Pierluigi Paganini@Security Affairs
//
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.
US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.
Recommended read:
References :
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
- BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
- cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
- Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
- The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
- gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
- Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
- Microsoft Security Blog: Silk Typhoon targeting IT supply chain
- www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
- Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
- Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
- securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
Recommended read:
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: Targets included the U.S. Treasury Department, journalists, and religious organisations, and the attacks intended to steal data and suppress free speech.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
@gbhackers.com
//
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.
If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.
Recommended read:
References :
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
- The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
- gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
- BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
- : Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
- www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
- Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
- The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
- MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
- securityaffairs.com: Analyzing DEEP#DRIVE: North Korean
@cyberscoop.com
//
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
Recommended read:
References :
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
Ridhika Singh@cysecurity.news
//
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.
The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.
Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
Recommended read:
References :
- Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
- gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
- The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
- Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
- thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
- Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
- www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
- Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
- Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
- : New Cyber-Espionage Campaign Targets UAE Aviation and Transport
- www.scworld.com: New Sosano malware attacks target UAE
- securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
- securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
- www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.
@www.bleepingcomputer.com
//
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
Recommended read:
References :
- www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
- securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT) The post appeared first on .
- Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
- Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
- securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
- aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
- The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
- www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
- Anonymous ???????? :af:: hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
- BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
- aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus The Chinese APT hacking group “Mustang Panda� has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.
These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.
Recommended read:
References :
- asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type
- cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
- BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
- Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
- Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
- Anonymous ???????? :af:: hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
- securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
- ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source:thehackernews.com
- Thomas Roccia :verified:: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
- Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- ciso2ciso.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
- BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.
- securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
Recommended read:
References :
- Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
- gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
- Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
- www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
- Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
- gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
- securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
Veronika Telychko@SOC Prime Blog
//
The RedCurl/EarthKapre APT group is actively engaged in corporate espionage, particularly targeting the legal sector. The group uses sophisticated techniques to infiltrate organizations, beginning with phishing emails disguised as Indeed-themed job applications. These emails contain malicious attachments designed to trick victims into downloading ZIP archives containing ISO image files that mimic CVs. Once the ISO image is mounted, the victim unknowingly executes a signed Adobe executable, which then sideloads the EarthKapre loader.
This loader, delivered via a legitimate Adobe executable, is the core of the attack. It establishes command and control through Cloudflare Workers. The malware uses encryption to protect its payloads and sets up a scheduled task to maintain persistence on the compromised system. The eSentire Threat Response Unit (TRU) identified this attack targeting law firms and legal services.
Recommended read:
References :
- Information Security Buzz: eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader.
- SOC Prime Blog: The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing.
- Virus Bulletin: Infosec Exchange post summarizing eSentire's investigation into RedCurl/EarthKapre APT targeting legal services.
- Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre...
- Know Your Adversary: 046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
- socprime.com: RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader
- www.esentire.com: eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage.
- securityonline.info: Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
- Talkback Resources: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
- securityonline.info: Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
- Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre… [net] [mal]
- securityaffairs.com: eSentire report on the RedCurl/EarthKapre APT's campaign targeting law firms, using a legitimate Adobe executable for the loader.
- Kim Zetter: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
drewt@secureworldexpo.com (Drew Todd)@SecureWorld News
//
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.
Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.
Recommended read:
References :
- bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Anonymous ???????? :af:: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
- SecureWorld News: Chinese cyber espionage group
Salt Typhoon has made headlines in the last year, breaching major , including AT&T, Verizon, and Lumen Technologies.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
- gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
- www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants
@www.bleepingcomputer.com
//
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.
These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.
Recommended read:
References :
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- The Hacker News: Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- www.bleepingcomputer.com: Salt Typhoon uses JumbledPath malware to spy on US telecom networks
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.
Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.
Recommended read:
References :
- ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
- securityaffairs.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer.
- securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage.
- www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access.
- www.microsoft.com: Microsoft details Kimsuky's new PowerShell-based attack tactic.
- www.scworld.com: PowerShell exploited in new Kimsuky intrusions
Aman Mishra@gbhackers.com
//
A new malware campaign, named "Squidoor," is targeting governments, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. Researchers at Palo Alto Networks, Lior Rochberger and Tom Fakterman, have analyzed the backdoor, attributing it to a suspected Chinese threat actor known as CL-STA-0049. Squidoor is a multi-vector modular backdoor designed for stealth and adaptability.
This sophisticated malware exploits techniques such as abusing cdb.exe, Outlook API, DNS, and ICMP tunneling for command and control (C2). Attackers gain initial access by exploiting vulnerabilities and deploying web shells. The backdoor is dropped using weaponized Excel documents and deploys a stealthy RAT and additional payloads. Squidoor employs LOLBAS techniques, like using Microsoft’s Console Debugger, to load shellcode directly into memory, bypassing traditional antivirus detection.
Recommended read:
References :
- gbhackers.com: Squidoor: Multi-Vector Malware Exploiting Outlook API, DNS & ICMP Tunneling for C2
- Virus Bulletin: Palo Alto Networks researchers Lior Rochberger & Tom Fakterman analyse Squidoor. The backdoor was used in a malicious activity cluster targeting governments, defence, telecommunication, education and aviation sectors in Southeast Asia and South America.
- Anonymous ???????? :af:: Have you heard of the rarely observed technique abusing cdb.exe? A new backdoor called Squidoor utilizes this technique, and is in the toolkit of a suspected Chinese threat actor targeting multiple countries and sectors.
- Talkback Resources: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations
- www.cysecurity.news: New Malware Targets Aviation and Satellite Firms
|
|
FlagThis - #APT