DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // APT-ENERGY-CLUSTER-JUN2026
FIRST SEEN: APR 2026

APT ENERGY SECTOR CLUSTER (Mustang Panda / Lazarus / Sandworm)

ALSO KNOWN AS: MISSION2074 (China cluster lead), TA416 (Mustang Panda), Kimsuky-adjacent (DPRK), APT44 (Sandworm)
FROM: DMZ INTELLIGENCE DESK
ORIGIN: China (PRC), North Korea (DPRK), Russia (GRU) — multi-actor coordinated campaign surge
ATTRIBUTION: STATE-SPONSORED
STATUS: ACTIVE
FIRST OBSERVED: APR 2026
TECHNICAL: 91/100
RESOURCES: 99/100
PERSISTENCE: 99/100
STEALTH: 99/100
IMPACT: 91/100

New CYFIRMA research published June 10, 2026 revealed that the energy and utilities sector appeared in 66.6% of all observed APT campaigns over the preceding three months — with Chinese actor Mustang Panda, North Korea's Lazarus Group, and Russia's Sandworm (APT44) identified as the most active adversaries across attacks spanning 18 countries. The China-aligned MISSION2074 cluster recorded the highest campaign count of any single actor across all sectors in the most recent reporting period, with Volt Typhoon, Salt Typhoon, Earth Estries, and Hafnium providing additional Chinese representation. Sandworm was separately linked to a destructive DynoWiper malware campaign targeting Poland's energy sector in late 2025.

Strategic pre-positioning, critical infrastructure espionage, and disruption readiness targeting energy and utilities sectors across 18+ countries

Living-off-the-land (LOTL) techniques, ICS/SCADA reconnaissance, web application exploitation, credential abuse, DLL sideloading (Mustang Panda COOLCLIENT backdoor), supply chain compromise, long-haul persistence, destructive wiper deployment (Sandworm DynoWiper), cryptocurrency theft (Lazarus), IaaS/cloud infrastructure compromise

ENERGY
UTILITIES
POWER GENERATION
RENEWABLES
ICS/SCADA
OIL AND GAS
JAPAN
UNITED STATES
UNITED KINGDOM
AUSTRALIA
GERMANY

Mustang Panda: COOLCLIENT backdoor variants, DLL sideloading chains; Lazarus: custom implants, cryptocurrency theft tooling; Sandworm: DynoWiper (Windows wiper targeting Polish energy), C2 infrastructure spanning 18+ target countries; MISSION2074: China-aligned cluster C2

FILE DATE: JUN 2026
CYFIRMA Energy Sector APT Surge Report
CYFIRMA published findings on June 10, 2026 showing 66.6% of all observed APT campaigns in Q2 2026 targeted energy/utilities, with Mustang Panda, Lazarus, and Sandworm as lead actors spanning 18 countries including the US, UK, Japan, Australia, and Germany.
FILE DATE: JAN 2026
Operation DynoWiper — Poland Energy Sector
Sandworm/APT44 deployed destructive DynoWiper malware against Poland's conventional and renewable energy ██████████████████████ 2025 / early 2026, permanently disabling Windows systems by eliminating data and configuration.