APT

APT - Cisco Talos Blog

May 5, 2026 06:00
UAT-8302 and its box full of malware
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
Jungsoo An, Asheer Malhotra, Brandon White. Tags: Threat Spotlight

April 23, 2026 11:10
UAT-4356's Targeting of Cisco Firepower Devices
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices.

Tags: Cisco Talos Threat Advisory, Threats

March 5, 2026 06:00
UAT-9244 targets South American telecommunication providers with three new malware implants
Cisco Talos is disclosing UAT-9244, which we assess with high confidence is a China-nexus advanced persistent threat (APT) actor closely associated with Famous Sparrow.
Tags: malware

January 8, 2026 06:00
UAT-7290 targets high value telecommunications infrastructure in South Asia
Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China nexus of advanced persistent threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia.
Vitor Ventura

December 17, 2025 11:55
UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).

September 23, 2025 14:00
How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking
Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors.
Joey Chen, Takahiro Takeda

August 15, 2025 06:00
UAT-7237 targets Taiwanese web hosting infrastructure
Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
Brandon White, Vitor Ventura

June 18, 2025 06:00
Famous Chollima deploying Python version of GolangGhost RAT
Learn how the North Korean-aligned Famous Chollima is using a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.
Vanja Svajcer. Tags: SecureX, DPRK

June 5, 2025 06:00
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.”
Jacob Finn, Dmytro Korzhevin, Asheer Malhotra. Tags: Ukraine, wiper

May 22, 2025 06:00
UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
Tags: vulnerability

March 20, 2025 06:00
UAT-5918 targets critical infrastructure entities in Taiwan
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-source tooling to conduct post-compromise activities that establish persistence in victim environments for information theft and credential harvesting.

February 27, 2025 06:00
Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
Joey Chen

October 17, 2024 06:00
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
Cisco Talos has observed a new wave of attacks, active since at least late 2023, from a Russian-speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities.
Vanja Svajcer. Tags: Russia

August 21, 2024 06:00
MoonPeak malware from North Korean actors unveils new details on attacker infrastructure
Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This is XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.”
Guilherme Venere. Tags: North Korea

August 1, 2024 08:00
APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.
Ashley Shen

June 13, 2024 06:00
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”

May 30, 2024 08:01
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, which we attribute to an advanced persistent threat (APT) actor we’re calling “LilacSquid.” Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups.

April 24, 2024 11:54
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series and has released three CVEs related to the event. We assess with high confidence this activity is related to the same threat actor as ArcaneDoor in 2024.

April 23, 2024 08:01
Suspected CoralRaider continues to expand victimology using three information stealers
Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload onto the victims’ hosts.

March 21, 2024 09:08
New details on TinyTurla’s post-compromise activity reveal full kill chain
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
Holger Unterbrink, Arnaud Zobec. Tags: Turla
