Recent campaigns of digital espionage and sabotage, uncovered by independent researchers and cybersecurity groups, reveal a worrying evolution of threats: state-sponsored actors are directly targeting supply chains and transport infrastructure by exploiting vulnerabilities in cloud services, remote management systems and third-party providers. In particular, the Threat Research Unit at Acronis has identified a shift in the strategy of Silk Typhoon, a cyber espionage group believed to be linked to China, which has started to focus on the logistics sector. The group uses compromised credentials, stolen API keys and unpatched vulnerabilities to gain quiet, persistent access to cloud environments, and erases logs to reduce the chances of detection.
What is particularly alarming for the transport sector is the systematic use of public repositories such as GitHub, which attackers search for leaked credentials (API keys, tokens and passwords committed by mistake) and then use to launch targeted attacks. According to Acronis, the systems used for logistics management, fleet monitoring and delivery planning can thus become privileged gateways for industrial espionage or operational sabotage.
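The defensive counterpart to that repository hunting is to scan your own code for the same things the attackers look for before they do. The following is an added example written for this article, not Acronis tooling or code from any of the groups described: a small secret scanner that matches well-known fixed-format credentials (the AWS and GitHub prefixes are the vendors' documented ones) and uses Shannon entropy to tell a real value in an `api_key = "..."` assignment from a placeholder. The sample repository contents are constructed for the example; the AWS key id is the one AWS itself uses in its documentation.

```python
from __future__ import annotations

import math
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    excerpt: str  # redacted: only the first four characters survive


# Fixed-format credentials: the prefixes are the vendors' documented ones.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic `api_key = "..."` style assignments; the value is judged by entropy,
# which is how unstructured secrets are separated from placeholders.
GENERIC = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*['"]([^'"\s]{16,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random 16+ character tokens sit well above this


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Keep enough to locate the secret in the file, never enough to use it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
        for match in GENERIC.finditer(line):
            name, value = match.group(1).lower(), match.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, f"high_entropy_{name}", redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content (a working tree, or one commit's blobs)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample tree. The AWS key id is the one AWS uses in its own documentation;
# the other values are made up for this example.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_KEY = "q8Zr2pL0mXv7Kd3nWb5Ty1Hc"\n'
        "DEBUG = True\n"
    ),
    ".env.example": 'PASSWORD="hunter2hunter2hunter2hunter2"\n',  # low entropy: a placeholder
    "scripts/deploy.sh": (
        "git clone https://ghp_0123456789abcdefghijABCDEFGHIJ012345"
        "@github.com/example/fleet-dashboard.git\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
```

Two practical points follow from how attackers use this. A scan of the current tree is not enough, because a key deleted in a later commit is still in the history; run the scanner over every commit's blobs (or use the hosting platform's secret scanning, which does). And a leaked key is handled by rotating it, not by rewriting history: assume it was harvested within minutes of the push.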
Another serious threat has emerged from Eastern Europe: a large-scale campaign targeting telecommunications operators in China and on the west coast of the United States. Its goal is to install malicious software that steals data, blocks remote access and harnesses the computing power of infected systems for cryptocurrency mining. The operators use scripting languages such as PowerShell and Python to stay under the radar, and rely on encrypted messaging services to control compromised systems remotely. Once access is gained, the malware installs itself in an innocuous-looking directory (one named "Migration" is reported), disables security tools, scans the network and even intercepts cryptocurrency wallet addresses copied to users' clipboards, a technique known as clipboard hijacking, in which the copied address is silently replaced by the attacker's own.
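Clipboard hijacking leaves a behavioural trace that is easy to check for: the clipboard holds one wallet address, and a fraction of a second later holds a different address of the same kind without the user having copied anything. The following is an added example, not code from the reported campaign or from the researchers who described it: a detector that runs over a sequence of clipboard snapshots (as a polling agent would record them) and flags exactly that swap. The address strings and the snapshot timeline are constructed for the example; the address shapes are deliberately loose, since the goal is to spot the replacement, not to validate checksums.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Loose shapes of the address formats clippers typically target. They are applied with
# fullmatch because a clipper replaces the whole clipboard payload, not a substring.
ADDRESS_SHAPES = {
    "btc": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


class SwapAlert(NamedTuple):
    at: float          # time of the snapshot that showed the swapped value
    kind: str
    original: str      # what the user copied
    replacement: str   # what the clipboard held moments later


def classify_address(value: str) -> str | None:
    """Return 'btc', 'eth' or None for a clipboard payload."""
    text = value.strip()
    for kind, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(text):
            return kind
    return None


def detect_clipper_swaps(snapshots, window_seconds: float = 2.0) -> list[SwapAlert]:
    """Flag a wallet address replaced by a different address of the same kind within
    `window_seconds`. A person re-copying a new payee takes longer than that; a clipper
    rewrites the clipboard as soon as it sees the address, usually within a second.
    `snapshots` is an iterable of (unix_time, clipboard_text) pairs from a poller."""
    alerts: list[SwapAlert] = []
    prev: tuple[float, str, str | None] | None = None
    for ts, value in snapshots:
        kind = classify_address(value)
        if prev is not None:
            prev_ts, prev_value, prev_kind = prev
            if (
                kind is not None
                and kind == prev_kind
                and value.strip() != prev_value.strip()
                and ts - prev_ts <= window_seconds
            ):
                alerts.append(SwapAlert(ts, kind, prev_value.strip(), value.strip()))
        prev = (ts, value, kind)
    return alerts


# Example addresses of the right shape (illustrative strings, not real payees).
ETH_A = "0xa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
ETH_B = "0x" + "deadbeef" * 5
BTC_A = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
BTC_B = "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3"

# Constructed clipboard poll: (seconds, clipboard text).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Tuesday"),
    (5.0, ETH_A),    # user copies a payee's address
    (5.3, ETH_B),    # 300 ms later the clipboard holds a different address: clipper
    (30.0, BTC_A),
    (30.2, BTC_B),   # same pattern for a bitcoin address
    (60.0, ETH_A),
    (95.0, ETH_B),   # 35 s apart: a plausible second copy, not flagged
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert.at}: {alert.kind} address {alert.original} -> {alert.replacement}")
```

The window is the only tuning knob. Too wide and a user who copies two addresses in a row trips it; too narrow and a clipper that polls slowly slips through. On a real host the same logic belongs in whatever already watches the clipboard (an EDR sensor or a small agent), and the finding that matters is not the alert itself but the process that wrote the replacement.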
In Southeast Asia, the Chinese APT group known as Lotus Panda, active since at least 2009, has upgraded its digital arsenal with new variants of the Sagerunex malware. Targets include government agencies, telecom operators and manufacturing companies in countries and territories such as the Philippines, Vietnam, Hong Kong and Taiwan. One of the most insidious developments is the use of legitimate platforms such as Dropbox, X and Zimbra to conceal command-and-control traffic: instructions are sent via email or draft files, so the traffic blends in with ordinary use of those services and is extremely difficult to detect. The attack infrastructure is further supported by tools for cookie theft, proxy tools such as Venom, and utilities designed for privilege escalation.
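When command-and-control rides on Dropbox or X, blocking the destination is not an option and the content is legitimate API traffic, so what remains is the rhythm of the client. The following is an added example, not Cisco Talos or Lotus Panda code and not a signature for Sagerunex: a beaconing check that groups proxy records by source, destination host and user agent and flags groups whose inter-arrival times are nearly constant. The log format and the records are constructed for the example (key=value fields, with the user agent quoted); the set of relay hosts is an assumption to be replaced with the services actually in use in a given environment.

```python
from __future__ import annotations

import shlex
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

# Legitimate services that also get used as C2 relays. They cannot simply be blocked,
# so the remaining signal is how regularly a given client talks to them. (Assumed list.)
RELAY_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com",
    "api.twitter.com", "api.x.com",
}


class BeaconAlert(NamedTuple):
    src: str
    host: str
    user_agent: str
    connections: int
    mean_interval_s: float
    jitter: float  # coefficient of variation of the inter-arrival times (0 = perfect clock)


def parse_line(line: str) -> tuple[float, str, str, str]:
    """Parse one constructed proxy record: key=value pairs, quoted where needed."""
    fields = dict(token.split("=", 1) for token in shlex.split(line))
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), fields["src"], fields["host"], fields["ua"]


def detect_beacons(lines, min_connections: int = 5, max_jitter: float = 0.15,
                   hosts=RELAY_HOSTS) -> list[BeaconAlert]:
    """Group connections by (source, host, user agent) and flag groups whose
    inter-arrival times are nearly constant. Implants add jitter on purpose, so the
    threshold is a tolerance, not an exact-interval test."""
    buckets: dict[tuple[str, str, str], list[float]] = defaultdict(list)
    for line in lines:
        ts, src, host, ua = parse_line(line)
        if host in hosts:
            buckets[(src, host, ua)].append(ts)

    alerts: list[BeaconAlert] = []
    for (src, host, ua), times in buckets.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about the rhythm
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; not a rhythm
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            alerts.append(BeaconAlert(src, host, ua, len(times), mean, jitter))
    return alerts


# Constructed proxy log. 10.0.4.12 polls the Dropbox API every ~5 minutes from a
# scripting client; 10.0.4.20 is a person using Dropbox in a browser.
SAMPLE_PROXY_LOG = [
    'ts=2025-03-10T09:00:00Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:01:10Z src=10.0.4.20 host=www.dropbox.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'ts=2025-03-10T09:01:47Z src=10.0.4.20 host=www.dropbox.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'ts=2025-03-10T09:05:00Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:08:39Z src=10.0.4.20 host=www.dropbox.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'ts=2025-03-10T09:08:47Z src=10.0.4.20 host=www.dropbox.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'ts=2025-03-10T09:09:58Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:12:00Z src=10.0.4.12 host=api.x.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:15:02Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:20:03Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:25:02Z src=10.0.4.12 host=api.dropboxapi.com ua="python-requests/2.31.0"',
    'ts=2025-03-10T09:28:47Z src=10.0.4.20 host=www.dropbox.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_PROXY_LOG):
        print(f"{a.src} -> {a.host} ({a.user_agent}): {a.connections} connections, "
              f"every {a.mean_interval_s:.0f}s, jitter {a.jitter:.3f}")
```

The obvious false positive is the vendor's own sync client, which also polls on a schedule; keying the grouping on user agent (or, with endpoint telemetry, on the process image) lets the known clients be allow-listed while a scripting library or an unsigned binary talking to the same host on a timer stays visible. The technique says nothing about the content of the drafts or mailbox items used to carry instructions, which is precisely why this kind of C2 is hard; it only surfaces the client that keeps coming back for them.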
Even South America is not immune. Spanish-speaking countries in particular have been hit by a campaign attributed to the Dark Caracal group, known for long-running espionage operations. The attack vector is the Poco RAT malware, capable of uploading files, capturing screenshots, executing commands and manipulating system processes. Distributed through phishing emails disguised as commercial invoices, Poco RAT gives the attackers complete control of compromised devices and enables the systematic theft of sensitive information. Although the first reports date back to the summer of 2024, links to earlier activity suggest a coordinated, long-term strategy.
Finally, a sophisticated espionage operation has been detected in the aviation sector of the United Arab Emirates, believed to have been carried out by a group with suspected ties to Iran. Using the compromised identity of an Indian electronics company, the attackers sent phishing messages to a small number of organisations in the satellite and aviation industries. The malware used, named Sosano, was written in Go and enables the execution of commands, the download of additional malicious components and the manipulation of system directories. Experts believe that, while the operation appears limited in scope, it poses a latent threat to critical infrastructure in the Middle East, with potential implications for international transport.