weekly
SIGNALS WEEKLY: Chrome 0-Day in the Wild + December Patch Tuesday Priv-Esc
Chrome 0-day in the wild + Windows priv-esc getting abused + OT VNC still exposed like it’s 2009. 😬🔥
russia
space
Space IoT: Under Siege.
If your organization consumes satellite data, runs VSATs (very small aperture terminals), or depends on vendors who do—you’re in scope. Since 2020, attackers have shifted from “space” to the easier target: ground networks and cloud storage.
russia
Russian APTs: OAuth Abuse, RDP Phish, and Takedowns
Russia-linked actors leaned hard on OAuth device codes and RDP phishing from Oct 2024–Aug 2025. Providers pushed back in concert. Here’s what changed, what to watch in your logs, and the quickest moves that buy real risk reduction.
romcom
RomCom’s WinRAR Exploit: Persistent Startup Folder Attacks and Encrypted C2 Exfiltration Targeting Critical Sectors
Russian-linked RomCom is abusing a critical WinRAR bug to quietly persist in networks, move laterally, and siphon data over encrypted channels — hitting government, finance, and telecom sectors hard. Patch lag is keeping doors wide open.
darkwatchman
DarkWatchMan and Hive0117: Fileless Malware Evolution Targeting Russian Critical Infrastructure
DarkWatchMan is a fileless, modular malware family first observed in late 2021 and attributed to the financially motivated Hive0117 group. The malware is primarily delivered via spear-phishing emails containing password-protected archives, targeting Russian critical infrastructure (energy, etc).
sandworm
Sandworm’s Evolving Playbook: Destructive Malware, BadPilot Subgroup, and the Escalating Threat to Global Critical Infrastructure
Sandworm, a Russian GRU-affiliated cyber threat group (Unit 74455), continues to escalate its offensive cyber operations, with a primary focus on Ukraine and Western allies. The group is notorious for high-impact attacks such as the 2015-2016 Ukrainian power grid blackouts...
void-blizzard
Void Blizzard: Russian State-Backed Cloud Espionage, AitM Phishing, and LOTL Tactics Targeting NATO and Allies
Void Blizzard, a Russian state-sponsored APT attributed to the GRU and tracked as Laundry Bear by Dutch intelligence, has rapidly emerged as a major cyber espionage threat since April 2024. The group targets government, defense, telecommunications, NGOs, and critical infrastructure across NATO...
russia
LOSTKEYS: COLDRIVER’s Next-Gen Social Engineering Malware and the Evolution of Russian State Espionage Tactics
LOSTKEYS, first observed in early 2025, marks a significant evolution in Russian cyber-espionage, attributed to the FSB-backed COLDRIVER group. Unlike traditional spear-phishing, LOSTKEYS employs a sophisticated multi-stage infection chain initiated by fake CAPTCHA lure websites (ClickFix)...
apt
Strategic Cyber Threats: Chinese, Russian, and North Korean APTs.. How are they different?
Recent trends indicate a shared interest among these state-sponsored groups in exploiting vulnerabilities and utilizing AI tools like Google's Gemini to improve their cyberattack capabilities.
apt28
GruesomeLarch: Unveiling the Sophisticated Cyber-Espionage Tactics of a Russian Nation-State Actor
The threat actor known as "GruesomeLarch," also publicly recognized as Fancy Bear (APT28), has been identified as a sophisticated Russian nation-state group involved in cyber-espionage activities.
midnight-blizzard
Midnight Blizzard: Unmasking the Espionage Tactics of Russia's Elite Cyber Threat Actor -- What's Next?
Midnight Blizzard, a cyber threat actor linked to Russia's Foreign Intelligence Service (SVR), has been a persistent menace in the cyber espionage landscape, targeting sectors such as government, defense, academia, and non-governmental organizations.
apt
THREAT-ACTOR - FIN7: A Persistent Cyber Threat with Evolving Tactics
Their primary motivation is financial gain, focusing on sectors rich in valuable data and assets...