The Case of the Vanishing Attachment and the Stolen Login
In 2025, the Russia-nexus Calisto intrusion set used spearphishing, trusted-contact impersonation, and redirector-based credential harvesting (including AiTM-style tactics) to target NGOs and other entities linked to Ukraine support, including Reporters Without Borders.
Dec 15, 2025 · 13 min read


FAIR INTEL Weekly RASE Report 12-15-2025
Resilience, Attack Surface, and Exposure (RASE)
Dec 15, 2025 · 14 min read


BRICKSTORM: Because Your Hypervisor Needed a Midlife Crisis
PRC state-sponsored cyber actors are deploying the BRICKSTORM backdoor to maintain long-term, stealthy access to VMware vSphere and related Windows infrastructure in government and IT organizations, enabling persistent control, lateral movement, and data exfiltration.
Dec 9, 2025 · 18 min read


TA569’s Fake Update Pop-Up: Now Featuring a Cameo by Russian Intelligence
Arctic Wolf Labs reports that RomCom, a Russian-aligned threat group, was observed delivering its Mythic Agent loader through the SocGholish framework for the first time, targeting a U.S. engineering firm with ties to Ukraine.
Nov 26, 2025 · 18 min read