Proofpoint recently identified a SugarGh0st RAT campaign targeting organizations in the United States involved in artificial intelligence efforts, including those in academia, private industry, and government service.
Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter. SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0stRAT, an older commodity trojan typically used by Chinese-speaking threat actors. SugarGh0st RAT has been historically used to target users in Central and East Asia, as first reported by Cisco Talos in November 2023.
Read more…
Source: ProofPoint
Related:
- Confucius Espionage: From Stealer to Backdoor
October 2, 2025
The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries—especially in Pakistan—using spear-phishing and malicious documents as initial access ...
- Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
September 30, 2025
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. Their observations show that Phantom Taurus’ main focus areas ...
- SVG Phishing hits Ukraine with Amatera Stealer, PureMiner
September 26, 2025
FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments. When opened, the SVG initiates the download of a password-protected archive that contains a Compiled HTML Help (CHM) ...
- Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
September 24, 2025
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. ...
- Apple’s latest iPhone security feature just made life more difficult for spyware makers
September 11, 2025
Buried in an ocean of flashy novelties announced by Apple this week, the tech giant also revealed new security technology for its latest iPhone 17 and iPhone Air devices. This new security technology was made specifically to fight against surveillance vendors and the types of vulnerabilities they rely on the most, according to Apple. The feature ...
- ICE reactivates contract with spyware maker Paragon
September 2, 2025
U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million . Shortly after, the Biden administration put the contract under review, issuing a “stop work order,” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware ...