The Electronic Frontier Foundation and Lookout describe "Dark Caracal," a long-running espionage campaign that has targeted Android mobile devices since 2012. Lebanon's intelligence service, the General Directorate of General Security (GDGS), is the organization being held responsible for the campaign. Its targets included journalists and activists, military personnel, manufacturers, and financial institutions in more than twenty countries.
Several things are noteworthy about the discovery. First, the GDGS seems to have inadvertently left the data it stole exposed on an open server. Second, no sophisticated malware was involved. Dark Caracal spread by phishing, luring victims into installing trojanized apps that looked like legitimate communication apps. The malware needed no exploit; it simply used the permissions the victims granted when they installed it. Third, the GDGS may have rented its espionage tools and infrastructure from a third party: the researchers say they found servers and malware seen last year in an investigation of hacking in Kazakhstan.
Cisco Talos reports on a new threat actor, "Group 123." It's responsible for six identifiable campaigns mounted during 2017 and continuing into this year: "Golden Time," "Evil New Year," "Are You Happy?" "Free Milk," "North Korean Human Rights," and "Evil New Year 2018." (The odd names allude to the campaigns' distinctive phishbait.) All except Free Milk targeted South Korean individuals and organizations; Free Milk was international in scope. Talos is coy about attribution, but you don't have to be a spymaster to see that these look like the work of Pyongyang.
Schneider Electric offers a post-mortem on the Triton/Trisis industrial malware and the zero-day it exploited.