China-nexus Threat Actor Targets Arabian Gulf Region With PlugX
IntroductionOn March 1, 2026, ThreatLabz observed new activity from a China-nexus threat actor targeting countries in the Arabian Gulf region. The activity took place within the first 24 hours of the renewed conflict in the Middle East. The threat actor quickly weaponized the theme of the conflict, using an Arabic-language document ... Read More
China-nexus Threat Actor Targets Persian Gulf Region With PlugX
IntroductionOn March 1, 2026, ThreatLabz observed new activity from a China-nexus threat actor targeting countries in the Persian Gulf region. The activity took place within the first 24 hours of the renewed conflict in the Middle East. The threat actor quickly weaponized the theme of the conflict, using an Arabic-language document ... Read More
Dust Specter APT Targets Government Officials in Iraq
IntroductionIn January 2026, Zscaler ThreatLabz observed activity by a suspected Iran-nexus threat actor targeting government officials in Iraq. ThreatLabz discovered previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. Due to significant overlap in tools, techniques, and procedures (TTPs), as well as victimology, between this campaign and activity associated with Iran-nexus APT groups, ThreatLabz assesses ... Read More
APT28 Leverages CVE-2026-21509 in Operation Neusploit
IntroductionIn January 2026, Zscaler ThreatLabz identified a new campaign in-the-wild, tracked as Operation Neusploit, targeting countries in the Central and Eastern European region. In this campaign, the threat actor leveraged specially crafted Microsoft RTF files to exploit CVE-2026-21509 and deliver malicious backdoors in a multi-stage infection chain. Due to significant overlaps in ... Read More
APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
IntroductionIn September 2025, Zscaler ThreatLabz identified two campaigns, tracked as Gopher Strike and Sheet Attack, by a threat actor that operates in Pakistan and primarily targets entities in the Indian government. In both campaigns, ThreatLabz identified previously undocumented tools, techniques, and procedures (TTPs). While these campaigns share some similarities with the Pakistan-linked Advanced Persistent ... Read More
COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX
IntroductionIn September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group, COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, ... Read More
