
European-Chinese geopolitical issues drive renewed cyberespionage campaign

A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.

The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.

“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”

Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.

“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”

TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple of years.

The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.

“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.

Proofpoint’s report is not the only recent one about Chinese cyberespionage groups targeting Europe; another focused on LinkedIn solicitations to NATO and European institutions.

The post European-Chinese geopolitical issues drive renewed cyberespionage campaign appeared first on CyberScoop.

Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.

But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information sharing and analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the name of a class of military vehicle used by U.S. forces. That military connection, even if the hackers confused the vehicle with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. Cameras in countries that Iran later launched missiles into were targeted from Iran-linked infrastructure. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has also received sizable military contracts, for hospital equipment and surgical supplies among other things. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for everything from advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.

Global coalition dismantles Tycoon 2FA phishing kit

Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.
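The reason an adversary-in-the-middle kit can relay a one-time code but not an origin-bound login is the point worth seeing in code. The following is an added illustration written for this page; it is not Tycoon 2FA, Microsoft or Proofpoint code. The origins, the shared TOTP secret and the simplified protocol are constructed, and the authenticator’s public-key signature is replaced by an HMAC so the demo runs offline.

```python
"""Why adversary-in-the-middle (AiTM) phishing defeats one-time-code MFA but not an
origin-bound authenticator. Added illustration; not Tycoon 2FA, Microsoft or Proofpoint code.
Origins, secrets and the simplified protocol are constructed; the 'signature' is an HMAC
standing in for the authenticator's public-key signature over the client data."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-corp.test"   # constructed: the real identity provider
PHISH_ORIGIN = "https://login.example-c0rp.test"   # constructed: the relay's look-alike site
TOTP_SECRET = b"constructed-shared-totp-secret"     # constructed: secret shared with the user's app


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class IdentityProvider:
    """The legitimate server. It accepts either a TOTP code or an origin-bound assertion."""

    def __init__(self) -> None:
        self.cred_secret = secrets.token_bytes(32)   # stand-in for the user's registered key
        self._challenges: set[bytes] = set()

    def verify_totp(self, code: str, now: int) -> bool:
        # Nothing in a six-digit code records which page the user typed it into.
        return hmac.compare_digest(code, totp(TOTP_SECRET, now))

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._challenges.add(challenge)
        return challenge

    def verify_assertion(self, challenge: bytes, reported_origin: str, signature: bytes) -> bool:
        # Relying-party checks as in WebAuthn: the challenge is fresh, the origin is our own,
        # and the signature covers challenge + origin, so the origin cannot be rewritten in transit.
        if challenge not in self._challenges or reported_origin != LEGIT_ORIGIN:
            return False
        self._challenges.discard(challenge)          # single use: no replay
        expected = hmac.new(self.cred_secret, challenge + reported_origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def authenticator_sign(cred_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The user's authenticator signs client data that includes the origin the browser is on."""
    return hmac.new(cred_secret, challenge + browser_origin.encode(), hashlib.sha256).digest()


def relay_forward(value):
    """An AiTM proxy sits between victim and server and passes submissions along unchanged."""
    return value


def login_with_totp(idp: IdentityProvider, now: int, via_relay: bool) -> bool:
    """The victim enters a valid code on whatever page is in front of them."""
    code = totp(TOTP_SECRET, now)
    submitted = relay_forward(code) if via_relay else code
    return idp.verify_totp(submitted, now)


def login_with_webauthn(idp: IdentityProvider, via_relay: bool,
                        relay_rewrites_origin: bool = False) -> bool:
    """The relay can forward the server's challenge, but the browser is on the phishing origin."""
    challenge = idp.new_challenge()
    browser_origin = PHISH_ORIGIN if via_relay else LEGIT_ORIGIN
    signature = authenticator_sign(idp.cred_secret, challenge, browser_origin)
    # The relay's two options: forward honestly (origin mismatch) or rewrite the origin
    # (signature no longer verifies). The relying party rejects both.
    reported_origin = LEGIT_ORIGIN if relay_rewrites_origin else browser_origin
    return idp.verify_assertion(challenge, reported_origin, signature)


if __name__ == "__main__":
    idp = IdentityProvider()
    t = 1_700_000_000
    print("TOTP, direct:         ", login_with_totp(idp, t, via_relay=False))
    print("TOTP, via AiTM relay: ", login_with_totp(idp, t, via_relay=True))
    print("WebAuthn, direct:     ", login_with_webauthn(idp, via_relay=False))
    print("WebAuthn, via relay:  ", login_with_webauthn(idp, via_relay=True))
    print("WebAuthn, origin rewritten by relay:",
          login_with_webauthn(idp, via_relay=True, relay_rewrites_origin=True))
```

The TOTP path succeeds through the relay because the code carries no information about where it was entered; the assertion path fails because the origin is part of the signed client data and the server compares it with its own. In a real browser the mismatch is caught even earlier, since the WebAuthn relying-party ID must match the site the user is actually on.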

Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.

The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.

“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown. 

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added. 

The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.

The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.

Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said. 

Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added. 

Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.

Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro. 

Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint. 

“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.

“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kit, or potentially rethinking their life choices and getting out of the game,” Larson added.

Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.

Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.
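The churn the researchers describe, many subdomains that each live for minutes or hours, is itself a signal a defender can hunt for in DNS or proxy logs. The following is an added example written for this page, not Proofpoint’s or Microsoft’s detection logic. The log lines are constructed, and the registered-domain extraction is a two-label approximation; a production version would use the Public Suffix List.

```python
"""Hunting heuristic for fast-rotating phishing subdomains in DNS resolver logs.
Added illustration, not Proofpoint's or Microsoft's detection logic. Log lines are
constructed; registered-domain extraction is a two-label approximation."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed resolver log: "<ISO timestamp> <client> <queried name>".
# login-verify.test is the constructed stand-in for a kit rotating subdomains.
SAMPLE_LOG = """\
2025-11-03T08:00:00 10.0.0.5 mail.example-corp.test
2025-11-03T08:01:00 10.0.0.7 a7f3k.login-verify.test
2025-11-03T08:03:00 10.0.0.9 a7f3k.login-verify.test
2025-11-03T09:10:00 10.0.0.7 q9x2m.login-verify.test
2025-11-03T09:12:00 10.0.0.8 q9x2m.login-verify.test
2025-11-03T11:40:00 10.0.0.7 zz81p.login-verify.test
2025-11-03T11:41:00 10.0.0.6 zz81p.login-verify.test
2025-11-03T14:05:00 10.0.0.5 k3l0d.login-verify.test
2025-11-04T08:00:00 10.0.0.5 mail.example-corp.test
2025-11-04T09:00:00 10.0.0.7 www.example-corp.test
2025-11-05T08:00:00 10.0.0.5 mail.example-corp.test
"""


def registered_domain(fqdn: str) -> str:
    """Approximation: the last two labels. Use the Public Suffix List in real deployments."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the constructed three-column format into (timestamp, client, fqdn) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, fqdn = line.split()
        records.append((datetime.fromisoformat(ts), client, fqdn.lower()))
    return records


def subdomain_churn(records: list[tuple[datetime, str, str]]) -> dict[str, dict[str, float]]:
    """Per registered domain: how many distinct hostnames were seen and their median lifetime."""
    first_seen: dict[str, datetime] = {}
    last_seen: dict[str, datetime] = {}
    for ts, _client, fqdn in records:
        first_seen[fqdn] = min(ts, first_seen.get(fqdn, ts))
        last_seen[fqdn] = max(ts, last_seen.get(fqdn, ts))
    lifetimes = defaultdict(list)
    for fqdn in first_seen:
        # Lifetime = span between first and last query for that exact hostname.
        lifetimes[registered_domain(fqdn)].append(
            (last_seen[fqdn] - first_seen[fqdn]).total_seconds())
    return {dom: {"subdomains": len(lives), "median_life_s": median(lives)}
            for dom, lives in lifetimes.items()}


def flag_churning_domains(text: str, min_subdomains: int = 3,
                          max_median_life: timedelta = timedelta(hours=1)) -> list[str]:
    """Registered domains with many hostnames that each lived only briefly."""
    stats = subdomain_churn(parse_log(text))
    return sorted(dom for dom, s in stats.items()
                  if s["subdomains"] >= min_subdomains
                  and s["median_life_s"] <= max_median_life.total_seconds())


if __name__ == "__main__":
    for dom, s in subdomain_churn(parse_log(SAMPLE_LOG)).items():
        print(f"{dom:22} hostnames={s['subdomains']} median_life={s['median_life_s']:.0f}s")
    print("flagged:", flag_churning_domains(SAMPLE_LOG))
```

On the constructed log this flags only login-verify.test (four hostnames, median lifetime 90 seconds) and leaves example-corp.test alone. Content-delivery networks and some SaaS platforms also emit short-lived hostnames, so treat the output as a hunting lead to enrich with registration age and TLS certificate data rather than an automatic block list, and tune the thresholds against a baseline of your own traffic.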

The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against RaccoonO365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.

The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.

Proofpoint acquires Acuvity to tackle the security risks of agentic AI

Proofpoint announced Thursday it has acquired Acuvity, an AI security startup, as the cybersecurity company moves to address security risks stemming from widespread corporate adoption of agentic AI.

The acquisition strengthens Proofpoint’s capabilities in monitoring and securing AI-powered systems that are increasingly handling sensitive business functions across enterprises.

Financial terms of the deal were not disclosed, but Ryan Kalember, Proofpoint’s chief strategy officer, told CyberScoop that the acquisition was beyond a pure “technology acquisition,” with Acuvity’s engineering team slated to join the California-based company. 

Acuvity specializes in visibility and governance for AI applications, including the ability to track how employees and automated systems interact with external AI services and protect custom AI models developed within organizations. The startup’s platform monitors AI usage across multiple deployments, from web browsers to specialized infrastructure including Model Context Protocol (MCP) servers and locally installed AI tools.

The deal reflects growing concern among enterprises about security gaps created as organizations deploy agentic AI across departments, like software development, customer support, finance, and legal operations. These systems increasingly access sensitive data and execute tasks previously handled exclusively by humans.

Additionally, AI-specific attack vectors such as prompt injection and model manipulation have emerged as potential threats that traditional cybersecurity tools were not designed to address.

Kalember said CISOs see the risk that comes with the growth of agentic AI and the need to maintain governance without impeding innovation, particularly as the pace of AI adoption has outstripped many companies’ ability to secure these systems effectively.

“It has definitely been a pivot from, ‘I got to be able to stop prompt injection’ to ‘I have to be able to figure out what the AI is even doing,’” he told CyberScoop.

Last May, Proofpoint acquired Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion. Kalember told CyberScoop he sees Acuvity helping small- and medium-sized organizations that use Hornetsecurity’s offerings to boost their AI security.

“That is going to be a world in which, independent of the size of the organization, they are going to very much leverage AI, and some of that will be built into the tools like M365 that is tightly coupled with the Hornetsecurity architecture,” Kalember said.

The acquisition follows a theme within the industry where larger security companies are buying AI-focused security startups. Just last week, data security firm Varonis acquired AI security firm AllTrue.ai for $150 million. 

The post Proofpoint acquires Acuvity to tackle the security risks of agentic AI appeared first on CyberScoop.

Operation Endgame targets malware networks in global crackdown

In a sweeping international crackdown coordinated from Europol’s headquarters, law enforcement agencies from the United States and 10 other countries have disrupted three of the world’s most widely used cybercriminal malware operations. Conducted Nov. 10-13, Operation Endgame focused on neutralizing the Rhadamanthys info-stealing malware, the VenomRAT remote access trojan, and the Elysium botnet — tools authorities say enabled hackers to infect hundreds of thousands of computers and steal millions of sensitive credentials across the globe.

The effort involved law enforcement and judicial agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. According to Europol, the operation led to the arrest of the main VenomRAT suspect in Greece on Nov. 3, searches of 11 locations across Europe, and the seizure or disruption of 1,025 servers and 20 internet domains used by criminals. Coordinated support from over 30 private cybersecurity organizations further assisted the investigation, with companies such as CrowdStrike, Proofpoint, Bitdefender, and the Shadowserver Foundation helping to analyze malicious activity and notify affected network operators.

The law enforcement action is the latest phase of Operation Endgame, an ongoing international initiative to curtail ransomware and malware infrastructure. Previous phases of the operation targeted similar cybercrime enablers over the past two years. Officials said the dismantled infrastructure included hundreds of thousands of computers running malware and several million stolen credentials.

The Shadowserver Foundation, which aggregates global malware infection data, said it sent alerts about Rhadamanthys infections between March and November to national security response teams in 175 countries and more than 10,000 network owners. Europol added that the principal suspect behind the infostealer controlled access to over 100,000 cryptocurrency wallets, with potential losses reaching millions of euros. Many victims whose credentials and devices were compromised continued to operate their systems unaware, authorities said.

VenomRAT, which evolved from earlier remote access trojans, was reportedly marketed for around $150 per month and delivered primarily through malicious email attachments. It allowed users to open backdoors on compromised computers, effectively taking over devices remotely and sometimes exfiltrating sensitive data or launching additional attacks.

Authorities also contacted users of compromised criminal services, appealing for information and exposing some users through an operation-dedicated website and Telegram channel. As these offenders increasingly leverage global infrastructure, authorities suggest that coordinated responses are likely to remain a key feature in future takedowns. 

Operation Endgame is ongoing, with officials indicating that additional actions may follow as investigations continue.

The post Operation Endgame targets malware networks in global crackdown appeared first on CyberScoop.
