CyberSecurity news

FlagThis - #apt

Waqas@hackread.com //
Chinese cyber espionage group UNC3886 has been targeting Juniper Networks Junos OS MX routers that have reached their end-of-life. Researchers at Mandiant uncovered the attacks, which began in mid-2024, revealing that the group deployed custom backdoors to compromise these outdated systems. These backdoors allowed the attackers to bypass file integrity protections and maintain persistence, enabling them to steal data and conduct espionage.

Mandiant's investigation showed that UNC3886 exploited vulnerabilities in Junos OS, overcoming its protection subsystem, Veriexec, through a technique called process injection. The attackers injected malicious code into legitimate processes by gaining privileged access to a Juniper router from a terminal server using legitimate credentials. Juniper Networks and Mandiant recommend that organizations using these routers immediately upgrade their devices and run an integrity checker to confirm their systems are secure.

Recommended read:
References :
  • hackread.com: Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers
  • www.cybersecuritydive.com: Juniper MX routers targeted by China-nexus threat group using custom backdoors
  • : Chinese Hackers Implant Backdoor Malware on Juniper Routers
  • BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks  Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
  • www.csoonline.com: Chinese cyberespionage group deploys custom backdoors on Juniper routers
  • thehackernews.com: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
  • The Register - Security: Expired Juniper routers find new life – as Chinese spy hubs
  • Cybernews: Chinese cyberespionage group is targeting Juniper routers with custom backdoors for outdated hardware.
  • BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
  • The DefendOps Diaries: Chinese Cyberspies Exploit Juniper Routers: A Deep Dive into Advanced Threats
  • Industrial Cyber: Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886
  • The Record: Researchers said the Chinese state-backed group dubbed UNC3886 was behind a campaign to deploy custom backdoors on Juniper's Junos OS routers
  • securityaffairs.com: China-linked APT UNC3886 targets EoL Juniper routers
  • Security Risk Advisors: China-linked UNC3886 deploying custom backdoors on Juniper routers. Upgrade devices, run JMRT scans, implement MFA for network device management.
  • BleepingComputer: ​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
  • securityaffairs.com: Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers. The group known as UNC3886, targeted critical infrastructure sectors.
  • Information Security Buzz: Google Uncovers China-Linked Espionage Campaign Targeting Juniper Routers
  • Virus Bulletin: Mandiant researchers describe UNC3886’s TTPs, and their focus on malware & capabilities that enable them to operate on network & edge devices that usually lack security monitoring & detection solutions. The espionage group targets Juniper routers with TINYSHELL-based backdoors.
  • securityaffairs.com: Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
  • bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. [...]
  • bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
  • Blog: China-linked threat actor deploys backdoors, rootkits on Junos OS routers
  • www.it-daily.net: Chinese espionage on old Juniper routers
  • www.scworld.com: Old Juniper routers targeted by Chinese hackers to deploy various payloads
  • www.techradar.com: Chinese hackers targeting Juniper Networks routers, so patch now
  • Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590
  • bsky.app: Description of Chinese hackers deploying custom backdoors on Juniper routers.
  • www.cysecurity.news: China-linked APT UNC3886 targets EoL Juniper routers
  • : Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
  • securityonline.info: Security Advisory: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw – CVE-2025-21590
  • iHLS: Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers
  • www.techradar.com: Juniper patches security flaws which could have let hackers take over your router
  • www.scworld.com: Actively exploited Juniper router vulnerability addressed
  • www.scworld.com: The threat actor (UNC3886) was found to be targeting end-of-life Juniper Networks routers.
  • aboutdfir.com: InfoSec News Nuggets 3/17/2025 discusses a state-backed group from China targeting Juniper Networks routers with custom backdoors.
  • ASEC: A report on the deep web and dark web from February 2025 notes the espionage group UNC3886 operating out of China targeting routers made by Juniper Networks.

Bill Mann@CyberInsider //
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.

The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.

Recommended read:
References :
  • The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
  • ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
  • The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
  • securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
  • The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
  • BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
  • CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
  • socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
  • www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
  • www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
  • www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
  • Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
  • hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
  • : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
  • securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
  • Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
  • www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
  • Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
  • SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
  • Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
  • borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
  • Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
  • Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
  • aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
  • securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
  • aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.

@World - CBSNews.com //
References: bsky.app , CyberInsider , bsky.app ...
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
  • Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
  • blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
  • Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
  • Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

Recommended read:
References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
  • Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
  • Blog: Silk Typhoon levels up, goes after IT supply chains

Pierluigi Paganini@securityaffairs.com //
A China-linked advanced persistent threat (APT) group, known as Weaver Ant, has been discovered to have infiltrated the network of a major telecommunications services provider in Asia for over four years. The attackers managed to maintain a stealthy presence by compromising Zyxel CPE routers to conceal their traffic and infrastructure. This prolonged access allowed Weaver Ant to conduct extensive cyber espionage operations, highlighting the persistent nature of state-sponsored cyber threats.

Chinese Weaver Ant hackers utilized advanced techniques, including web shells and tunneling, to establish long-term access to the telco's network. A key element of their operation involved using compromised Zyxel CPE routers to hide traffic and infrastructure. The APT group employed an encrypted variant of the China Chopper web shell, along with a custom-built web shell named INMemory, to further enhance their ability to remain undetected while exfiltrating data and maintaining control over compromised systems. The Sygnia report also mentioned the use of a 'Web Shell Whisperer' that uses shells and tunnels to maintain access.

Recommended read:
References :
  • securityaffairs.com: Chinese APT Weaver Ant infiltrated a telco in Asia for over four years
  • The DefendOps Diaries: Explore the Weaver Ant cyber espionage campaign targeting telecom networks with advanced techniques and stealthy operations.
  • BleepingComputer: Chinese Weaver Ant hackers spied on telco network for 4 years
  • ciso2ciso.com: Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation
  • www.scworld.com: China-nexus advanced persistent threat Weaver Ant has compromised a major Asian telecommunications services provider's network with web shells and various payloads for more than four years as part of its cyberespionage efforts, according to Security Affairs.
  • The Hacker News: The Hacker News details the critical security flaws and potential impacts.
  • BleepingComputer: A recent cybersecurity investigation by Sygnia has exposed a sophisticated operation orchestrated by a China-nexus threat actor dubbed "Weaver Ant." This APT group has utilized web shells and tunneling techniques to maintain long-term access to a major Asian telecommunications provider, highlighting their persistent and stealthy approach to cyber espionage.
  • : Sygnia uncovered Weaver Ant, a Chinese threat actor that conducted persistent cyberespionage by spying on telecommunications networks for an extended period.
  • The Stack: A significant breach of a major telecommunications company in Asia has been revealed by incident response firm Sygnia. The breach lasted over four years and involved China-nexus advanced persistent threat Weaver Ant, whose attacks were so effective they remained undetected for a lengthy time.
  • Industrial Cyber: Sygnia details Weaver Ant tactics in battle against China-linked cyber threats on telecoms
  • PCMag UK security: Chinese Hackers Remained Inside an Asian Telecom Firm for 4+ Years
  • MSSP feed for Latest: Weaver Ant used web shells and various payloads to attack the Chinese telecom for more than four years.
  • www.scworld.com: Chinese hackers spend years roaming telecommunications service
  • Metacurity: Sygnia has uncovered the Weaver Ant group's cyberespionage methods and tactics which demonstrated persistent access to a major Asian telecommunications provider's network for over four years.
  • www.techradar.com: Information about the cyberespionage campaign targeting Asian telecom companies.

@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

rohann@checkpoint.com@Check Point Blog //
References: Check Point Blog , bsky.app , bsky.app ...
Blind Eagle, one of Latin America's most dangerous cyber criminal groups, has been actively targeting Colombian institutions and government entities since November 2024. According to Check Point Research (CPR), this advanced persistent threat (APT) group, also tracked as APT-C-36, is using sophisticated techniques to bypass traditional security defenses. They leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malicious payloads, and have recently been seen using a variant of an exploit for a now-patched Microsoft Windows flaw, CVE-2024-43451. This allows them to infect victims with a high rate of success.

CPR has uncovered that Blind Eagle incorporated this exploit a mere six days after Microsoft released the patch. They use malicious .URL files distributed via phishing emails, and victims are often unaware they are triggering the infection. The final payload is often the Remcos RAT, a remote access trojan that grants attackers complete control over infected systems, allowing for data theft, remote execution, and persistent access. In one campaign in December 2024, over 1,600 victims were affected, highlighting the group's efficiency and targeted approach.

Recommended read:
References :
  • Check Point Blog: The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
  • bsky.app: Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
  • The Hacker News: The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.
  • bsky.app: The Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
  • gbhackers.com: Blind Eagle Hackers Exploit Google Drive, Dropbox & GitHub to Evade Security Measures
  • : Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
  • Talkback Resources: Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks
  • securityonline.info: Blind Eagle’s Rapid Adaptation: New Tactics Deployed Days After Patch
  • gbhackers.com: Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes

Ridhika Singh@cysecurity.news //
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.

The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.

Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.

Recommended read:
References :
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
  • Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
  • : New Cyber-Espionage Campaign Targets UAE Aviation and Transport
  • www.scworld.com: New Sosano malware attacks target UAE
  • securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
  • securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
  • www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.

solomon.klappholz@futurenet.com (Solomon@Latest from ITPro //
Cyber experts are raising serious concerns about operational technology (OT) security after the Volt Typhoon threat group went undetected within the US electric grid for almost a year. This prolonged compromise, lasting over 300 days, marks the first known infiltration of the US electric grid by the Voltzite subgroup, linked to the Chinese APT Volt Typhoon. The attackers targeted critical OT infrastructure data, underscoring the persistent and sophisticated cyber espionage efforts aimed at US infrastructure.

The security breach, discovered in November 2023, involved the Littleton Electric Light and Water Department (LELWD) in Massachusetts. Investigations revealed that Volt Typhoon likely gained access to LELWD's IT environment in February 2023. During the attack the Chinese hackers sought specific data related to operational technology operating procedures and spatial layout data relating to energy grid operations, The incident led to LELWD expediting the deployment of its OT security solutions.

Recommended read:
References :
  • hackread.com: Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year
  • PCMag UK security: Chinese Hackers Sat Undetected in Small Massachusetts Power Utility for Months
  • www.itpro.com: Cybersecurity firm Dragos has revealed the Volt Typhoon threat group remained undetected in the US electric grid for nearly a year.
  • www.scworld.com: US electric utility subjected to almost year-long Volt Typhoon compromise
  • CyberInsider: Revealing the Volt Typhoon threat group's covert access to a Massachusetts electric utility network.
  • bsky.app: Massachusetts Power Utility hacked by Chinese 'hackers' (cyber operators) for more than 300 days.
  • : Volt Typhoon Accessed US OT Network for Nearly a Year
  • Information Security Buzz: Volt Typhoon Found Inside Massachusetts Electric Utility for Nearly a Year
  • Industrial Cyber: Dragos details the hacking of LELWD and the VOLTZITE group.
  • Matthias Schulze: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days

@www.bleepingcomputer.com //
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.

Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.

Recommended read:
References :
  • www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
  • securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT) The post appeared first on .
  • Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
  • Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
  • securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
  • aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
  • The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
  • www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
  • Anonymous ???????? :af:: hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
  • BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
  • BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
  • aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus The Chinese APT hacking group “Mustang Pandaâ€� has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
  • Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.

@cyberalerts.io //
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.

UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.

Recommended read:
References :
  • Cisco Talos Blog: UAT-5918 targets critical infrastructure entities in Taiwan
  • Industrial Cyber: UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon
  • thehackernews.com: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
  • Talkback Resources: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools [ics] [net]
  • Cyber Security News: UAT-5918 Threat Actors Target Exposed Web and Application Servers via N-Day Vulnerabilities
  • gbhackers.com: UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers
  • The DefendOps Diaries: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
  • securityaffairs.com: UAT-5918 ATP group targets critical Taiwan
  • www.scworld.com: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim systems.
  • Virus Bulletin: Cisco Talos researchers Jung soo An, Asheer Malhotra, Brandon White & Vitor Ventura analyse a UAT-5918 malicious campaign targeting critical infrastructure entities in Taiwan.

info@thehackernews.com (The@The Hacker News //
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary

@Talkback Resources //
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous ???????? :af:: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major , including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

@www.bleepingcomputer.com //
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.

These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.

Recommended read:
References :

Mandvi@Cyber Security News //
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.

The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.

Recommended read:
References :
  • Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
  • Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
  • : FishMonger APT Group Linked to I-SOON in Espionage Campaigns
  • gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
  • Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]

Aman Mishra@gbhackers.com //
A new malware campaign, named "Squidoor," is targeting governments, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. Researchers at Palo Alto Networks, Lior Rochberger and Tom Fakterman, have analyzed the backdoor, attributing it to a suspected Chinese threat actor known as CL-STA-0049. Squidoor is a multi-vector modular backdoor designed for stealth and adaptability.

This sophisticated malware exploits techniques such as abusing cdb.exe, Outlook API, DNS, and ICMP tunneling for command and control (C2). Attackers gain initial access by exploiting vulnerabilities and deploying web shells. The backdoor is dropped using weaponized Excel documents and deploys a stealthy RAT and additional payloads. Squidoor employs LOLBAS techniques, like using Microsoft’s Console Debugger, to load shellcode directly into memory, bypassing traditional antivirus detection.

Recommended read:
References :
  • gbhackers.com: Squidoor: Multi-Vector Malware Exploiting Outlook API, DNS & ICMP Tunneling for C2
  • Virus Bulletin: Palo Alto Networks researchers Lior Rochberger & Tom Fakterman analyse Squidoor. The backdoor was used in a malicious activity cluster targeting governments, defence, telecommunication, education and aviation sectors in Southeast Asia and South America.
  • Anonymous ???????? :af:: Have you heard of the rarely observed technique abusing cdb.exe? A new backdoor called Squidoor utilizes this technique, and is in the toolkit of a suspected Chinese threat actor targeting multiple countries and sectors.
  • Talkback Resources: Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations
  • www.cysecurity.news: New Malware Targets Aviation and Satellite Firms