espionage

Persistent Espionage: Mustang Panda's LOTUSLITE Campaign Hits Banking

John Z Black Apr 27, 2026

Threat Intelligence #mustang-panda #apt #espionage #supply-chain #nation-state

A refreshed LOTUSLITE variant from Mustang Panda is targeting Indian banks and South Korean policy groups. Nation-states aren't extortionists. They're collectors. And they're patient.

Adversarial Distillation: The Industrial-Scale Theft of Frontier AI

John Z Black Apr 23, 2026

AI Security #ai-security #china #adversarial-distillation #deepseek #white-house #espionage #frontier-ai #anthropic

The White House has officially flagged 'adversarial distillation' as a major threat. China is using tens of thousands of fake accounts to clone U.S. AI capabilities by strip-mining model outputs. This is model theft through the front door.

The AI Espionage Playbook: How a Hacker Used Claude and GPT-4.1 to Steal 415 Million Records

John Z Black Apr 15, 2026

AI Security #ai-security #nation-state #espionage #llm-abuse #openai #anthropic #claude #data-breach #mexico

A threat actor used Claude Code and GPT-4.1 to automate a government-scale data breach in Mexico, exfiltrating 415 million records through 5,317 AI-generated commands. This is the first documented case of AI coding tools used as a nation-state espionage engine.

China's TA416 Is Back in Europe After Two Years. They Brought New Tricks.

John Z Black Apr 6, 2026

Threat Intelligence #china #ta416 #plugx #oauth #phishing #espionage #eu #apt

TA416 has resumed targeting EU government and diplomatic organizations with PlugX malware, now abusing OAuth redirects to slip past traditional phishing defenses.

BRICKSTORM Hides Where Your EDR Can't See It

John Z Black Apr 6, 2026

Threat Intelligence #china #espionage #vmware #vsphere #brickstorm #unc5221 #edr #hypervisor

A suspected China-nexus espionage operation targets VMware vCenter and ESXi hypervisors, persisting at the virtualization layer where endpoint security is blind.

A Zero-Day Turned TrueConf's Update Channel Into a Malware Delivery System

John Z Black Apr 3, 2026

Threat Intelligence #zero-day #supply-chain #trueconf #espionage #china #cve-2026-3502

Chinese-nexus actors exploited a zero-day in TrueConf to hijack the update mechanism and push trojanized updates to Southeast Asian government agencies.

FBI Says China Hacked Its Surveillance Systems, Triggers 'Major Incident' Classification

John Z Black Apr 3, 2026

Incidents & Breaches #fbi #china #surveillance #fisma #espionage #nation-state

The FBI classified a suspected Chinese intrusion into law enforcement surveillance infrastructure as a FISMA major incident, forcing Congressional notification within days.

Three Chinese Hacker Groups Hit the Same Government. At the Same Time.

John Z Black Mar 31, 2026

Threat Intelligence #china #apt #mustang-panda #unit42 #espionage #southeast-asia #usb-worm #hiupan #nation-state

The Progress We Thought We Were Making Against Hackers? It Just Went Backward.

John Z Black Mar 30, 2026

Threat Intelligence #m-trends #dwell-time #mandiant #espionage #ransomware #north-korea #threat-intelligence

Dwell time reversed in 2025, and the reason why tells you exactly which threats most security programs are not built to catch.

Two Spy Campaigns, Two Completely Different Playbooks

John Z Black Mar 16, 2026

Threat Intelligence #espionage #apt #china #russia #signal #asean #military #threat-intelligence

A Chinese APT has been sitting inside Southeast Asian military networks for six years. Meanwhile, Russian hackers are stealing Signal accounts with fake support messages. Same goal, wildly different approaches.

China's Been Quietly Spying on Southeast Asian Militaries for Years

John Z Black Mar 13, 2026

Nation-State Threats #china #apt #espionage #southeast-asia #military #unit42 #nation-state

Unit 42 documented a suspected Chinese state-sponsored espionage campaign with years of undetected access to military networks across Southeast Asia. This is what patient intelligence collection looks like.