanks, academic institutions, and government entities focused on North Korea issues. The campaign reflected evolving social-engineering tactics in espionage operations.
CISA-referenced campaign attributes Exchange abuse to GRU Unit 26165
A campaign referenced by CISA was attributed to Russia's GRU Unit 26165, also known as APT28, using password spraying, spearphishing, and Microsoft Exchange mailbox permission manipulation. The activity targeted U.S.-relevant strategic sectors such as logistics and technology.
Apple patches exploited ImageIO zero-click RCE flaw
Apple released a patch for an ImageIO zero-day vulnerability that had been exploited in the wild and could enable zero-click remote code execution. The fix was highlighted as a notable 2025 response to active exploitation.
XE Group compromises VeraCore supply chain with two zero-days
XE Group carried out a supply-chain compromise involving VeraCore and used two zero-day vulnerabilities in the operation. The incident illustrated the growing use of zero-days in software supply-chain attacks.
SharePoint exploit chain is adopted and updated by Mimo and Warlock
A SharePoint remote code execution exploit chain was commoditized and adopted by groups including Mimo and Warlock, which also updated the chain to bypass patches. The development showed how quickly advanced exploit techniques spread beyond their original operators.
Cisco reveals ArcaneDoor espionage using three Cisco-device zero-days
Cisco disclosed ArcaneDoor-linked cyberespionage activity exploiting three zero-days affecting Cisco devices, including two high-severity remote code execution flaws. The campaign targeted global critical infrastructure and U.S. federal agencies.
StealthFalcon spear-phishes Turkish defense contractor with network shortcut zero-day
StealthFalcon conducted a spear-phishing campaign against a Turkish defense contractor, abusing a network shortcut zero-day to install a custom backdoor. The attack highlighted continued targeting of defense-sector organizations with tailored initial access techniques.
Marbled Dust uses Output Messenger zero-day against Iraqi Kurdish military
Marbled Dust, also known as Sea Turtle, exploited a directory traversal zero-day in Output Messenger to deploy a Golang backdoor against the Iraqi Kurdish military. The operation demonstrated nation-state use of messaging software vulnerabilities for espionage.
Lazarus exploits CrossEX zero-day in South Korea
North Korea-linked Lazarus exploited a zero-day in CrossEX software in attacks in South Korea. The activity was cited as an example of APT groups using trusted local software to gain stealthy access.
BlindEagle exploits Windows flaw against Colombian government targets
BlindEagle used a Windows shortcut/SMB NTLMv2-hash capture zero-day to target Colombian judicial and government entities, seeking credential theft and access. The campaign was identified as part of the 2025 APT threat landscape.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Education Sector Under Attack From State Espionage, Spear-Phishing, and Supply Chain Attacks - Cyber Security News
cybersecuritynews.com
Open sourceSouth Korea Threat Landscape Report - CYFIRMA
cyfirma.com
Open sourceMarch 2026 Threat Trend Report on APT Groups - ASEC
asec.ahnlab.com
Open sourceCERT-EU - Threat Landscape Report 2025 - A Year In Review
cert.europa.eu
Open sourceTop Nation-State Cyber Threats Targeting the United States
socradar.io
Open sourceAn Overview of 2025 Global APT Attack Landscape - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
nsfocusglobal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026
Weekly Cybersecurity Roundups Highlighting Government Campaigns, Nation-State Activity, and Emerging Vulnerabilities
Multiple weekly cybersecurity roundups and newsletters highlighted a mix of policy, threat, and vulnerability developments rather than a single discrete incident. UK government messaging featured prominently, including a campaign urging businesses to “lock the door” against cyber criminals and publication of longitudinal survey results indicating most organizations continue to experience cyber incidents (with reported rates in the 70–80% range across businesses and charities). Separately, commentary from European security circles emphasized growing calls for **offensive cyber capabilities** (“strike back”) amid concerns about Russian aggression and sabotage activity across Europe, including references to cyber operations targeting critical infrastructure. Threat reporting in the same period emphasized escalating **nation-state and proxy activity** against critical infrastructure and the defense industrial base, citing research that espionage groups (including those linked to China, Russia, and North Korea) have compromised organizations by exploiting **zero-day vulnerabilities in edge devices** (e.g., VPNs and gateways). Additional reporting pointed to newly identified OT-focused threat groups (e.g., **Sylvanite**, **Azurite**, **Pyroxene**) and a broad set of emerging technical risks and product/security changes, including discussion of an **OpenSSL RCE** risk, **Foxit 0-days**, and analysis of **LockBit 5.0** ransomware techniques (e.g., ETW tampering, process hollowing, log clearing) alongside Android platform security changes (e.g., deprecating cleartext traffic defaults and adding HPKE support).
Mar 21, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026