FlagThis

The Silver Fox APT group is targeting organizations in Chinese-speaking regions using a multi-stage loader named PNGPlug to deliver the ValleyRAT malware. The attack begins with a phishing webpage that lures victims into downloading a malicious MSI package disguised as a legitimate application, using weaponized PNG files to deliver multi-stage malware.

The Lazarus Group, a North Korean cyber threat actor, is using LinkedIn to target organizations across various sectors. The group uses social engineering to establish contact, then moves communications to other platforms, and tricks victims into downloading malware. This includes posing as recruiters with fake job offers, which ultimately lead to malware infection. This activity highlights the risk of using LinkedIn for business purposes without proper security protocols and employee training and also indicates how social media can be used to target unsuspecting users and bypass common network security measures.

The Chinese state-sponsored hacking group ‘Silk Typhoon’ has been linked to a significant breach of a US Treasury agency in December 2024, with further reports indicating they also compromised the Committee on Foreign Investment in the United States (CFIUS), which assesses national security risks associated with foreign investments. The attackers are suspected to have stolen sensitive information from both the Treasury and the CFIUS, which has raised significant concerns in the US government. This coordinated attack demonstrates a pattern of sophisticated cyber espionage activities by the Silk Typhoon group.

A critical zero-day vulnerability, tracked as CVE-2025-0282, has been discovered in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This stack-based buffer overflow allows unauthenticated remote attackers to achieve remote code execution. This is in addition to CVE-2025-0283 which is another stack-based buffer overflow, which requires a local authenticated attacker. This vulnerability is currently being actively exploited in the wild. Organizations are advised to apply the available patches immediately and perform factory resets to ensure complete removal of any potential malware. Ivanti has a long history of being targeted.

Chinese state-sponsored threat actors compromised the US Treasury Department by exploiting a vulnerability in a third-party software provider, BeyondTrust. The attackers accessed employee workstations and exfiltrated unclassified documents. This incident highlights the risk associated with third-party dependencies and supply chain attacks. The attackers gained remote access, raising concerns about the security posture of government agencies. The affected systems were not immediately identified but were confirmed to be workstations.

The Russian-aligned Gamaredon APT group has been attributed to the development and deployment of two new Android spyware families named BoneSpy and PlainGnome. BoneSpy has been active since 2021, while PlainGnome appeared in 2024. These tools are used to target former Soviet states, focusing on Russian-speaking victims, and are used for surveillance purposes. These sophisticated malwares collect sensitive data including SMS messages, call logs, device location, and contact lists. PlainGnome acts as a dropper for the surveillance payload, while BoneSpy is deployed as a standalone application.

The US Treasury Department has sanctioned Sichuan Silence, a Chinese cybersecurity company, and its employee Guan Tianfeng for their involvement in a global firewall compromise in April 2020. This hack exploited a zero-day vulnerability, impacting tens of thousands of firewalls, including those of critical infrastructure companies. Guan Tianfeng has also been indicted by the Department of Justice for developing and deploying malware, leading to a $10 million reward for information on the company or Guan. This coordinated action highlights the ongoing threat posed by Chinese cyber actors.

A sophisticated cyber espionage campaign, dubbed ‘Operation Digital Eye,’ targeted business-to-business IT service providers in Southern Europe. Attackers leveraged Visual Studio Code Tunnels and Azure infrastructure for command and control, exploiting the tunnels for stealthy remote access. The campaign lasted approximately three weeks, from late June to mid-July 2024.

The Russian state-sponsored APT group BlueAlpha is using Cloudflare Tunnels to distribute custom malware, such as GammaDrop and GammaLoad. They employ spearphishing with malicious HTML attachments to evade detection and maintain persistent access to compromised networks. This activity highlights the abuse of trusted infrastructure for malicious purposes.

The SmokeLoader malware has been observed in a new campaign targeting Taiwanese companies across various sectors, including manufacturing, healthcare, and IT. Unlike previous campaigns where SmokeLoader acted as a downloader for other malware, this campaign directly executes the attack by downloading and executing malicious plugins from its C2 server. This approach enhances its capability and evasiveness. The malware utilizes social engineering techniques, such as personalized emails with generic content, to enhance its success rate.

The Russian state-sponsored group Secret Blizzard has been found to have hijacked the infrastructure of other hacking groups for its operations, with a recent campaign targeting the Pakistan-based espionage cluster Storm-0156 (also known as SideCopy, Transparent Tribe, or APT36). Secret Blizzard’s actions involved installing backdoors, collecting intelligence, and compromising target devices in regions like South Asia and Ukraine. This sophisticated espionage operation highlights the increasing complexity of cyber threats and the ability of nation-state actors to leverage the resources of other groups for their malicious activities.