The Leek Likho group (also known as SkyCloak or Vortex Werewolf) was first described by researchers in 2025, when a series of targeted attacks on public sector organizations in Russia and Belarus became known. This campaign was called Operation SkyCloak. We observed the continuation of its activity during February-April 2026, and also discovered a new technique that attackers use to filter files.
Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.
In April 2026, Cato CTRL identified and blocked an attempted intrusion against a global manufacturing customer involving TencShell, a previously undocumented, Go-based implant derived from the open-source Rshell C2 framework. The activity appeared in traffic associated with a third-party user connected to the customer environment.