Advanced Persistent Threats are state-sponsored or state-affiliated hacking groups that conduct long-term espionage and sabotage operations against government, defense, and critical infrastructure targets. defend.network monitors APT activity reported by threat intelligence vendors, government advisories, and incident response disclosures, tracking which groups are active and which sectors they target.
China-linked UNC6508 maintained undetected access to North American medical, military, and academic research networks for over a year via compromised REDCap servers. Microsoft issued record 200 patches with evidence of active exploitation. Cisco SD-WAN vManage CVE-2026-20262 exploited in the wild.
Splunk Enterprise CVE-2026-20253 (CVSS 9.8) enables unauthenticated RCE; 400+ Arch Linux AUR packages hijacked with infostealer/rootkit; China-linked Velvet Ant maintained decade-long PAM/OpenSSH backdoor.
CVE-2026-5027 in Langflow actively exploited for unauthenticated RCE; JDY botnet expands to 1,500 devices targeting U.S. military networks. CISA mandates 3-day patching for critical flaws.
Palo Alto PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) actively exploited; Dutch authorities arrest two hosting operators supporting Russian cyberattacks; Linux kernel CIFSwitch flaw allows privilege escalation.
GitHub suffered breach of 3,800+ internal repos via TeamPCP. Microsoft disrupted malware-signing operation. SonicWall VPN and Drupal require urgent patching.
Critical threats include FIRESTARTER backdoor persistence on federal Cisco devices, Russian military token theft via router exploitation, Chinese APT GopherWhisper attacks, and four actively exploited CISA KEV vulnerabilities with May 2026 federal patching deadline.
FIRESTARTER backdoor persists on federal Cisco infrastructure despite patches; Russian state actors harvesting Office tokens via router exploits; four critical CVEs added to CISA KEV with May 2026 deadline; APT campaigns targeting U.S. defense sector; AI-powered phishing escalates to personalized 1-to-1 attacks.
FIRESTARTER backdoor persists on federal Cisco infrastructure despite patches. Russian military intelligence harvesting Office tokens via router exploits. Chinese APT targeting NASA and defense sector with spear-phishing. AI-powered phishing and FakeWallet credential theft escalating.
Russian state-backed APT harvesting Microsoft tokens, 1,570+ Gentlemen ransomware victims, critical SD-WAN and RMM exploits, Windows Defender flaws; urgent patching required across infrastructure.
Critical Adobe zero-day under active exploitation, Russian state-sponsored token harvesting, and APT37 social engineering campaigns compound with AI-powered vulnerability discovery threats.
Critical threats span Iranian PLC targeting, Russian token harvesting, Marimo RCE exploitation within 10 hours, and GlassWorm IDE infections. Immediate patching and detection deployment required.
Critical zero-day in Adobe Reader, state-sponsored credential theft via routers, and major supply-chain compromises demand immediate action across all organizations.
APT28 deploys PRISMEX malware targeting NATO allies; a 13-year-old ActiveMQ RCE and Russian router-based token theft rated critical; new botnets and healthcare ransomware disruptions.
Russian APT28 conducting large-scale DNS hijacking via compromised routers for token theft; Iranian hackers targeting U.S. critical infrastructure PLCs; critical Docker and Flowise vulnerabilities under active exploitation.
State-sponsored APT campaigns targeting Microsoft 365 and supply chains escalate with GitHub C2 usage and zero-day exploits deployed within 24 hours of breach.
State-sponsored DPRK and China-linked APT campaigns, critical FortiClient RCE exploit, and cascading supply chain attacks affecting European institutions and npm ecosystem.
Nation-state campaigns targeting European governments and supply chain infrastructure. TA416 resumes targeting with PlugX. North Korean UNC1069 compromises Axios npm. Device code phishing surges 37x.
Critical zero-day in TrueConf, resurgent Chinese APT targeting European governments, North Korean npm supply chain compromise, and third-party vendor breaches require immediate response.
Critical zero-day exploits in TrueConf and North Korean Axios compromise, plus wiper attacks and AI platform over-privilege vulnerabilities demand immediate response across cloud, government, and healthcare sectors.
FBI Director's email breached by Iran-linked hackers; critical Citrix and F5 vulnerabilities under active exploitation; wiper attacks target Stryker; nation-state exploit kits leaked publicly.
Iran-linked actors breached FBI Director Kash Patel's email and launched wiper attacks on Stryker. Critical Citrix and F5 vulnerabilities under active exploitation with no patches available.
State-sponsored Chinese APT embedded in telecom backbone, critical Langflow AI vulnerability actively exploited, wiper malware targeting Iran systems, and zero-click AI assistant vulnerabilities require immediate response.
AI-powered autonomous cyber espionage, device code phishing at 340+ organizations, and critical infrastructure vulnerabilities require immediate defensive action across all sectors.
Russian intelligence conducting mass Signal/WhatsApp phishing; critical Oracle RCE vulnerability; Trivy supply-chain attack spreads CanisterWorm across 47+ npm packages; VoidStealer bypasses Chrome encryption; Iran-backed wiper attacks on medical technology.