Intel 471’s latest intelligence update for July reveals a surge in sophisticated cyber campaigns carried out by advanced persistent threat (APT) groups across the globe in June. These operations point to a shifting threat landscape where espionage and disruption are growing in both scale and impact.

“The Silver Fox APT focused on Taiwan, employing spear-phishing and leveraging RATs like Gh0stCringe and HoldingHands to infiltrate government and tech networks, aiming to steal intellectual property,” researchers detailed in Intel 471’s Intelligence & Research Cyber Threat Updates. “Concurrently, remnants of the dismantled Black Basta group resurfaced under affiliations like CACTUS and BlackSuit, targeting finance and construction sectors using Teams phishing, email bombing, and stealthy multi-stage tools like Rust-based loaders and QDoor.”

Meanwhile, they added that APT28 (Fancy Bear) employed Signal messaging to compromise Ukrainian entities, deploying malware such as SlimAgent to exfiltrate sensitive data.

Intel 471 reported that other campaigns underscored a global increase in disruptive and destructive cyberattacks. Fog ransomware targeted an Asian financial organization with stealthy dwell times and novel persistence methods, even incentivizing victims to propagate the ransomware. Ukraine also faced attacks from PathWiper, a destructive malware designed to erase critical infrastructure data via timed triggers and anti-recovery techniques. 

Furthermore, Iranian APTs (APT33, APT34, APT39) executed widespread attacks across North America, Europe, and the Middle East, using advanced tactics like registry tampering, credential reuse, and encrypted data exfiltration to disrupt vital sectors and harvest sensitive information.

Intel 471 also observed that remnants of the dismantled Black Basta group have reemerged under the banners of CACTUS and BlackSuit. These actors have targeted finance, insurance, and construction networks by exploiting Microsoft Teams, combining phishing lures with email bombing and vishing to gain a foothold. Post-compromise activity included backdoor tunneling with QDoor and Rust-based loaders for SSH utilities, showing an evolution toward stealthy, multi-stage intrusions. Security teams are being urged to strengthen detection of Teams-based phishing and script-driven payloads.

APT28, known in security circles as Fancy Bear, added a new wrinkle to its Ukrainian campaigns by weaponizing Signal messaging chats. CERT-UA first flagged the tactic in March, observing the spread of malicious links through group messages, which led to the deployment of SlimAgent malware for data theft and persistent access. This social engineering method highlights a novel approach to compromising political, military, and government targets within Ukraine.

Intel 471 noted that Symantec reported on Fog ransomware striking an Asian financial institution in May. Attackers spent two weeks inside the network before encrypting systems, using Syteca, GC2, Adaptix, and Stowaway proxies to maintain a low profile. In a bizarre twist, ransom notes offered free decryption if victims agreed to propagate the ransomware further, a tactic experts warn could accelerate contagion across connected systems.

Ukraine has also faced a new wave of destructive malware with PathWiper. The Talos Intelligence team confirmed the tool was delivered via spear-phishing to critical infrastructure operators. PathWiper is designed to erase data with time-based triggers and anti-recovery code, effectively halting operations rather than seeking financial payouts. Its command-and-control functionality provided attackers with real-time status reports as systems were wiped.

Finally, a sweeping assessment from Unit 42 chronicled the ongoing cyber campaigns of Iranian state-backed groups such as APT33, APT34, and APT39. These groups targeted agencies, energy producers, and critical infrastructure across North America, Europe, and the Middle East. Their operations combined credential harvesting, destructive wipers, and ransomware while abusing living-off-the-land binaries and manipulating registries for persistence. Iran’s actors also focused on stealing industrial control system data and classified communications, adapting quickly to geopolitical tensions.
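The Unit 42 assessment summarized above mentions registry manipulation for persistence and the abuse of living-off-the-land binaries, and the earlier Black Basta paragraph urges detection of script-driven payloads. The following is an added example, not code from Intel 471, Unit 42 or any vendor cited here: a small detector that scans Sysmon-style RegistryEvent records (Event ID 13, value set) for writes to autostart Run/RunOnce keys made by a living-off-the-land binary or pointing at an interpreter or user-writable path. The field names and the sample records are constructed for illustration.

```python
"""Detect registry autostart persistence in Sysmon-style RegistryEvent records.

Added example: not Intel 471's, Unit 42's or any vendor's code. The records in
SAMPLE_EVENTS are constructed to resemble Sysmon Event ID 13 (RegistryEvent,
value set); field names and values are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Autostart locations commonly abused for persistence (Run / RunOnce keys).
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Living-off-the-land binaries that legitimately touch the registry but are
# also frequent vehicles for script-driven payloads.
LOLBINS = {
    "reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "wscript.exe", "cscript.exe",
}

# Value data that launches an interpreter or runs from a user-writable path.
SUSPICIOUS_DATA_RE = re.compile(
    r"(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32"
    r"|\\AppData\\|\\Temp\\|\\Users\\Public\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    image: str      # process that performed the write
    target: str     # registry value that was set
    details: str    # data written to the value
    reasons: tuple  # why the write was flagged


def assess_event(ev: dict):
    """Return a Finding if the event sets an autostart value suspiciously, else None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    reasons = []
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image_name in LOLBINS:
        reasons.append(f"written by LOLBin {image_name}")
    details = ev.get("Details", "")
    if SUSPICIOUS_DATA_RE.search(details):
        reasons.append("value launches an interpreter or runs from a user-writable path")
    if not reasons:
        return None  # a plain installer registering its own binary is not flagged
    return Finding(ev.get("Image", ""), target, details, tuple(reasons))


def scan(events):
    """Run assess_event over a sequence of records and collect the findings."""
    return [f for f in (assess_event(e) for e in events) if f]


# Constructed sample records (assumed Sysmon-like field names).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\u.ps1"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe --tray"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": ""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image} -> {f.target}: {'; '.join(f.reasons)}")
```

Only the first record is flagged: a Run value set by reg.exe whose data launches PowerShell from a user profile path. The vendor installer writing its own Run value, the non-autostart key, and the Event ID 12 record all pass. In practice the two heuristics would be tuned against a baseline of the environment's own software inventory.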

Intel 471 analysts expect this pace of cyber aggression to continue as global rivalries and regional instability intensify. Organizations are being urged to bolster visibility across communication platforms, patch known vulnerabilities, and invest in threat hunting capabilities to stay ahead of these evolving campaigns.

The researchers also stated that Intel 471 will continue to refine its hunt packages to track these persistent threats as adversaries escalate their focus on high-value targets worldwide.

In April, the Federal Bureau of Investigation (FBI) released its Internet Crime Report 2024, highlighting US$16.6 billion in losses reported to the Internet Crime Complaint Center (IC3) over the past year. Fraud accounted for the majority of these losses, while ransomware remained the most pervasive threat to critical infrastructure, with complaints increasing by 9 percent compared to 2023. Among all demographics, individuals over the age of 60 experienced the highest financial losses and filed the greatest number of complaints.
