Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
2026-02-13 16:23 | Severity: CRITICAL | HIGH
Executive Summary (AI-generated)
The coordinated cyber operations against the defense industrial base (DIB) sector are attributed to state-sponsored actors from China, Iran, North Korea, and Russia. Their targeting centers on four themes: disrupting Ukraine's military efforts in the Russia-Ukraine War; targeting defense employees through direct approaches and, in the case of non-state actors, through exploitation of hiring processes; using edge devices as initial access pathways, particularly by China-nexus groups; and compromising supply chains through breaches of the manufacturing base. Notable threat actors linked to this activity include APT44 (Sandworm), which attempted to exfiltrate information from encrypted messaging applications in Ukraine, while others used questionnaires hosted on Google Forms to conduct reconnaissance against prospective drone operators and distributed malware such as MESSYFORK to unmanned aerial vehicle operators.
Technical Mitigations (AI-generated)
* Implement a secure patching mechanism: Regularly update and patch software, operating systems, and applications to prevent exploitation of known vulnerabilities.
* Use multi-factor authentication (MFA): Require two or more forms of verification, such as passwords, biometric data, and one-time codes, to access sensitive areas or services.
* Monitor network traffic for suspicious activity: Use intrusion detection and prevention systems (IDPS) to monitor network traffic for signs of unauthorized access, malware, or other malicious activity.
* Use a virtual private network (VPN): Establish a secure, encrypted connection between devices and the internet by using a VPN. This can help protect against eavesdropping and man-in-the-middle attacks.
* Keep software and operating systems up-to-date: Ensure that all installed software and operating systems are current with the latest security patches and updates to prevent exploitation of known vulnerabilities.
Intelligence Metadata
Campaigns: Operation Dream Job
Actors: Mustang Panda, Volt Typhoon, Kimsuky, APT41, APT42, Lazarus Group, APT5, Andariel
CVEs: CVE-2025-8088
Target Regions & Sectors
Regions: DPRK, DACH, MIDDLE_EAST, CIS
Sectors: aerospace, automotive, energy, defense, government, telecommunications, manufacturing, aviation
Incident Timeline
late 2023
UNC6508, a China-nexus threat cluster, targeted a U.S.-based research institution by leveraging a REDCap exploit to drop a custom malware named INFINITERED, which is capable of persistent remote access and credential theft after intercepting the application's software upgrade process. (Source region: China.)
December 2025
The activity was flagged in December 2025 by Huntress.
2026-01-13
Praetorian devised a proof-of-concept (PoC) model extraction attack in which a replica model achieved an accuracy rate of 80.1% simply by sending a series of 1,000 queries to the victim's API, recording the outputs, and training the replica on them for 20 epochs. (Metrics: 80.1% accuracy, 1,000 queries, 20 epochs.)
Feb 12, 2026
Google linked China, Iran, Russia, and North Korea to coordinated cyber operations against the defense sector.
2026-02-13
North Korea-linked threat actor UNC2970 used Google Gemini's API to conduct reconnaissance on targets. UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that's tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra.

Related reporting: "Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations" and "Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support."

"The campaigns against defense contractors in Ukraine, threats to or exploitation of defense personnel, the persistent volume of intrusions by China-nexus actors, and the hack, leak, and disruption of the manufacturing base are some of the leading threats to this industry today."

Other state-backed actors that Google reported using Gemini include:
* HEX or Mustang Panda (China), to compile a dossier on specific individuals, including targets in Pakistan, and to gather operational and structural data on separatist organizations in various countries.
* APT41 (China), to extract explanations from open-source tool README.md pages, as well as troubleshoot and debug exploit code.
* UNC795 (China), to troubleshoot their code, conduct research, and develop web shells and scanners for PHP web servers.
* APT42 (Iran), to facilitate reconnaissance and targeted social engineering by crafting personas that induce engagement from the targets, as well as develop a Python-based Google Maps scraper, develop a SIM card management system in Rust, and research the use of a proof-of-concept (PoC) for a WinRAR flaw (CVE-2025-8088).

Google also said it detected a malware called HONESTCUE that leverages Gemini's API to outsource functionality generation for the next stage, along with an AI-generated phishing kit codenamed COINBAIT that's built using Lovable AI and masquerades as a cryptocurrency exchange for credential harvesting.

"HONESTCUE is a downloader and launcher framework that sends a prompt via Google Gemini's API and receives C# source code as the response," it said. "However, rather than leveraging an LLM to update itself, HONESTCUE calls the Gemini API to generate code that operates the 'stage two' functionality, which downloads and executes another piece of malware. The fileless secondary stage of HONESTCUE then takes the generated C# source code received from the Gemini API and uses the legitimate .NET CSharpCodeProvider framework to compile and execute the payload directly in memory, thereby leaving no artifacts on disk."

Google has also called attention to a recent wave of ClickFix campaigns that leverage the public sharing feature of generative AI services to host realistic-looking instructions to fix a common computer issue and ultimately deliver information-stealing malware.
Feb 13, 2026
The threat actors involved in the incident targeted aerospace and defense contractors and their employees with tailored phishing lures.

Some of the notable threat actors that have participated in the activity include:
* APT44 (aka Sandworm) has attempted to exfiltrate information from Telegram and Signal encrypted messaging applications, likely after securing physical access to devices obtained during on-ground operations in Ukraine. This includes the use of a Windows batch script called WAVESIGN to decrypt and exfiltrate data from Signal's desktop app. It has used a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone operators, and distributed via messaging apps malware like MESSYFORK (aka COOKBOX) to an Unmanned Aerial Vehicle (UAV) operator based in Ukraine.
* UNC5125 (aka FlyingYeti and UAC-0149) has conducted highly targeted campaigns focusing on frontline drone units. Another tactic employed by the group is the use of ClickFix to deliver the TINYWHALE downloader that, in turn, drops the MeshAgent remote management software. UNC5125 is also said to have leveraged an Android malware called GREYBATTLE, a bespoke version of the Hydra banking trojan, to steal credentials and data by distributing it via a website spoofing a Ukrainian military artificial intelligence company.
* UNC5114, a suspected Russian espionage cluster, has delivered a variant of an off-the-shelf Android malware called CraxsRAT by masquerading it as an update for Kropyva, a combat control system used in Ukraine. The threat actor has also leveraged an Android malware called STALECOOKIE that mimics Ukraine's battlefield management platform DELTA to steal browser cookies.
* UNC6096, a Russian espionage cluster, has conducted malware delivery operations via WhatsApp using DELTA-related themes to deliver a malicious LNK shortcut within an archive file that downloads a secondary payload.
* TEMP.Vermin (aka UAC-0020) has used malware like VERMONSTER, SPECTRUM (aka SPECTR), and FIRMACHAGENT with lure content revolving around drone production and development, anti-drone defense systems, and video surveillance security systems.
* APT45 (aka Andariel) has targeted South Korean defense, semiconductor, and automotive manufacturing entities with SmallTiger malware.
* APT43 (aka Kimsuky) has likely leveraged infrastructure mimicking German and U.S. defense-related entities to deploy a backdoor called THINWAVE.
* UNC2970 (aka Lazarus Group) has conducted the Operation Dream Job campaign to target aerospace, defense, and energy sectors, in addition to relying on artificial intelligence (AI) tools to conduct reconnaissance on its targets. The group is known to orchestrate Lazarus Group-style Dream Job campaigns to trick users into executing malware or giving up credentials under the guise of legitimate employment opportunities.
* UNC1549 (aka Nimbus Manticore) has targeted aerospace, aviation, and defense industries in the Middle East with malware families like MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD.
* APT5 (aka Keyhole Panda and Mulberry Typhoon) has targeted current and former employees of major aerospace and defense contractors with tailored phishing lures.
* UNC3236 (aka Volt Typhoon) has conducted reconnaissance activity against publicly hosted login portals of North American military and defense contractors, while using the ARCMAZE obfuscation framework to conceal its origin.

Attacks aimed at Android devices have been found to deliver malware called GALLGRAB that collects locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.

In addition, Google said it has also observed China-nexus threat groups utilizing operational relay box (ORB) networks for reconnaissance against defense industrial targets, thereby complicating detection and attribution efforts.

"Further, the 'evasion of detection' trend [...] continues, as actors focus on single endpoints and individuals, or carry out intrusions in a manner that seeks to avoid endpoint detection and response (EDR) tools altogether."
Tactical Metrics
Affected products:
* Android: STALECOOKIE (mimics the DELTA battlefield management platform), CraxsRAT (masquerading as a Kropyva update), GREYBATTLE (a bespoke Hydra variant), and GALLGRAB; see the incident timeline for details.
* Windows: the WAVESIGN batch script used to decrypt and exfiltrate data from Signal's desktop app.
* WinRAR: CVE-2025-8088, the WinRAR flaw whose proof-of-concept (PoC) APT42 researched using Gemini.
Intelligence Sources
* The Hacker News, 2026-02-12
* The Hacker News, 2026-02-13
Last Updated: 2026-04-27T06:55
Comprehensive Tactical Telemetry
Highly Correlated Entities (mentions, category, entity):
* 40x organisation, identified entity: Google
* 11x target region, target country: China
* 8x industry, targeted sector: Defense
* 8x threat actor, APT group: Andariel
* 7x timeline, temporal reference: late 2023
* 6x attribution, attributing entity: DIB
* 6x tactic, cyber operation type: Reconnaissance
* 5x source region, origin country: China
* 3x tactic, MITRE ATT&CK technique: T1588.001 - Malware
* 3x general metric: Feb 13
* 3x infrastructure, affected product: Android
* 2x target region: DPRK
Contextual Telemetry
Context Block (7 metrics):
* source region, origin region: DPRK
* campaign: Operation Dream Job
* vulnerability, exploited CVE: CVE-2025-8088
* general metric: 80%
* general metric: 1,000 queries
* general metric: 20 epochs
* general metric: 100,000 prompts