Posts by Feike Hacquebord

Edge Under Siege: How State-Sponsored Actors Exploit Your Perimeter Edge devices have become a primary entry point for state-sponsored espionage, giving attackers a cheaper, faster path to network access, credential theft, and traffic interception. Our report examines...

Edge devices are now the #1 entry point for state-sponsored espionage. Exploits cost $30K-$100K vs millions for mobile. China-aligned groups are burning through zero-days, seemingly in a coordinated way. Your edge devices are the new front door for attackers: www.trendmicro.com/vinfo/us/sec...

9 hours ago
Each country has a distinct AI strategy that shapes their APT operations. 

- China: "Full-Stack Anchor": The only nation capable of sustaining a large-scale AI arms race against the US. End-to-end domestic ecosystem. Expect advanced attacks from China-aligned actors using domestic AI tools, reducing our visibility into how they operate.

- Russia: "Sovereign Fortress": Hardware constraints offset by energy resources and increasing reliance on Chinese technology. AI applied to warfare, surveillance, and now embedded in active malware.

- North Korea: "Asymmetric Saboteur": Leveraging AI to automate cybercrime, funding the missile program through crypto-theft and deepfake-based social engineering. Reliant on third-party AI platforms and Russian infrastructure support.

The APT threat landscape is shaped by the "Digital Autocracy" bloc: an axis between CN, RU, DPRK and IR using AI as a force multiplier.

AI is no longer experimental for APT. It is operational. The next 24 months will be a race for "resilience at machine speed."

www.trendmicro.com/vinfo/us/sec...

4 days ago
Exclusive: Russia-linked hackers compromised scores of Ukrainian prosecutors’ email accounts, data shows Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine during the last several months, according to data reviewed by Reuters, a campai...

It is not often the public gets to see the impact of Russia-aligned cyber operations. This article by Raphael Satter provides exactly that: Russia-aligned actors compromised 170+ accounts of Ukrainian officials tasked with fighting corruption and unmasking spies. www.reuters.com/world/russia...

4 days ago
Scoop: Allegedly Russian hackers have broken into more than 170 inboxes belonging to Ukrainian prosecutors and investigators.

Could help Moscow keep tabs on Ukrainian counterintelligence and sensitive corruption investigations.

www.reuters.com/world/russia...

5 days ago

It is unfortunate that the Rapid7 blog does not seem to reference prior work from up to 5 years ago, which has a very significant overlap with what was apparently presented at RSA 2026.

3 weeks ago
Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities This blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and anal...

In our most recent report on the Russia-aligned APT group Pawn Storm (APT28, Fancy Bear, Forest Blizzard), we explain how they have been using PRISMEX, a collection of interconnected malware components, to target the defense supply chain of Ukraine and its allies - www.trendmicro.com/en_us/resear...

3 weeks ago
Cyber Considerations for Organizations During Times of Conflict This article provides a comprehensive overview of the necessary adjustments and strategies CISOs need to implement to safeguard their organizations’ assets, maintain business continuity, and uphold pu...

We published this article on "Cyber Considerations for Organizations During Times of Conflict" in 2024. It is worth a read again - www.trendmicro.com/vinfo/us/sec...

1 month ago
Spammers abused Atlassian Jira’s notifications to bypass email security filters and target government and corporate entities with spam. In one of the campaigns, highly skilled Russians working abroad were targeted, even though the motivation looks to be financial - www.trendmicro.com/en_us/resear...

2 months ago
Navalny was poisoned with exotic frog toxin, five Western nations confirm Five European countries have confirmed that Navalny was poisoned with epibatidine — a high-potency neurotoxin derived from South American poison dart frogs. Traces of the toxin were found in tissue sa...

Navalny was poisoned with exotic frog toxin, five Western nations confirm

Multiple labs have independently analyzed biological samples taken from Alexei Navalny’s body and found epibatidine, a highly toxic alkaloid sourced from a South American poisonous frog.

2 months ago
Threat Attribution Framework: How TrendAI™ Applies Structure Over Speculation TrendAI™ brings structure and discipline to threat attribution, helping security leaders and teams make informed decisions about cyber risk, incident response, and overall defensive posture.

TrendAI formalizes threat attribution as a structured, repeatable discipline by combining standardized evidence scoring, relationship mapping, and bias testing, with a temporary stage that separates clustering from final naming. Article on how we attribute: www.trendmicro.com/vinfo/us/sec...

2 months ago

#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5

2 months ago
Trend Micro tracks SHADOW-VOID-042 spear-phishing (Nov 2025) using Trend Micro-themed lures and a decoy site mimicking Trend’s corporate style, targeting defence, energy, chemicals, cybersecurity and ICT sectors. www.trendmicro.com/en_us/resear...

4 months ago
spear phishing email using Trend Micro updates as a lure

targeted industries

comparison between this intrusion set and Void Rabisu

Website mimicking Trend Micro graphical design

We investigated an #APT with links to Void Rabisu (Romcom) that used Trend Micro updates as a lure in a recent campaign involving vulnerability exploitation. There were at least 4 stages before the final payload, some of them being tailored to the targeted machine www.trendmicro.com/en_us/resear...

4 months ago
SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics

Recently various industries, including Trend Micro, were targeted by a Trend Micro-themed campaign. Trend Vision One™ stopped it early in the kill chain. The campaign somewhat aligns with Void Rabisu (ROMCOM). For now we track this temporarily under SHADOW-VOID-042 www.trendmicro.com/en_us/resear...

4 months ago
The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns

Cyberespionage campaigns are becoming increasingly complex due to the close collaboration between distinct APT groups. Learn how China-aligned Earth Estries provides initial access to compromised assets for Earth Naga (Flax Typhoon) to continue exploitation: www.trendmicro.com/en_us/resear....

5 months ago
Internet Crime Complaint Center (IC3) | Home Internet Connected Devices Facilitate Criminal Activity

One of the botnets that is using a modular approach that will likely be able to circumvent network-based access controls against residential proxies is known as BadBox 2.0. The FBI issued an advisory yesterday: www.ic3.gov/PSA/2025/PSA...

10 months ago

This modular model is already employed by residential proxy providers in the Far East who obtain millions of residential proxies by exploiting vulnerabilities in the supply chain of inexpensive IoT devices and by shipping pre-infected Android Open Source Project-supported devices (AOSP).

10 months ago

We anticipate that residential proxy providers will seek to bypass connection and session-based access controls, by uploading separate software modules to residential endpoints. These modules can independently carry out specific tasks like advertisement fraud without relying on proxied connections.

10 months ago
The Rise of Residential Proxies as a Cybercrime Enabler This research discusses how residential proxies help cybercriminals bypass antifraud and IT security systems, and how vulnerabilities in the IoT supply chain are exploited where Android-based devices ...

Residential proxies are a key enabler of cybercrime today. This creates a growing need for connection and session-based access control. We used Ja4T fingerprinting that successfully tagged incoming connections from residential proxies to 1,500 IDS systems. www.trendmicro.com/vinfo/us/sec...

10 months ago
One of my favorite pieces of evidence we were able to obtain was 7 videos with English text, which painstakingly explain how to set up a Beavertail C&C. The screen recording, lasting more than 1 hour, was created by someone logged in with a BlockNovas account from an IP address probably in Russia.

11 months ago
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

DPRK cybercrime uses Russian infrastructure in Khasan and Khabarovsk, masked by VPNs, proxies, and RDPs. One fictitious DPRK company to lure IT professionals with interviews was BlockNovas. FBI seized BlockNovas' site and a related C&C on April 23, 2025. Read more: www.trendmicro.com/en_us/resear...

11 months ago
“Let’s hire an ISIS suicide bomber to blow him up in the street!”: Europe’s most wanted man plotted my murder — and that of my colleague A jury at the Old Bailey, London’s Central Criminal Court, has just found six of my compatriots — citizens of Bulgaria — guilty of conspiring with the Kremlin to kidnap and possibly murder me and my c...

Roman Dobrokhotov and Christo Grozev have extensively reported on FSB and GRU. Read this to learn about their ordeal when a team, led by Marsalek, was hunting them down. The story has fun elements and close calls. It highlights the dangers journalists face as they inform us: theins.ru/en/inv/279034

1 year ago
Updated Shadowpad Malware Leads to Ransomware Deployment

Updated Shadowpad malware used in recent attacks against the manufacturing industry led to ransomware in some incidents. Research by @thehellu.bsky.social : www.trendmicro.com/en_us/resear...

1 year ago
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Yet another suspected case of publicly disclosed red team tools being used by an intelligence agency — allegedly the SVR — to conduct a sweeping surveillance operation.

(ht @feikeh.bsky.social)

www.trendmicro.com/en_us/resear...

1 year ago
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei (APT29): A cyberespionage group targeting critical sectors with stealthy techniques. Here’s what you need to know: www.trendmicro.com/en_us/resear... #Cybersecurity #ThreatIntel with @feikeh.bsky.social

1 year ago
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Since Aug 2024 Earth Koshchei (APT29, Midnight Blizzard) used 193 RDP relays and 34 rogue backends against military, MFAs and others. The campaign peak was likely preceded by barely audible campaigns that ended with a bang in Oct 2024. Details and indicators here: www.trendmicro.com/en_us/resear...

1 year ago
Attack chain showing attacker generating link on Moonshine, then sending it through targeted application to the victim, which after clicking the links gets compromised and delivered the DarkNimbus backdoor

Validation flow that fingerprints the target by looking at user agent and delivering the proper exploit

multiple Chrome vulnerabilities exploited in the third-party applications

List of Android applications being targeted
Most are very popular in South East Asia

Our latest report presents Earth Minotaur, a threat actor targeting Tibetans and Uyghurs using Moonshine, an exploitation framework for Android apps described in 2019 by @citizenlab.ca, leveraging vulnerabilities in applications embedding old versions of Chromium trendmicro.com/en_us/resear...

1 year ago
Nsocks provides an alternative explanation: "Competitors have hired an organization that has blocked our back-connect servers and continues DDOS attacks." Nsocks now also mandates authentication for their SOCKS5 entrance nodes (which was not the case previously - security by obscurity)

1 year ago
One week ago Lumen/Shadowserver sinkholed Water Barghest C&Cs. Nsocks (alleged seller of Ngioweb bots) apparently suffers from this: US proxies down to 4494 (was 14037), EU proxies down to 2038 (was 9092). I expected a faster recovery. Still expect Water Barghest will make their botnet more robust.

1 year ago
Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices

Water Barghest automated each step between finding vulnerable IoT devices to offering them for rent on a commercial residential proxy provider. Water Barghest's infrastructure was used to exploit Cisco IOS XE devices with a 0-day in October 2023. Read more here: www.trendmicro.com/en_us/resear...

1 year ago