Think Tanks
Breach intelligence, attack campaigns, and threat reports targeting the Think Tanks sector.
Think Tanks Threat Reports
FBI: North Korean 'Quishing' Campaign Exploits QR Codes to Breach US Organizations (2025)
In May and June 2025, the North Korean state-backed group Kimsuky (also tracked as APT43) ran a wave of spear-phishing against U.S. and foreign think tanks, academic institutions, and government entities built on malicious QR codes, a technique known as "quishing". The codes were embedded as images in spoofed emails, so the destination never appears as a link that the mail gateway's URL rewriting or link inspection can examine; instead, recipients were lured into scanning the code with a personal or otherwise unmanaged mobile device. The codes resolved to attacker-controlled infrastructure used for credential harvesting, cloud account takeover, and delivery of Android malware such as DocSwap. Harvesting session tokens rather than passwords alone let the operators circumvent multi-factor authentication, and the compromised identities were then used for persistence and for secondary phishing sent from breached mailboxes. The incident marks a shift toward mobile-driven spear-phishing designed to survive MFA, exploiting the gap between email security and mobile authentication as adversaries adapt to improved enterprise email defenses.
APT28 Targets Energy and Policy Sectors With Sophisticated Credential Phishing (2025)
Between February and September 2025, the Russian state-sponsored group APT28 (also tracked as BlueDelta and linked to the GRU) ran highly targeted credential-harvesting attacks against individuals in Turkish energy and nuclear agencies, a European think tank, and organizations in North Macedonia and Uzbekistan. The campaign used phishing emails with region-specific lures and fake login pages imitating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Stolen credentials were exfiltrated through disposable internet services, and victims were then redirected to the legitimate site so that nothing looked wrong. Legitimate PDF documents themed around high-profile geopolitical events served as decoy content. The operation shows how quickly nation-state phishing adapts current geopolitical tensions into credible lures for sensitive sectors, and how repeated use of trusted public infrastructure for exfiltration complicates detection, since the traffic blends in with ordinary use of those services.
Kimsuky Leverages QR Code Phishing to Target U.S. Strategic Organizations in 2025
In June 2025, the FBI identified a spear-phishing campaign by the North Korean state-backed group Kimsuky (APT43) targeting U.S. organizations involved in North Korea-related policy, research, and strategic consultancy. The emails carried malicious QR codes ("quishing") intended to make recipients at think tanks, government agencies, and academic institutions scan them with a mobile device. Scanned codes led to convincing phishing pages impersonating Microsoft 365, Okta, and other login portals that harvested credentials and cloud session tokens; a stolen session token lets the attacker reuse an already-authenticated session, which is how the campaign circumvented multi-factor authentication. Traditional email security was bypassed because the click happened on unmanaged mobile endpoints outside the mail gateway's reach, and follow-on lures were sent from compromised inboxes. The incident shows QR-code phishing becoming a routine way to sidestep conventional defenses at sensitive organizations, and it illustrates the growing weight of identity-driven attacks, advanced social engineering, and MFA-bypass techniques; the practical responses are stronger mobile device security postures and employee awareness programs that cover QR codes.
GRU’s BlueDelta Targets Energy and Research: Advanced Credential Phishing in 2025
Between February and September 2025, the Russian state-sponsored group BlueDelta (APT28, GRU) conducted a series of targeted credential-harvesting attacks against organizations in Türkiye, Europe, North Macedonia, and Uzbekistan. The phishing lures were themed as Microsoft Outlook Web Access, Google, and Sophos VPN portals, and the operators abused free hosting and tunneling services such as Webhook.site and ngrok to capture credentials and move data out. Victims were passed through multi-stage phishing chains, with legitimate PDF documents used to add credibility and evade detection, ultimately supporting Russian intelligence collection. The campaign illustrates the evolution of state-sponsored phishing, including automated credential exfiltration and growing abuse of legitimate internet infrastructure. Its focus on energy and defense sectors reflects heightened geopolitical interest and reinforces the need for robust email and identity security practices across sensitive organizations.
Microsoft 365 Under Siege: OAuth Device Code Phishing Attacks Surge in 2025
In late 2025, Microsoft 365 accounts across multiple sectors were targeted by phishing campaigns that abuse the OAuth 2.0 device authorization grant (the "device code flow"). Threat actors, including the financially motivated group TA2723 and a Russia-aligned cluster tracked as UNK_AcademicFlare, initiated the device code flow themselves and then deceived victims into entering the resulting user code on the legitimate Microsoft login page. Because the victim authenticates, and satisfies MFA, on the real portal, the authorization server issues access and refresh tokens to the party that started the flow: the attacker, who never handles a password and never has to defeat MFA directly. Those tokens give the attacker's session access to the victim's email and data. The operators used phishing kits such as SquarePhish and Graphish, with lures mimicking document sharing or salary bonus notifications to maximize engagement and scale. Notably, state-aligned campaigns sent lures from compromised government accounts to build rapport, targeting U.S. and European government, academic, and transportation sectors. These campaigns mark an escalation toward authorization abuse rather than credential theft; the surge since September 2025 shows how quickly phishing kits have adapted and why identity and cloud permissions, rather than passwords, are now the primary target.
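The grant being abused above is the OAuth 2.0 device authorization flow (RFC 8628). The following is an added example, not code from this page or from Microsoft: it simulates the three-party exchange against an in-memory authorization server so the security property is visible in code, namely that tokens go to whoever initiated the flow and holds the device_code, while the user_code can be approved by anyone who signs in. The endpoint names, client ID, scope string, victim principal, and the `allow_device_code` policy knob (standing in for a Conditional Access rule that blocks the grant) are all this example's assumptions.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628) with three parties:
an attacker-operated client, the authorization server, and a victim who signs in
on the legitimate verification page. Added example; the authorization server is
an in-memory stand-in, and `allow_device_code` is an assumed policy switch that
models a tenant rule blocking the device code grant."""

import secrets
import time


class AuthorizationServer:
    """Minimal device-flow AS: issues device/user code pairs, records which
    principal approved a user code, and exchanges the device code for tokens."""

    def __init__(self, allow_device_code: bool = True, code_ttl: float = 900.0):
        self.allow_device_code = allow_device_code   # assumed policy knob
        self.code_ttl = code_ttl                     # RFC 8628 codes expire
        self._pending: dict = {}                     # device_code -> flow state

    # Device authorization endpoint, called by whoever wants the token.
    # In the phishing case that is the attacker; no victim is involved yet.
    def device_authorization(self, client_id: str, scope: str) -> dict:
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "issued_at": time.time(), "approved_by": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # assumed
                "expires_in": int(self.code_ttl), "interval": 5}

    # The verification page: a signed-in, MFA-verified user types a user_code.
    # The AS only checks that the code exists; it cannot tell who started the flow.
    def approve(self, user_code: str, principal: str, mfa_passed: bool) -> bool:
        if not mfa_passed:
            return False
        for state in self._pending.values():
            if state["user_code"] == user_code and state["approved_by"] is None:
                state["approved_by"] = principal
                return True
        return False

    # Token endpoint, polled by the initiator. Tokens are bound to the
    # device_code holder, not to whoever typed the user_code.
    def token(self, device_code: str) -> dict:
        state = self._pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if time.time() - state["issued_at"] > self.code_ttl:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        return {"access_token": "tok-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "sub": state["approved_by"], "scope": state["scope"]}


def run_phish(allow_device_code: bool = True) -> dict:
    """Walk the exchange end to end and report what the attacker ends up holding."""
    as_ = AuthorizationServer(allow_device_code=allow_device_code)
    # 1. Attacker starts the flow for a legitimate client ID (assumed name).
    start = as_.device_authorization("legit-mail-client", "Mail.Read offline_access")
    if "error" in start:
        return {"outcome": "blocked_by_policy", "detail": start["error"]}
    # 2. Attacker polls before the lure lands: nothing to collect yet.
    first_poll = as_.token(start["device_code"])
    # 3. Lure: "enter code XXXX-XXXX at login.example/device to open the document".
    #    The victim does so on the real portal and passes real MFA.
    approved = as_.approve(start["user_code"], "analyst@thinktank.example", mfa_passed=True)
    # 4. Attacker polls again and receives tokens for the victim's mailbox.
    final = as_.token(start["device_code"])
    return {"outcome": "tokens_issued" if "access_token" in final else "failed",
            "first_poll": first_poll.get("error"), "approved": approved,
            "token_subject": final.get("sub"),
            "has_refresh_token": "refresh_token" in final}


if __name__ == "__main__":
    print(run_phish())                         # attacker ends up with the victim's tokens
    print(run_phish(allow_device_code=False))  # grant refused before any code exists
```

The point the simulation makes is that no check on the verification page can distinguish a legitimate cross-device sign-in from a phished one, because the flow is cross-device by design; the effective control is to refuse the grant (the `allow_device_code=False` path) for clients and users that have no need for it, and to alert on sign-ins that used the device code protocol.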
SmudgedSerpent 2025: Espionage Hits Policy Experts Amid Iran-Israel Tensions
Between June and August 2025, a threat cluster tracked as UNK_SmudgedSerpent ran targeted cyber espionage campaigns against U.S.-based academics and foreign policy experts. Using spear-phishing and careful social engineering built on topical Iranian political themes, the operators delivered customized malware that enabled data exfiltration and ongoing monitoring of sensitive research communications. The activity coincided with heightened Iran–Israel tensions; the intruders moved laterally inside victim networks and used encrypted C2 channels to slip past traditional security controls, exposing policy research, analysis drafts, and privileged communications. The intrusion shows how nation-state-aligned actors exploit contextual geopolitical unrest to target civilian research and policy infrastructure, raising the risk to any sector that handles sensitive knowledge and increasing demands for retroactive compliance audits and zero-trust segmentation as these techniques spread.
Iranian APTs Target US Policy Influencers in Sophisticated 2024 Phishing Campaign
In mid-2024, Iranian state-aligned advanced persistent threat (APT) actors launched a spear-phishing campaign against prominent U.S. foreign policy influencers, think tank members, and government advisors. The attackers used well-crafted, socially engineered emails and credential-harvesting pages to compromise email accounts and exfiltrate sensitive conversations. Attribution to a specific Iranian group remains uncertain, but the campaign showed strong operational security and persistence, which made detection difficult. Sensitive policy information and strategic communications were potentially exposed, raising foreign influence and espionage concerns. The campaign is part of a broader surge in highly personalized nation-state phishing against geopolitical targets and underscores the need for advanced identity protection, tighter security around internal communications, and continued vigilance in the policy and government sectors.
Chinese TA415 Breaches US Economic Policy Experts Using VS Code Remote Tunnels
In mid-2025, the China-aligned threat actor TA415 launched a spear-phishing campaign against U.S. government agencies, economic policy think tanks, and academic organizations. The attackers masqueraded as high-profile U.S. officials and sent emails containing malicious links. Through these lures TA415 set up Visual Studio Code Remote Tunnels, a legitimate remote-development feature, on victim hosts, giving the operators persistent, covert remote access that rides on Microsoft's own tunnel relay rather than on attacker-owned infrastructure. That access supported extended espionage, exfiltration of sensitive economic policy data, and evasion of endpoint and network defenses that treat the VS Code CLI and its relay traffic as benign. The case shows advanced phishing converging with legitimate remote-access tooling in a "living off the land" pattern that is expected to spread across sectors; defenders should watch for the VS Code CLI being launched in tunnel mode on hosts that have no business running it, for connections to the tunnel relay domains, and more generally for unauthorized remote connectivity and east-west movement.
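The BlueDelta entries above (Webhook.site and ngrok) and this TA415 entry (VS Code Remote Tunnels) share a defensive angle: each rides a legitimate relay or tunnelling service that leaves recognisable traces in endpoint telemetry. The following is an added example, not code from this page or from any vendor, that scans constructed process-creation and DNS-query events in a Sysmon-like JSON shape for the VS Code CLI launched in tunnel mode and for lookups of the relay domains. The indicator list is compiled for this example and should be checked against the providers' current documentation; the event field names and the sample records are constructed, not taken from the reports.

```python
"""Detection of developer-tunnel and relay-service abuse in endpoint telemetry.
Added example. Indicator patterns, event field names and sample records are this
example's assumptions; verify the domains against provider documentation."""

import fnmatch
import json
import shlex
from typing import Optional

# Relay / tunnelling services seen across the entries on this page.
# Assumption: compiled for this example, not quoted from the reports.
TUNNEL_DOMAINS = {
    "vscode_tunnel": ["tunnels.api.visualstudio.com",
                      "*.tunnels.api.visualstudio.com", "*.devtunnels.ms"],
    "ngrok": ["*.ngrok.io", "*.ngrok-free.app", "*.ngrok.app", "*.ngrok.dev"],
    "webhook_site": ["webhook.site", "*.webhook.site"],
}

# Executable names of the VS Code CLI on Windows and Unix-like hosts.
VSCODE_BINARIES = {"code", "code.exe", "code-insiders", "code-insiders.exe"}

# Constructed sample telemetry, one JSON record per line (raw string so the
# Windows paths keep their JSON escaping intact).
SAMPLE_LOG = r"""
{"event":"process_create","host":"WS-042","user":"POLICY\\jdoe","cmdline":"\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe\" tunnel --accept-server-license-terms --name WS-042"}
{"event":"process_create","host":"WS-042","user":"POLICY\\jdoe","cmdline":"\"C:\\Users\\jdoe\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe\" --reuse-window notes.md"}
{"event":"dns_query","host":"WS-042","user":"POLICY\\jdoe","query":"global.rel.tunnels.api.visualstudio.com"}
{"event":"dns_query","host":"WS-017","user":"POLICY\\asmith","query":"a1b2c3d4.ngrok-free.app"}
{"event":"dns_query","host":"WS-017","user":"POLICY\\asmith","query":"webhook.site"}
{"event":"dns_query","host":"WS-017","user":"POLICY\\asmith","query":"login.microsoftonline.com"}
{"event":"process_create","host":"SRV-01","user":"root","cmdline":"/usr/bin/code tunnel service install --accept-server-license-terms"}
"""


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def match_domain(fqdn: str) -> Optional[str]:
    """Return the indicator family a queried name belongs to, or None."""
    name = fqdn.rstrip(".").lower()
    for family, patterns in TUNNEL_DOMAINS.items():
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return family
    return None


def is_vscode_tunnel_cmd(command_line: str) -> bool:
    """True when the command line runs the VS Code CLI with the `tunnel` subcommand.
    Non-POSIX splitting keeps quoted Windows paths (with spaces) as one token."""
    try:
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        return False
    if not argv:
        return False
    exe = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return exe in VSCODE_BINARIES and "tunnel" in (a.lower() for a in argv[1:])


def scan(events: list) -> list:
    """Walk mixed events and emit one finding per matching record."""
    findings = []
    for ev in events:
        if ev.get("event") == "process_create" and is_vscode_tunnel_cmd(ev.get("cmdline", "")):
            findings.append({"host": ev["host"], "user": ev.get("user"),
                             "rule": "vscode_tunnel_process", "detail": ev["cmdline"]})
        elif ev.get("event") == "dns_query":
            family = match_domain(ev.get("query", ""))
            if family:
                findings.append({"host": ev["host"], "user": ev.get("user"),
                                 "rule": "dns_" + family, "detail": ev["query"]})
    return findings


def summarize(findings: list) -> dict:
    """Rules that fired per host, for triage against a per-host baseline."""
    by_host: dict = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return by_host


if __name__ == "__main__":
    for f in scan(parse_log(SAMPLE_LOG)):
        print(f["host"], f["user"], f["rule"], f["detail"])
```

A DNS hit on the VS Code relay alone is expected on developer workstations, so the process rule (the CLI run with the `tunnel` subcommand by a user or host with no development role) is the stronger signal; the DNS families for ngrok and Webhook.site are more useful as-is, because ordinary users rarely resolve them.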