Proofpoint has detailed TA4922, a Chinese-speaking, financially motivated cybercrime group that has expanded from East Asia into Europe, deploying the previously undocumented Atlas backdoor against organizations in Germany, Italy, the UK, and South Africa. Since March, its tempo has surged: Proofpoint says TA4922 now runs more unique campaigns than any other cybercrime actor in its data. Lures impersonate payroll notices, tax audits, VAT filings, compliance notices, invoices, and HR communications, with follow-up contact via WhatsApp, LINE, and Microsoft Teams. The group overlaps with activity reported as Silver Fox and Void Arachne. Proofpoint believes the rapidly expanding malware arsenal is being accelerated with LLMs, citing AI-generated code patterns and placeholder values.
WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.
Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.