Originally reported by Security Affairs
TL;DR
Multiple nation-state groups remain active with APT28 deploying basic tooling in Operation MacroMaze and MuddyWater conducting Operation Olalampo. Separately, threat actors compromised 900 Sangoma FreePBX instances through CVE-2025-64328 exploitation, maintaining persistent web shell access.
An active APT28 campaign, combined with the mass exploitation of roughly 900 FreePBX instances and the web shells deployed on them, represents significant threat actor activity with widespread infrastructure impact.
Multiple threat intelligence reports highlight ongoing nation-state operations targeting enterprise infrastructure, with Russian APT groups maintaining active campaigns while opportunistic attackers exploit telecommunications systems at scale.
Security Affairs reports that APT28 (Fancy Bear) has launched Operation MacroMaze, a new campaign notable for its use of basic tooling combined with legitimate infrastructure. The Russian military intelligence-linked group appears to be adapting tactics following increased scrutiny of their more sophisticated operations.
The campaign represents a tactical shift for APT28, which has historically relied on more sophisticated custom tooling. By leveraging basic tooling alongside legitimate services, the group may be attempting to evade detection systems tuned for its known indicators of compromise.
Concurrently, Iranian-linked threat group MuddyWater continues active operations with their latest campaign designated Operation Olalampo. The group, attributed to Iran's Ministry of Intelligence and Security (MOIS), maintains its focus on strategic intelligence collection across multiple sectors.
MuddyWater's persistent activity underscores the group's role as a primary Iranian cyber espionage capability, with ongoing campaigns suggesting continued strategic intelligence requirements from Tehran.
In a separate but significant development, approximately 900 Sangoma FreePBX instances remain compromised following exploitation of CVE-2025-64328, a command injection vulnerability. The attacks, which began in December 2025, resulted in widespread web shell deployment across affected systems.
Sangoma FreePBX serves as a web-based management platform for Asterisk-powered VoIP systems, making these compromises particularly concerning for business communications infrastructure. The persistent nature of the infections, with web shells remaining active months after initial compromise, indicates either inadequate incident response or continued reinfection.
The scale of the compromise, 900 affected instances, suggests either automated exploitation or coordinated campaign activity. Organizations running FreePBX deployments should immediately verify patch status and conduct forensic analysis for web shell presence.
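The report recommends checking affected FreePBX hosts for web shells but does not describe how. The following is an added example, not code from Security Affairs or from Sangoma: a small heuristic scanner that walks a PHP web root and flags files containing constructs typical of web shells (code execution from request parameters, decoders used to hide payloads, shell-command execution). The web root path, the indicator list and the two sample PHP files are assumptions constructed for the example; the page itself publishes no file paths or indicators for this campaign.

```python
"""Heuristic hunt for PHP web shells in a web root (added example).

Assumptions: the web UI lives under DEFAULT_WEB_ROOT, and the indicator
regexes below are a starting point to tune, not a signature set for the
FreePBX compromise described in the report.
"""
import os
import re
import sys
import tempfile
import time
from dataclasses import dataclass, field

# Assumed location of the FreePBX web UI; pass another path on the command line.
DEFAULT_WEB_ROOT = "/var/www/html"

# Constructs that are rare in legitimate application code but common in web
# shells.  Each name is reported when its pattern matches the file contents.
INDICATORS = {
    # eval() fed directly (or through a decoder) from request input
    "eval_of_input": re.compile(
        r"\beval\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    # shell-command execution primitives
    "dynamic_exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    # decoders typically used to hide a payload in the source
    "obfuscated_payload": re.compile(
        r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # assert() on a variable behaves like eval() in older PHP
    "assert_call": re.compile(r"\bassert\s*\(\s*\$", re.I),
    # preg_replace with the deprecated /e modifier evaluates the replacement
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


@dataclass
class Finding:
    path: str
    indicators: list[str] = field(default_factory=list)
    recently_modified: bool = False  # helps triage: new files first


def scan_php_source(source: str) -> list[str]:
    """Return the names of the indicators that fire on one PHP source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_tree(root: str, modified_within_days: int = 180) -> list[Finding]:
    """Walk a web root and return every PHP file that matches an indicator."""
    cutoff = time.time() - modified_within_days * 86400
    findings: list[Finding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip, do not abort the hunt
            if hits:
                findings.append(Finding(path, hits, mtime > cutoff))
    return findings


# Constructed samples (not real FreePBX files) so the module runs offline.
SAMPLE_BENIGN = (
    "<?php\n$rows = $db->query('SELECT name FROM users');\n"
    "echo htmlspecialchars($rows[0]);\n"
)
SAMPLE_SHELL = "<?php\n@eval(base64_decode($_POST['c']));\nsystem($_GET['cmd']);\n"


def demo_tree() -> list[str]:
    """Write the samples into a temporary web root, scan it, and return the
    basenames that were flagged.  A non-PHP copy of the shell is included to
    show that the extension filter skips it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.php", SAMPLE_BENIGN),
                           ("shell.php", SAMPLE_SHELL),
                           ("notes.txt", SAMPLE_SHELL)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted(os.path.basename(f.path) for f in scan_tree(root))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEB_ROOT
    if os.path.isdir(root):
        for f in scan_tree(root):
            flag = "NEW " if f.recently_modified else "    "
            print(f"{flag}{f.path}: {', '.join(f.indicators)}")
    else:
        print(f"{root} not found; running on constructed samples: {demo_tree()}")
```

Treat every hit as a lead for manual review rather than a verdict: legitimate administration code does call `system()` or `base64_decode()`, so the useful output is the combination of indicators and a recent modification time on a file the package manager does not own. Matching flagged files against the vendor package manifest, and reviewing web server access logs for requests to them, is the natural next step of the forensic analysis the report calls for.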
Additionally, Canadian retail giant Canadian Tire disclosed a data breach affecting over 38 million accounts from an October 2025 incident. The breach exposed personal data including contact details and encrypted passwords, marking one of Canada's largest retail data compromises.
While not directly attributed to nation-state actors, the scale and timing of the breach warrant consideration within the broader threat landscape, particularly given nation-state interest in critical infrastructure data.