Google Links China, Iran, Russia and North Korea to Coordinated Cyber Operations Against the Defense Sector

A number of state-sponsored actors, hacktivist organizations, and criminal groups from China, Iran, North Korea, and Russia have set their sights on the defense industrial base (DIB), according to findings by the Google Threat Intelligence Group (GTIG).
The tech giant's threat intelligence unit said that adversary targeting of this sector centers on four main themes: offensive operations against defense organizations supplying technology to the battlefield in the Russia-Ukraine war; direct access to personnel and exploitation of the recruitment process by North Korean and Iranian actors; China's use of edge devices and dangerous access resources; and disruption of the manufacturing sector.
“Many major state sponsors of cyber espionage and hacktivist actors have shown interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare,” GTIG said. “Furthermore, the practice of ‘evading detection’ […] continues, as actors focus on a single endpoint and people, or conduct operations in a way that seeks to avoid endpoint detection and response (EDR) tools altogether.”
Some of the key threat actors and activity highlighted in the report include:
- APT44 (aka Sandworm) attempted to extract information from the Telegram and Signal encrypted messaging apps, presumably after gaining physical access to devices captured during ground operations in Ukraine. This includes using a Windows batch script called WAVESIGN to decrypt and extract data from the Signal desktop application.
- TEMP.Vermin (aka UAC-0020) used malware such as VERMONSTER, SPECTRUM (aka SPECTR), and FIRMACHAGENT, with lures themed around drone production and development, anti-drone defense systems, and video surveillance systems.
- UNC5125 (aka FlyingYeti and UAC-0149) conducted highly targeted campaigns against advanced drone units. It used a questionnaire hosted on Google Forms, posing as a survey of prospective drone operators, and distributed malware such as MESSYFORK (aka COOKBOX) via messaging apps to Unmanned Aerial Vehicle (UAV) operators in Ukraine.
- UNC5125 also allegedly used an Android malware called GREYBATTLE, a highly targeted variant of the Hydra banking trojan, to steal information, distributing it through a website spoofing a Ukrainian military intelligence agency.
- UNC5792 (aka UAC-0195) used secure messaging applications to target Ukrainian military and government entities, as well as individuals and organizations in Moldova, Georgia, France, and the US. The threat actor is notable for abusing Signal's linked-devices feature to hijack victim accounts.
- UNC4221 (aka UAC-0185) targets secure messaging applications used by the Ukrainian military, using tactics similar to UNC5792. The threat actor also used an Android malware called STALECOOKIE that mimics the Ukrainian battlefield management platform DELTA to steal browser cookies. Another trick used by the group is ClickFix to deliver the TINYWHALE downloader, which in turn drops the MeshAgent remote control software.
- UNC5976, a Russian espionage group, carried out a phishing campaign delivering malicious RDP connection files modified to connect to actor-controlled domains impersonating a Ukrainian telecommunications company.
- UNC6096, a Russian espionage group, carried out malware delivery operations via WhatsApp using DELTA-related themes to deliver a malicious LNK shortcut inside an archive file that downloads a secondary payload. Attacks targeting Android devices were found to deliver malware called GALLGRAB, which collects locally stored files, contact information, and potentially encrypted user data from battlefield apps.
- UNC5114, a Russian espionage group, allegedly delivered a variant of the Android malware CraxsRAT disguised as an update for Kropyva, a combat control system used in Ukraine.
- APT45 (aka Andariel) targeted South Korean defense, semiconductor, and automotive companies with the SmallTiger malware.
- APT43 (aka Kimsuky) may have used infrastructure mimicking German and US-related businesses to launch a backdoor called THINWAVE.
- UNC2970 (aka Lazarus Group) ran Operation Dream Job against the aerospace, defense, and energy sectors, in addition to relying on artificial intelligence (AI) tools to research targets.
- UNC1549 (aka Nimbus Manticore) targets the aerospace, aviation, and defense industries in the Middle East with malware families such as MINIBIKE, TWOSTROKE, DEEPROOT, and CRASHPAD. The group is known for running Lazarus Group-style Dream Job campaigns to trick users into running malware or giving away information under the guise of legitimate job opportunities.
- UNC6446, an Iranian-nexus threat actor, used architectural and humanitarian inspection applications to distribute custom malware to aerospace and defense targets across the US and the Middle East.
- APT5 (aka Keyhole Panda and Mulberry Storm) targets current and former employees of major aerospace and defense contractors with tailored phishing sites.
- UNC3236 (aka Volt Typhoon) carried out reconnaissance against publicly hosted portals of North American military and defense contractors, while using the ARCMAZE obfuscation framework to hide its origin.
- UNC6508, a China-nexus threat group, targeted a US-based research institute in late 2023 by exploiting REDCap to drop a custom malware called INFINITERED, capable of maintaining remote access and stealing credentials after gaining a foothold in the application's software development process.
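The malicious RDP connection files attributed to UNC5976 above are plain-text settings files, so a mail gateway or triage script can check where a file points before a user opens it. The following is an added example, not code from the GTIG report; the approved-host list and the two sample .rdp bodies are constructed, and the check goes slightly beyond the report by also surfacing local-resource redirection settings, which a defender would want to see in the same triage.

```python
import re

# Constructed allowlist: hosts the organization's legitimate .rdp files point at.
APPROVED_HOSTS = {"rdp.corp.example", "gw.corp.example"}
# Settings that expose local drives, clipboard or smart cards to the remote host.
REDIRECTION_KEYS = ("drivestoredirect", "redirectclipboard", "redirectprinters",
                    "redirectsmartcards", "redirectcomports", "devicestoredirect")
_LINE = re.compile(r"^\s*([^:]+):([isb]):(.*?)\s*$")

def parse_rdp(text):
    """Parse the 'key:type:value' lines of an .rdp file; type 'i' becomes int."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip blank or unrecognized lines
        key, typ, val = m.groups()
        if typ == "i" and val.lstrip("-").isdigit():
            val = int(val)
        settings[key.strip().lower()] = val
    return settings

def host_of(full_address):
    """Strip an optional ':port' from a 'full address' value (host or host:port)."""
    addr = full_address.strip().lower()
    if addr.count(":") == 1:  # 'host:port'; leaves bare IPv6 literals untouched
        addr = addr.rsplit(":", 1)[0]
    return addr

def triage(text, approved=APPROVED_HOSTS):
    """Return a list of findings for one .rdp file; empty means nothing flagged."""
    s = parse_rdp(text)
    findings = []
    host = host_of(s.get("full address", ""))
    if not host:
        findings.append("no 'full address' set")
    elif host not in approved:
        findings.append("unapproved target host: " + host)
    enabled = [k for k in REDIRECTION_KEYS if s.get(k) not in (None, 0, "")]
    if enabled:
        findings.append("local resources redirected: " + ", ".join(enabled))
    return findings

# Constructed samples: one pointing at an approved gateway, one at an unknown host
# that also redirects drives, clipboard and smart cards to the remote side.
BENIGN_RDP = "screen mode id:i:2\nfull address:s:rdp.corp.example:3389\nredirectclipboard:i:0\n"
SUSPECT_RDP = ("full address:s:rdp.telecom-support.example:3389\n"
               "drivestoredirect:s:*\nredirectclipboard:i:1\nredirectsmartcards:i:1\n")
```

Calling `triage(SUSPECT_RDP)` flags both the unknown target host and the three redirection settings, while `triage(BENIGN_RDP)` returns an empty list.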
In addition, Google said it has also seen China-nexus threat groups use Operational Relay Box (ORB) networks to target defense industry organizations, thereby complicating detection and attribution efforts.
“While specific risks vary by geography and sub-sector expertise, the broad trend is clear: the defense industry is under constant, multi-vector siege,” Google said. “Financially motivated actors are defrauding this sector and the broader manufacturing base, like many other verticals they target for financial gain.”
“Campaigns against defense contractors in Ukraine, threats or exploitation of defense personnel, the continued expansion of China-nexus actors, and hacking, leaking, and disruption of production facilities are some of the leading threats to the industry today.”