Cyber Intelligence
Emerging Threat - ‘ShinyHunters’
This report contains selected cyber-security information from 22nd January to 5th February 2026.
This report is TLP:CLEAR1
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 5th February 2026
Synopsis
1. A subset of the ‘Con’ hacking group, ‘ShinyHunters’, is becoming a dangerous threat. Russia cyber-attacks the Polish power grid and directs volunteer hackers to DDoS Czechia and Denmark, while APT28 exploits a Microsoft Office security flaw. Hackers hit Russia with ransomware and disrupt a bread producer. PRC hackers hit senior Downing Street personnel and South East Asian governments. The PRC is behind the hack of Notepad++. Pakistan has two new campaigns targeting India.
2. We report hacker activity based on the threat posed. It is our assessment that cyber conflicts such as Russia vs Ukraine, Iran vs Israel, etc. are the most likely sources of next-generation malware and/or a primary source of cyber attacks.
ShinyHunters: The Newest Dangerous Criminal Hackers
3. Scattered Lapsus ShinyHunters. A loose group of English-speaking Western young men continues to morph into a substantial threat. Recently self-branded the ‘Con’, one aggregate of the group now calls itself ‘Scattered Lapsus ShinyHunters’ (SLSH). The group has its own tactics, techniques and procedures (TTPs) to extort victims. They use harassment, threats (including of physical violence), and swatting (including of homes), “all while notifying journalists and regulators.”2 Some victims do pay up. Unfortunately, the group’s history means that, in addition to not getting your files decrypted, they may not destroy their copies of your data, and there is no guarantee that they won’t come after you again. Worse, the group appears to be uninterested in building a reputation for keeping its word.
4. According to ‘Mandiant’, their most recent tactics involve SLSH members pretending to be a company’s IT staff and phoning company members about resetting Multi-Factor Authentication (MFA). SLSH then register their own devices as MFA factors to get full access to the target company’s network. If a company’s security team doesn’t hear that it has been hacked through ‘Telegram’ chatter, the first knowledge of a hack may come from the media asking for comment, one of the group’s standard tactics. Harassment targets range from the organization’s board to the children of executives. Swatting attacks can include bomb threats or hostage situations. Brian Krebs of Krebs on Security was told “A big part of what they’re doing to victims is the psychological aspect of it … and while these victims are getting extortion demands, they’re simultaneously getting outreach from media outlets saying, ‘Hey, do you have any comments on the bad things we’re going to write about you.’” As if this isn’t bad enough, the article warns that these “extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroying behavior, backstabbing, and sabotaging each other.”3
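The MFA-reset pattern described above leaves a recognisable trail in identity-provider audit logs: a factor reset performed by a help desk, followed minutes later by enrollment of a device nobody in the company has seen before, often from an address outside the corporate network. The detection below is an added example written for this report, not code from Mandiant or from any product. The log format, the field names (`user`, `event`, `actor`, `device`, `src`), the `mfa.factor.reset` / `mfa.factor.enroll` event names, the 30-minute window and the `10.0.0.0/8` corporate range are all assumptions; the sample events are constructed.

```python
"""Flag an MFA factor reset that is quickly followed by enrollment of a new
device, the help-desk impersonation pattern attributed to SLSH above.
Added example; log format, event names and corporate range are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate address range: enrollments from outside it are more suspicious.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed sample audit events (not real logs). j.doe shows the pattern:
# help desk resets the factor, a new device enrolls from an external address
# four and a half minutes later, then a session starts from that device.
# a.smith enrolls a new device a day after a reset, which is normal turnover.
SAMPLE_EVENTS = [
    "2026-01-30T09:02:11Z user=j.doe event=mfa.factor.reset actor=helpdesk-1 src=10.0.5.20",
    "2026-01-30T09:06:45Z user=j.doe event=mfa.factor.enroll device=iPhone-unknown src=203.0.113.44",
    "2026-01-30T09:08:02Z user=j.doe event=session.start device=iPhone-unknown src=203.0.113.44",
    "2026-01-30T11:40:00Z user=a.smith event=mfa.factor.reset actor=helpdesk-2 src=10.0.5.21",
    "2026-01-31T14:00:00Z user=a.smith event=mfa.factor.enroll device=Pixel-9 src=10.0.7.8",
]


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    fields: dict  # remaining key=value pairs (actor, device, src, ...)


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, fields.pop("user"), fields.pop("event"), fields)


def detect_mfa_reset_takeover(lines, window: timedelta = timedelta(minutes=30)):
    """Return one alert per new-device enrollment that follows a factor reset
    on the same account within `window`. Each alert records who performed the
    reset, how quickly the enrollment followed, and whether the enrolling
    address is outside the corporate range."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    last_reset = {}  # user -> most recent reset event
    alerts = []
    for ev in events:
        if ev.event == "mfa.factor.reset":
            last_reset[ev.user] = ev
        elif ev.event == "mfa.factor.enroll":
            reset = last_reset.get(ev.user)
            if reset is None or ev.ts - reset.ts > window:
                continue  # no recent reset: ordinary device enrollment
            src = ev.fields.get("src", "0.0.0.0")
            alerts.append({
                "user": ev.user,
                "reset_by": reset.fields.get("actor", "unknown"),
                "seconds_after_reset": int((ev.ts - reset.ts).total_seconds()),
                "new_device": ev.fields.get("device", "unknown"),
                "external_source": ip_address(src) not in CORP_NET,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_reset_takeover(SAMPLE_EVENTS):
        print(alert)
```

The rule is deliberately narrow: it keys on the reset-then-enroll sequence rather than on any single event, because both events are legitimate on their own. In practice the alert should route back to the help-desk agent named in `reset_by` so the reset request can be verified with the employee through a known-good channel before the new device is allowed to keep its session.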
5. The question becomes: How bad is the threat?
• Over 100 Organizations Targeted in ShinyHunters Phishing Campaign
• ShinyHunters group leaks millions of alleged records from SoundCloud, Crunchbase and Betterment
• ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft
• ShinyHunters swipes right on 10M records in alleged dating app data grab
• Panera Bread breach: ShinyHunters claims hack of 14 million customers’ data
Analyst’s Comment: This is as bad as anything I have seen in over twenty years. They are leveraging their natural English skills to spoof victims into providing credentials. These hackers have no morals, nor group ethos, resulting in extreme measures to coerce victims into payment. Even if the victim pays, the decryption code may not work and there is no guarantee your files will be deleted. Last but far from least, success is good for recruiting. There are already thousands of hackers associated with the ‘Con’, with an unknown number associated with ShinyHunters. Their decentralized nature means law enforcement has less of a leadership group to target. Expect the ShinyHunters threat to be around for a long time.
Russia
6. Russian Government Hackers Attack Polish Power Grid. In late 2025 the Polish power grid was hit by a ‘wiper’ cyber attack. Security researchers at ‘ESET’ reported: “Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed, … We’re not aware of any successful disruption occurring as a result of this attack.”4 If the DynoWiper malware had been successfully deployed, the controlling network would have had its data wiped, shutting down Poland’s power grid. ‘Security Affairs’ noted the cyber attack occurred during ‘peak winter demand’. Follow-up reports suggested that the networks were accessed through ‘default passwords’.
7. Russia Targeted With ‘Amnesia’ RAT and Ransomware. In late January a cyber campaign was observed targeting Russian users. ‘Business documents’ were circulated through social media. The first of two malware downloads is ‘Amnesia RAT’, which “facilitates credential theft, session hijacking, financial fraud, and real-time data gathering, turning it into a comprehensive tool for account takeover and follow-on attacks.” The second payload is ransomware “derived from the Hakuna Matata ransomware family and is configured to encrypt documents, archives, images, media, source code, and application assets on the infected endpoint, but not before terminating any process that could interfere with its functioning.”5 The attacker is unknown.
8. NoName057(16) Latest Targets. Between 19 and 25 January the Russian volunteer hacking group NoName057(16) used their DDoSia (DDoS) tool against Czech infrastructure. 141 domains and 131 IP addresses were targeted. In this campaign 74.5% of attacks focused on Czechia, with Ukraine receiving 11.5% of the attacks. The majority of the attacks were against government infrastructure, followed by critical transportation infrastructure and then private sector organizations.6 The next target for Russia’s ‘patriotic hackers’ appeared to be Denmark. On 28 January the ‘Russian Legion’, another Russian volunteer hacker group, announced on its Telegram channel that Denmark must withdraw a Ukrainian support package or DDoS disruptions would escalate into ‘real cyberattacks’.7 Analyst’s Comment: The attacks materialized but did not appear to do any significant damage.
9. Major Russian Bread Producer Hacked. On 29 January the Vladimir Bread factory, a major regional producer of bread, was hacked. Production was unaffected; however, order processing and deliveries were disrupted, and the company “reported difficulties fulfilling existing contracts and temporary shortages of the company’s bakery products in stores.”8 The company reverted to manual processing of orders but does not know when it will be able to restore its digital systems.
10. Russia’s APT28 Exploits Microsoft Office Security Flaw. On 26 January Microsoft published a warning about a security flaw in Microsoft Office. The original attacker is unknown, however on 29 January Russia’s APT28 “cyber-espionage group began abusing [the] recently patched Microsoft vulnerability to steal emails and deploy malicious payloads against organizations in Central and Eastern Europe. … The attacks rely on specially crafted Rich Text Format (RTF) documents to trigger the vulnerability and kick off a multistage infection chain that delivers different malicious payloads.”9 “Social engineering lures were crafted in both English and localized languages, (Romanian, Slovak and Ukrainian) to target the users in the respective countries.”10
People’s Republic of China (PRC)
11. ‘Salt Typhoon’ Hacked Phones of Senior Downing St Officials. UK intelligence sources say the compromise was extensive, ‘stretching back to 2021’. Senior aides around former Prime Ministers Boris Johnson, Liz Truss, and Rishi Sunak were targeted, although it is unknown if the PMs themselves were targeted. In addition to the PRC’s ‘Salt Typhoon’ attacking telecommunications systems, “there were “many” separate attacks on Downing Street staff phones and wider government communications, particularly during Sunak’s time in office.”11 The Register noted the most difficult challenge may be proving the attackers are no longer there.
12. Notepad++ Update Server Hacked By PRC Hackers. The maintainer of the open-source note-taking software Notepad++ said “a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update.”12 Only targeted users were redirected to a fake update server. “The general consensus [of cyber security researchers] is that most Notepad++ users were unaffected by this supply chain attack, as the attackers targeted only a small and highly specific group of targets. … the attackers targeted individuals located in Vietnam, El Salvador and Australia; a government organization located in the Philippines; a financial organization located in El Salvador; and a Vietnamese IT service provider.”13
13. PRC’s APT41 Targets Govt and Law Enforcement in SE Asia. Cyber security company ‘Check Point Software’ says PRC’s APT41 operated a cyber-espionage campaign in 2025, targeting government and law enforcement in South East Asia. “The attacks were highly targeted and stealthy, aimed at long-term espionage rather than disruption. The threat actors limited their infrastructure to specific countries to avoid detection and moved quickly to exploit a newly disclosed WinRAR flaw.” Targeted countries included Thailand, Indonesia, Singapore and the Philippines.14
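The Notepad++ incident above is a hijack of update traffic: the victim’s updater followed a redirect to a server the attacker controlled and accepted whatever it was handed. The defence an updater can apply on its own is to refuse any download whose final host (after redirects) is not on a fixed allowlist, and to verify the payload against a digest obtained from a source the traffic hijacker cannot alter, such as a signed manifest shipped with the previous release. The check below is an added example written for this report; it is not Notepad++’s updater or any code from its maintainer. The allowlisted host `updates.example.invalid`, the file name, the pinned digest table and the payload bytes are all constructed.

```python
"""Reject an update download unless it came from an allowlisted host over
HTTPS and its SHA-256 matches a digest pinned out-of-band.
Added example; host allowlist, file name and pinned digests are assumed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist of hosts the updater may download from. A redirect to
# any other host, as in the hijack described above, is rejected outright.
TRUSTED_HOSTS = {"updates.example.invalid"}

# Constructed stand-in for a genuine update artifact.
GENUINE_UPDATE = b"constructed genuine update archive bytes"

# Pinned digests must come from a channel the traffic hijacker cannot
# change (e.g. a manifest signed with a key shipped in the previous release).
# Here the table is populated from the constructed artifact for the example.
PINNED_SHA256 = {
    "editor-8.9.zip": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


def verify_update(final_url: str, filename: str, payload: bytes):
    """Return (accepted, reasons). `final_url` is the URL actually served
    after all redirects were followed; `payload` is the downloaded bytes.
    Every failed check is reported so the updater can log all of them."""
    reasons = []
    parsed = urlparse(final_url)
    if parsed.scheme != "https":
        reasons.append("not served over https")
    if parsed.hostname not in TRUSTED_HOSTS:
        reasons.append(f"unexpected host {parsed.hostname!r}")
    expected = PINNED_SHA256.get(filename)
    if expected is None:
        reasons.append(f"no pinned digest for {filename!r}")
    else:
        actual = hashlib.sha256(payload).hexdigest()
        # Constant-time comparison, as for any secret-bearing digest check.
        if not hmac.compare_digest(actual, expected):
            reasons.append("sha256 digest mismatch")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(verify_update("https://updates.example.invalid/editor-8.9.zip",
                        "editor-8.9.zip", GENUINE_UPDATE))
    print(verify_update("http://203.0.113.7/editor-8.9.zip",
                        "editor-8.9.zip", b"tampered archive"))
```

The host check and the digest check are independent on purpose: an attacker who controls the hosting provider can present a valid certificate for the real host name, so the digest pinned before the download is the check that actually catches a tampered artifact, while the host check catches the selective redirect the report describes.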
Pakistan vs India
14. Pakistan has launched two new cyber campaigns against the Indian government called Gopher Strike and Sheet attack. The attacks are attributed to APT 36 which
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org