China-Nexus JDY Botnet Expands SOHO/IoT Infrastructure for Targeted Reconnaissance
China-nexus state-sponsored actors have scaled the JDY botnet to over 1,500 compromised SOHO and IoT devices, serving as a high-performance reconnaissance engine following the disruption of the KV-botnet. Targeting MIPS and MIPSEL Linux architectures, the botnet utilizes Tor-based C2 to orchestrate high-speed SYN scanning, banner grabbing, and TLS certificate collection. This infrastructure is primarily used for the industrialized mapping of U.S. military assets and critical infrastructure in the energy and defense sectors. By leveraging compromised edge devices from vendors like Cisco and Ubiquiti, actors mask malicious traffic within residential IP space to bypass geolocation and reputation-based filters during the preparation phase of the kill chain.
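Because the scanning described above originates from compromised residential and SOHO addresses, geolocation and IP-reputation filters give little signal; what remains is the behavior itself, a single source opening SYN-only flows to many distinct host/port pairs in a short window. The following detector is an added example written for this digest, not code from any vendor report or from the botnet; it runs over constructed NetFlow-style records (the IP addresses, timestamps, window size and threshold are illustrative assumptions) and flags sources whose distinct-target count within a sliding time window exceeds a threshold.

```python
from collections import defaultdict

# Constructed sample flow records (not real telemetry):
# (epoch seconds, source IP, destination IP, destination port, TCP flags)
# "S" marks a SYN-only flow with no completed handshake; "PA" marks
# an established flow carrying data.
SCAN_PORTS = [21, 22, 23, 80, 443, 2222, 8080, 8291, 8443, 9000, 10000, 49152]

SAMPLE_FLOWS = (
    # Fast scanner: 12 distinct ports on one host within 12 seconds.
    [(1000 + i, "203.0.113.10", "198.51.100.5", p, "S")
     for i, p in enumerate(SCAN_PORTS)]
    # Benign client: a few SYNs, most of which become established flows.
    + [(1000, "203.0.113.20", "198.51.100.5", 443, "S"),
       (1001, "203.0.113.20", "198.51.100.5", 443, "PA"),
       (1005, "203.0.113.20", "198.51.100.6", 80, "S"),
       (1006, "203.0.113.20", "198.51.100.6", 80, "PA")]
    # Slow source: same 12 ports, but spread two minutes apart.
    + [(2000 + 120 * i, "203.0.113.30", "198.51.100.5", p, "S")
       for i, p in enumerate(SCAN_PORTS)]
)


def detect_syn_scanners(flows, window_seconds=60, threshold=10):
    """Return {source_ip: max distinct (dst, port) targets seen in any
    window of SYN-only flows} for sources that reach the threshold.

    Only flows whose flags are exactly "S" are considered, so a host
    that completes handshakes and exchanges data is not penalized.
    """
    syn_events = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if flags == "S":
            syn_events[src].append((ts, (dst, dport)))

    alerts = {}
    for src, events in syn_events.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_syn_scanners(SAMPLE_FLOWS).items():
        print(f"possible SYN scan from {src}: {count} distinct targets in 60s")
```

With the constructed data only 203.0.113.10 is reported. The slow source 203.0.113.30 touches the same ports but never exceeds one target per window, which is the usual tuning caveat for this kind of rule: a short window catches high-speed sweeps of the sort described above, and a second, longer window with a higher threshold is the normal complement for low-and-slow activity.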
US Seizure of China-Linked Front Companies Centrik Global and Rightinfo
The U.S. Department of Justice (DOJ) and FBI disabled 13 domains associated with a Chinese intelligence operation utilizing front companies, including Centrik Global and Rightinfo, to conduct social engineering attacks against U.S. government and military personnel. Since November 2023, threat actors leveraged AI-generated personas and professional freelance platforms to recruit targets for "consulting" roles. The campaign transitioned victims to Telegram and used cryptocurrency for payments to incentivize the exfiltration of sensitive national security data and classified research. Remediation involved the legal seizure of infrastructure and a wide-scale Army advisory distributed to over one million personnel.
Deployment of AZUREVEIL/Adaptix C2 Agent via "Operation Dragon Weave"
China-aligned threat actors have launched "Operation Dragon Weave," a sophisticated cyber espionage campaign targeting high-value sectors, including government, research, academic, technology, and financial services. The campaign utilizes highly targeted spearphishing emails to deliver malicious ZIP archives containing deceptive shortcut (.LNK) files masquerading as legitimate documents. Upon execution, these files deploy the AZUREVEIL malware framework, which leverages the Adaptix Command-and-Control (C2) agent to establish persistent communication with actor-controlled infrastructure. The campaign demonstrates a strategic geographic focus on the Czech Republic and Taiwan, aiming for long-term intelligence gathering and unauthorized access within critical infrastructure and academic networks.
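A mail-gateway or sandbox check for the delivery stage described above can look inside the ZIP for shortcut files before anything is opened. The script below is an added example for this digest, not code from any vendor report or from the campaign; it builds a constructed archive in memory (the file names and contents are illustrative assumptions) and flags entries that either carry the .LNK extension or begin with the Windows shell-link header (the 0x4C header size followed by the shell-link CLSID), and additionally notes names that are styled to look like documents.

```python
import io
import zipfile

# Shell link (.LNK) files begin with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER_LEN = 0x4C

DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


def inspect_archive(zip_bytes):
    """Return a list of (entry name, [reasons]) for suspicious ZIP entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_magic = head.startswith(LNK_MAGIC)
            has_lnk_ext = lower.endswith(".lnk")
            # Strip ".lnk" so "Invoice.pdf.lnk" is judged on "invoice.pdf".
            stem = lower[:-4] if has_lnk_ext else lower
            looks_like_document = stem.endswith(DOCUMENT_EXTS)

            reasons = []
            if has_lnk_magic:
                reasons.append("lnk-magic")
            if has_lnk_ext:
                reasons.append("lnk-extension")
            if (has_lnk_magic or has_lnk_ext) and looks_like_document:
                reasons.append("document-lookalike-name")
            if has_lnk_magic and not has_lnk_ext:
                reasons.append("extension-mismatch")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive():
    """Construct a ZIP with one benign text file and two shortcut entries."""
    fake_lnk = LNK_MAGIC + b"\x00" * (LNK_HEADER_LEN - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Agenda attached.\n")
        zf.writestr("Invoice_2024.pdf.lnk", fake_lnk)   # document-styled shortcut
        zf.writestr("Agenda.docx", fake_lnk)            # shortcut renamed as a document
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print(f"{name}: {', '.join(reasons)}")
```

Checking the header bytes rather than only the extension matters because Explorer hides the .lnk suffix by default and an archive entry can be renamed freely; the magic-byte test catches the renamed case, while the name test catches the "document.pdf.lnk" styling the campaign relies on.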