Research Industry
Breach intelligence, attack campaigns, and threat reports targeting the Research Industry sector.
Research Industry Threat Reports
Chinese Hackers Exploit Google Workspace to Steal Sensitive Emails
Between September 2023 and November 2025, the China-linked espionage group UNC6508 infiltrated North American medical, academic, and military research networks by compromising externally facing REDCap servers. The group deployed custom malware named INFINITERED, which trojanized REDCap system files to harvest login credentials and establish persistent access. Once it held domain administrator rights, UNC6508 abused Google Workspace content compliance rules to silently BCC messages containing specific keywords to attacker-controlled Gmail addresses, exfiltrating sensitive research and defense communications without deploying additional malware or generating unusual network traffic: the copies left the environment as ordinary Gmail delivery. The case shows a state-sponsored actor exploiting a legitimate administrative feature of a cloud service for stealthy exfiltration. Defenders should audit and alert on changes to mail routing, content compliance, and forwarding settings, and treat any rule that adds recipients outside the organization's own domains as suspect until verified.
1 week ago
Kill Chain
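The silent-BCC abuse above is the kind of misconfiguration an administrator can find by reviewing exported mail-routing rules. The following is an added example, not code from the report or from Google; the rule objects are a constructed, simplified representation (rule name, matched keywords, added recipients, whether the original recipient still gets the message), not the Google Workspace Admin API schema. ORG_DOMAINS and the sample rules are assumptions for the demonstration.

```python
"""Audit mail-routing / content compliance rules for recipients outside the org.

Added example. The rule shape below is a constructed simplification; export
your real content compliance rules and map them onto it before running.
"""
import json

# Assumption: the organization's own mail domains (subdomains are treated as internal)
ORG_DOMAINS = {"example.edu"}

# Constructed sample rules; the second one mirrors the abuse described in the report
SAMPLE_RULES_JSON = """
[
  {"name": "Archive legal hold", "match": ["contract", "NDA"],
   "actions": {"add_recipients": ["archive@example.edu"], "deliver_to_original": true}},
  {"name": "Research export review", "match": ["grant", "proposal", "DARPA"],
   "actions": {"add_recipients": ["review-team@example.edu", "backup.mail.2023@gmail.com"],
               "deliver_to_original": true}},
  {"name": "Spam quarantine", "match": ["lottery"],
   "actions": {"add_recipients": [], "deliver_to_original": false}}
]
"""


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_internal(address, org_domains=ORG_DOMAINS):
    """True if the address belongs to an org domain or one of its subdomains.

    The suffix check requires a leading dot so that 'example.edu.evil.com'
    is NOT accepted as internal.
    """
    d = domain_of(address)
    return any(d == od or d.endswith("." + od) for od in org_domains)


def find_external_bcc_rules(rules, org_domains=ORG_DOMAINS):
    """Flag every rule whose actions add a recipient outside the org domains."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external = [a for a in actions.get("add_recipients", [])
                    if not is_internal(a, org_domains)]
        if external:
            findings.append({
                "rule": rule["name"],
                "external_recipients": external,
                "keywords": rule.get("match", []),
                # 'silent' means the original recipient still receives the mail,
                # so nothing looks wrong from the user's side.
                "silent": bool(actions.get("deliver_to_original", False)),
            })
    return findings


def audit(rules_json=SAMPLE_RULES_JSON, org_domains=ORG_DOMAINS):
    """Parse the exported rules and return the list of findings."""
    return find_external_bcc_rules(json.loads(rules_json), org_domains)


if __name__ == "__main__":
    for f in audit():
        print(f"[!] rule {f['rule']!r} copies mail matching {f['keywords']} "
              f"to {f['external_recipients']} (silent={f['silent']})")
```

Run it against a periodic export and diff the findings against the previous run; a new external recipient on a keyword-matching rule is the signal this incident would have produced.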
Marimo 2026 Pre-Auth RCE Exploit: A Wake-Up Call for Rapid Patch Management
In April 2026, a critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-39987, was disclosed in Marimo, an open-source Python notebook platform. The flaw allowed unauthenticated attackers to obtain a shell on the host through the /terminal/ws WebSocket endpoint, bypassing the platform's authentication. Exploitation was observed within 10 hours of public disclosure, with attackers stealing credentials and performing reconnaissance on compromised hosts. The vulnerability affected all Marimo versions up to 0.20.4 and was patched in version 0.23.0. The incident shows how quickly disclosed vulnerabilities are weaponized: internet-exposed notebook and development platforms should be patched promptly, kept behind authentication or a VPN, and, once a fix is applied, checked for earlier access to the vulnerable endpoint, since a 10-hour window is shorter than most patch cycles.
2 months ago
Kill Chain
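After patching, the practical question is whether anyone reached /terminal/ws before the fix. The script below is an added example, not Marimo project code: it walks access-log lines in nginx "combined" format, keeps only hits on the endpoint named in the report, and reports which of them completed the WebSocket upgrade (HTTP 101) from outside the internal address ranges. The log lines, client addresses, user agents, and INTERNAL_NETS are constructed assumptions.

```python
"""Find access-log hits on Marimo's /terminal/ws endpoint after the fact.

Added example. Log lines are constructed; replace SAMPLE_LOG with your
reverse-proxy access log and INTERNAL_NETS with your own ranges.
"""
import ipaddress
import re

# nginx 'combined' log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the organization's internal ranges; anything else is 'external'
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

TERMINAL_PATH = "/terminal/ws"   # endpoint named in the report

# Constructed sample: normal notebook traffic, then two terminal sessions
# from one external host and a rejected attempt from another.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:09:14:02 +0000] "GET /notebook HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2026:09:14:03 +0000] "GET /ws?session_id=abc HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.77 - - [02/Apr/2026:17:41:10 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "python-websockets/12.0"
203.0.113.77 - - [02/Apr/2026:17:41:12 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "python-websockets/12.0"
198.51.100.9 - - [02/Apr/2026:17:45:00 +0000] "GET /terminal/ws HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip):
    """True unless the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source field: treat as suspicious
    return not any(addr in net for net in INTERNAL_NETS)


def find_terminal_hits(log_text):
    """All requests whose path (query string stripped) is the terminal endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] != TERMINAL_PATH:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            # 101 Switching Protocols means the WebSocket (and shell) was established
            "upgraded": rec["status"] == "101",
            "external": is_external(rec["ip"]),
            "ua": rec["ua"],
        })
    return hits


def summarize(log_text=SAMPLE_LOG):
    """Counts a responder wants first: total hits, shells opened, external sources."""
    hits = find_terminal_hits(log_text)
    return {
        "total": len(hits),
        "sessions_opened": sum(1 for h in hits if h["upgraded"]),
        "external_sources": sorted({h["ip"] for h in hits if h["external"] and h["upgraded"]}),
    }


if __name__ == "__main__":
    print(summarize())
```

A non-empty external_sources list means the host should be treated as compromised and the credentials it held rotated, regardless of whether the patch is now in place.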
Wikipedia's 2026 JavaScript Worm Attack: A Case Study
On March 5, 2026, the Wikimedia Foundation experienced a significant security incident in which a self-propagating JavaScript worm spread across multiple Wikipedia projects. The attack originated from a malicious script on the Russian Wikipedia which, when executed, modified global JavaScript files, leading to widespread page vandalism and unauthorized script changes. Wikimedia engineers temporarily restricted editing across the affected projects while they investigated, removed the malicious code, and restored normal operations. The incident shows that site-wide JavaScript on collaborative platforms remains an attractive target for self-replicating scripts: interface-level scripts need tightly restricted edit rights, change review, and monitoring, together with a response plan that can halt propagation quickly.
3 months ago
Kill Chain
University of Hawaiʻi Cancer Center's 2025 Ransomware Attack: A Wake-Up Call for Research Institutions
In August 2025, the University of Hawaiʻi Cancer Center's Epidemiology Division suffered a ransomware attack that encrypted, and potentially exfiltrated, sensitive data. The breach affected approximately 1.24 million individuals, exposing personal information including Social Security numbers, driver's license numbers, and health-related data. The university engaged cybersecurity experts and negotiated with the attackers to obtain a decryption tool and assurances that the stolen data was destroyed. There was no impact on clinical operations, patient care, or student records. ([hawaii.edu](https://www.hawaii.edu/news/2026/02/27/notice-of-cyberattack-uh-cancer-center/?utm_source=openai)) The incident underscores the growing ransomware threat to research institutions and the need for strong controls around sensitive personal and health data, including backups that survive encryption and an inventory of where participant data is held.
3 months ago
Kill Chain
APT37's Ruby Jumper Campaign: A New Threat to Air-Gapped Networks
In December 2025, the North Korean state-sponsored group APT37, also known as ScarCruft, ran the 'Ruby Jumper' campaign against air-gapped networks. The intrusion chain began with victims opening malicious Windows shortcut (LNK) files, which ran PowerShell scripts to deploy a set of malware tools: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. These tools handled initial infection, established command-and-control through Zoho WorkDrive, and spread across removable media to reach isolated systems. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/?utm_source=openai)) The campaign shows that an air gap alone does not stop a determined espionage actor: organizations running isolated networks should control and scan removable media at the boundary, restrict LNK files arriving by email and download, and watch for legitimate cloud file-sharing services being used as C2 channels on the connected side.
3 months ago
Kill Chain
La Sapienza University Ransomware Attack: A 2026 Case Study
In early February 2026, La Sapienza University in Rome, one of Europe's largest universities, suffered a significant cyberattack attributed to the pro-Russian group Femwar02. The attackers deployed the BabLock (also known as Rorschach) ransomware, encrypting critical data and disrupting numerous IT services. The university shut down its network to protect data integrity and began restoration with the assistance of Italy's National Cybersecurity Agency. ([techcrunch.com](https://techcrunch.com/2026/02/05/one-of-europes-largest-universities-knocked-offline-for-days-after-cyberattack/?utm_source=openai)) The incident underscores the escalating ransomware threat to universities and the need for network segmentation and tested recovery plans, so that a single intrusion cannot take an entire institution offline for days.
4 months ago
Kill Chain
Spain's Ministry of Science 2026 Data Breach: A Wake-Up Call for Government Cybersecurity
In early February 2026, Spain's Ministry of Science, Innovation, and Universities suffered a significant security incident. A threat actor known as 'GordonFreeman' claimed to have chained an Insecure Direct Object Reference (IDOR) vulnerability with leaked credentials to obtain full administrative access to the ministry's systems. The attacker allegedly exfiltrated sensitive data, including personal records, email addresses, enrollment applications, and official documents. The ministry partially shut down its IT systems, disrupting services for researchers, universities, and students, and suspended all ongoing administrative procedures while it assessed and contained the breach. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/?utm_source=openai)) The claimed exploit is a reminder that authentication is not authorization: every request for a record identified by a client-supplied ID must be checked server-side against the caller's rights, and leaked credentials should be assumed to be in use until they are rotated and protected by multifactor authentication.
4 months ago
Kill Chain
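The IDOR class named above is easiest to see as two versions of the same lookup. The following is an added example illustrating the vulnerability and its fix in plain Python; it is not the ministry's code, and the in-memory APPLICATIONS records, user names, and admin role are constructed for the demonstration. enumerate_ids plays the attacker walking sequential IDs with one ordinary account and reports which records a given fetch function disclosed.

```python
"""IDOR: a lookup that trusts the client-supplied ID, beside the fixed version.

Added example. Records and users are constructed; the pattern is the point.
"""

# Constructed records: enrollment applications keyed by a sequential integer ID
APPLICATIONS = {
    1001: {"owner": "alice", "doc": "alice-transcript.pdf"},
    1002: {"owner": "bob",   "doc": "bob-transcript.pdf"},
    1003: {"owner": "carol", "doc": "carol-transcript.pdf"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_application_vulnerable(session_user, app_id):
    """VULNERABLE: authenticated, but never asks whether the record is the caller's.

    Any logged-in user who guesses or increments app_id reads everyone's data.
    """
    return APPLICATIONS[app_id]


def get_application_fixed(session_user, app_id, admins=frozenset()):
    """FIXED: authorization is decided server-side from the session, not the request.

    'Missing' and 'not yours' return the same error so the ID space cannot be
    enumerated by observing which IDs exist.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or (record["owner"] != session_user and session_user not in admins):
        raise Forbidden("application not found")
    return record


def enumerate_ids(fetch, session_user, id_range):
    """Simulate an attacker walking IDs; return the IDs that leaked another user's record."""
    leaked = []
    for app_id in id_range:
        try:
            rec = fetch(session_user, app_id)
        except (KeyError, Forbidden):
            continue
        if rec["owner"] != session_user:
            leaked.append(app_id)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", enumerate_ids(get_application_vulnerable, "bob", ids))
    print("fixed leaks:     ", enumerate_ids(get_application_fixed, "bob", ids))
```

The admins parameter covers the second half of the report's claim: leaked administrative credentials defeat the ownership check by design, which is why rotating them and requiring a second factor matters as much as the code fix.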
2025 University of Hawaii Cancer Center Ransomware Breach: Research Data Compromised
In August 2025, the University of Hawaii Cancer Center suffered a ransomware incident in which threat actors encrypted systems associated with a specific research project. Files were exfiltrated and encrypted; some dated back to the 1990s and held research participant data containing Social Security numbers, predating modern de-identification practices. Only research files were affected, not clinical or patient treatment data, but the disruption required a comprehensive remediation effort: system replacements, forensic investigation, a ransom payment for a decryptor, and negotiation over deletion of the exfiltrated data. The incident shows ransomware actors targeting higher-education and research organizations for both data and money. Because universities hold decades-old PII that no current project needs, an inventory of legacy data and enforced retention limits are as much a security control as detection and response.
5 months ago
Kill Chain
GRU’s BlueDelta Targets Energy and Research: Advanced Credential Phishing in 2025
Between February and September 2025, the Russian state-sponsored group BlueDelta (APT28, attributed to the GRU) ran a series of targeted credential-harvesting attacks against organizations in Türkiye, North Macedonia, Uzbekistan, and elsewhere in Europe. The attackers used phishing lures themed as Microsoft Outlook Web Access, Google, and Sophos VPN portals, and abused free hosting and tunneling services such as Webhook.site and ngrok to capture credentials and exfiltrate data. Victims were redirected through multi-stage phishing chains, and legitimate PDF documents were used to lend credibility and evade detection, in support of Russian intelligence collection. The campaign shows state-sponsored phishing maturing toward automated credential exfiltration over legitimate internet infrastructure. Its focus on energy and defense organizations reflects geopolitical priorities and reinforces the need for phishing-resistant multifactor authentication and for egress monitoring of tunneling and webhook services in sensitive organizations.
5 months ago
Kill Chain
ESA 2024 External Server Breach: Lessons on Third-Party and Perimeter Security
In June 2024, the European Space Agency (ESA) confirmed a security incident involving unauthorized access to external servers outside its core corporate IT network. The servers held unclassified information tied to ESA's collaborative engineering activities. The breach was detected and announced on June 24; the agency took the compromised servers offline to contain the incident and opened an internal investigation. No critical or classified ESA infrastructure was reported affected, and mission operations continued normally. The case illustrates the risk carried by externally accessible systems used for partner collaboration: attackers increasingly target non-core systems as a foothold for lateral movement, so such assets need segmentation from the core network, their own monitoring, and continuous risk assessment.
5 months ago
Kill Chain
ForumTroll APT Strikes Again: Russian Political Scientists Hit by Sophisticated Phishing Scheme
In October 2025, the ForumTroll advanced persistent threat (APT) group ran a spear-phishing campaign against Russian political science scholars and researchers. Victims received personalized emails disguised as plagiarism report notifications from a fake scientific library domain, prompting them to download a malicious archive. Opening the archive triggered a PowerShell-based attack chain that ended in the deployment of the Tuoni red-teaming framework via a custom obfuscated loader, with persistence achieved through COM hijacking. Attacker infrastructure included typosquatted domains and Fastly-based C2 servers. The campaign shows APT actors investing in highly targeted social engineering even when the technical tooling is modest. Defenders face persistent, multi-phase campaigns that mix commercial and bespoke toolkits, which raises the value of detecting PowerShell-launched loaders and COM hijacking persistence, and of user training tuned to the lures a given community actually receives.
5 months ago
Kill Chain
ForumTroll Launches Sophisticated Phishing Attack on Russian Scholars Using Fake eLibrary Emails
In October 2025, Operation ForumTroll, a previously identified threat actor, ran a targeted phishing campaign against Russian academic and scholarly communities. Convincingly crafted emails impersonating official eLibrary notifications carried malicious attachments designed to harvest credentials and enable broader espionage. The campaign, identified by Kaspersky, marks a tactical shift from prior attacks on organizations to focused targeting of individuals, raising concerns about the security posture of research and educational institutions in the region. It illustrates the trend of phishing that leans on trusted brands and social engineering to get past traditional defenses; the focus on scholars points to espionage-motivated collection of research data and argues for user education, multifactor authentication, and anomaly detection around credential use.
5 months ago
Kill Chain