CyberSecurity news

FlagThis - #cyberespionage

Waqas@hackread.com //
Chinese cyber espionage group UNC3886 has been targeting Juniper Networks Junos OS MX routers that have reached end-of-life and no longer receive security updates. Researchers at Mandiant uncovered the activity, which began in mid-2024, and found that the group deployed custom, TINYSHELL-based backdoors on these outdated devices. The backdoors let the attackers get around the file integrity protections built into Junos OS and maintain persistence on routers that typically sit outside an organization's security monitoring, giving them a stable foothold for data theft and espionage.

Mandiant's investigation showed that UNC3886 defeated the Junos OS integrity subsystem, Veriexec, through process injection: rather than drop a new binary that Veriexec would refuse to run, the attackers injected malicious code into the memory of a legitimate, already-trusted process. To get there, they first obtained privileged shell access to the router from a terminal server using legitimate credentials. Juniper has since released emergency updates for the underlying weakness (tracked as CVE-2025-21590), and Juniper and Mandiant recommend that organizations upgrade affected routers to a fixed release immediately, run the Juniper Malware Removal Tool (JMRT) integrity scan to confirm the devices are clean, and enforce multi-factor authentication for network device management.

Recommended read:
References :
  • hackread.com: Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers
  • www.cybersecuritydive.com: Juniper MX routers targeted by China-nexus threat group using custom backdoors
  • : Chinese Hackers Implant Backdoor Malware on Juniper Routers
  • BleepingComputer: Chinese hackers are deploying custom backdoors on Juniper Networks Junos OS MX routers that have reached end-of-life (EoL) and no longer receive security updates.
  • www.csoonline.com: Chinese cyberespionage group deploys custom backdoors on Juniper routers
  • thehackernews.com: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits
  • The Register - Security: Expired Juniper routers find new life – as Chinese spy hubs
  • Cybernews: Chinese cyberespionage group is targeting Juniper routers with custom backdoors for outdated hardware.
  • The DefendOps Diaries: Chinese Cyberspies Exploit Juniper Routers: A Deep Dive into Advanced Threats
  • Industrial Cyber: Mandiant uncovers custom backdoors on Juniper Junos OS routers, linked to Chinese espionage group UNC3886
  • The Record: Researchers said the Chinese state-backed group dubbed UNC3886 was behind a campaign to deploy custom backdoors on Juniper's Junos OS routers
  • securityaffairs.com: China-linked APT UNC3886 targets EoL Juniper routers
  • Security Risk Advisors: China-linked UNC3886 deploying custom backdoors on Juniper routers. Upgrade devices, run JMRT scans, implement MFA for network device management.
  • BleepingComputer: ​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
  • securityaffairs.com: Researchers from Mandiant identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers. The group known as UNC3886, targeted critical infrastructure sectors.
  • Information Security Buzz: Google Uncovers China-Linked Espionage Campaign Targeting Juniper Routers
  • Virus Bulletin: Mandiant researchers describe UNC3886’s TTPs, and their focus on malware & capabilities that enable them to operate on network & edge devices that usually lack security monitoring & detection solutions. The espionage group targets Juniper routers with TINYSHELL-based backdoors.
  • securityaffairs.com: Mandiant researchers warn that China-linked actors are deploying custom backdoors on Juniper Networks Junos OS MX routers.
  • bsky.app: Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.
  • Blog: China-linked threat actor deploys backdoors, rootkits on Junos OS routers
  • www.it-daily.net: Chinese espionage on old Juniper routers
  • www.scworld.com: Old Juniper routers targeted by Chinese hackers to deploy various payloads
  • www.techradar.com: Chinese hackers targeting Juniper Networks routers, so patch now
  • Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590
  • bsky.app: Description of Chinese hackers deploying custom backdoors on Juniper routers.
  • www.cysecurity.news: China-linked APT UNC3886 targets EoL Juniper routers
  • securityonline.info: Security Advisory: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw – CVE-2025-21590
  • iHLS: Chinese Cyberespionage Group Targets Defense and Technology Organizations’ Routers
  • www.techradar.com: Juniper patches security flaws which could have let hackers take over your router
  • www.scworld.com: Actively exploited Juniper router vulnerability addressed
  • www.scworld.com: The threat actor (UNC3886) was found to be targeting end-of-life Juniper Networks routers.
  • aboutdfir.com: InfoSec News Nuggets 3/17/2025 discusses a state-backed group from China targeting Juniper Networks routers with custom backdoors.
  • ASEC: A report on the deep web and dark web from February 2025 notes the espionage group UNC3886 operating out of China targeting routers made by Juniper Networks.

Bill Mann@CyberInsider //
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting an unpatched Windows weakness since 2017 for data theft and cyber espionage. The issue, tracked by Trend Micro's Zero Day Initiative as ZDI-CAN-25373 (advisory ZDI-25-148), is a UI misrepresentation flaw in how Windows presents .LNK shortcut files: the command-line arguments stored inside a shortcut can be padded with whitespace so that the file's Properties dialog shows nothing unusual, while the shortcut still runs commands that download and launch malware. ZDI researchers identified nearly 1,000 tampered .LNK files, and they believe the actual number of attacks is much higher.

Microsoft has chosen not to address the issue with a security update, telling ZDI that the report "does not meet the bar for immediate servicing". That decision stands even though the technique has been used in an eight-year spying campaign that relies on burying the real command behind megabytes of whitespace, deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
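The hiding technique above is easy to check for once the shortcut's StringData section is decoded. The following Python is an added illustration, not code from ZDI, Trend Micro, or any of the cited reports: it parses the fixed ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures, reads the StringData entries in their defined order, and then measures how much whitespace pads the COMMAND_LINE_ARGUMENTS string. The `.LNK` files it inspects are constructed in the block (no real-world sample is reproduced), the padding set assumes the six whitespace characters commonly used for this trick, and the run-length threshold of 32 is an arbitrary assumption for the demonstration.

```python
"""Decode the StringData section of a Windows Shell Link (.LNK) file and flag
command-line arguments hidden behind whitespace padding.  Added example with
constructed sample files only; not code from any vendor report."""
import struct
from itertools import groupby

LNK_HEADER_SIZE = 0x4C  # fixed-size ShellLinkHeader
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1) needed to walk the file
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed padding set: space, tab, CR, LF, vertical tab, form feed
PADDING_CHARS = " \t\r\n\x0b\x0c"


def _string_data(text: str) -> bytes:
    # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(arguments: str, relative_path: str = "") -> bytes:
    """Build a minimal Unicode .LNK (constructed sample) with no IDList or LinkInfo."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    if relative_path:
        flags |= HAS_RELATIVE_PATH
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    body = _string_data(relative_path) if relative_path else b""
    body += _string_data(arguments)
    return bytes(header) + body


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the decoded StringData entries of a .LNK blob."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    header_size, = struct.unpack_from("<I", data, 0)
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) then the items
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, key in STRING_DATA:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return {"flags": flags, "strings": strings}


def analyze_arguments(arguments: str, threshold: int = 32) -> dict:
    """Measure whitespace padding and recover the command hidden behind it."""
    runs = (len(list(g)) for is_pad, g in groupby(arguments, key=lambda c: c in PADDING_CHARS) if is_pad)
    longest_run = max(runs, default=0)
    return {
        "padding_total": sum(1 for c in arguments if c in PADDING_CHARS),
        "longest_padding_run": longest_run,
        "hidden_command": arguments.strip(PADDING_CHARS),
        "suspicious": longest_run >= threshold,  # threshold is an assumption
    }


def scan_lnk(data: bytes, threshold: int = 32) -> dict:
    """Parse a .LNK blob and analyze its command-line arguments."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    return analyze_arguments(args, threshold)


if __name__ == "__main__":
    benign = build_lnk("/k echo hello", relative_path=".\\cmd.exe")
    # Constructed: 4096 spaces push the real arguments out of the visible dialog
    padded = build_lnk(" " * 4096 + '/c "stage2.cmd"', relative_path=".\\cmd.exe")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, scan_lnk(blob))
```

Note that the parser decodes only what the detection needs; a shortcut with ExtraData blocks after the strings is still handled, since those follow the StringData section and are never read here.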

Recommended read:
References :
  • The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
  • ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
  • The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
  • securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
  • CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
  • BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
  • The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
  • securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
  • www.it-daily.net: Critical Windows security vulnerability discovered
  • socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
  • www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
  • www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
  • www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
  • Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
  • hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
  • : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
  • Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
  • Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
  • Jon Greig: Researchers at Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files. Microsoft said the report "does not meet the bar for immediate servicing".
  • Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
  • www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
  • Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
  • SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
  • Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
  • borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
  • Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
  • aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying. An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
  • securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)

@World - CBSNews.com //
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon (Anxun Information Technology Co. Ltd), members of the APT27 group (also tracked as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers of China's Ministry of Public Security (MPS). The indictments shed light on the tools and methods allegedly used in a global hacker-for-hire operation. According to the Justice Department, the Ministry of State Security (MSS) and the MPS relied on an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere; over roughly a decade the victims included more than 100 American organizations, among them the U.S. Treasury.

The charges cover intrusions carried out for data theft and for identifying and suppressing dissidents and critics of the Chinese government worldwide. i-Soon allegedly sold hacking tools and services to its government customers and carried out intrusions on behalf of the PRC (People's Republic of China), with prices reported to reach $75,000 for a single compromised American inbox. The case illustrates how a state can outsource cyber espionage to private contractors while keeping its own hand at arm's length.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
  • Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
  • blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
  • Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
  • Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.

Pierluigi Paganini@Security Affairs //
The Chinese state-backed espionage group Silk Typhoon, which Microsoft believes was behind the December 2024 intrusion at the U.S. Treasury, is expanding its operations to target the global IT supply chain. Microsoft Threat Intelligence warns that the group has shifted its tactics toward remote management tools and cloud applications, abusing stolen API keys and cloud credentials since late 2024 to break into IT service providers and, through them, state and local government agencies. Compromising a provider gives the group access to that provider's downstream customers, within whose networks it moves laterally and harvests data.

US government agencies have also announced criminal charges against alleged members of Silk Typhoon, along with the seizure of internet domains linked to the group's long-running espionage campaign against US government agencies and other major organizations. The Justice Department stated that the Chinese government, through its Ministries of State Security and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, giving Beijing a form of plausible deniability.

Recommended read:
References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Microsoft Threat Intelligence's report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
  • Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
  • Blog: Silk Typhoon levels up, goes after IT supply chains

Pierluigi Paganini@securityaffairs.com //
A China-linked advanced persistent threat (APT) group tracked as Weaver Ant has been found inside the network of a major telecommunications services provider in Asia for more than four years. Incident response firm Sygnia, which uncovered the intrusion, reports that the attackers kept a low profile by routing their traffic through compromised Zyxel CPE routers, which hid both the origin of their activity and their own infrastructure. That length of access let Weaver Ant carry out sustained espionage, a reminder of how persistent state-sponsored intrusions can be on networks that lack monitoring of their edge devices.

Weaver Ant relied on web shells and tunneling to hold long-term access to the telco's network, with the compromised Zyxel CPE routers as the relay layer that hid its traffic. The group deployed an encrypted variant of the China Chopper web shell alongside a custom web shell that Sygnia calls INMemory, built to run its payload in memory and leave little on disk, and chained these shells with tunnels to reach internal systems while exfiltrating data and retaining control of compromised hosts. Sygnia's report on the operation is titled "Weaver Ant, the Web Shell Whisperer", a nod to how heavily the group leans on web shells and tunnels to maintain access.

Recommended read:
References :
  • securityaffairs.com: Chinese APT Weaver Ant infiltrated a telco in Asia for over four years
  • The DefendOps Diaries: Explore the Weaver Ant cyber espionage campaign targeting telecom networks with advanced techniques and stealthy operations.
  • BleepingComputer: Chinese Weaver Ant hackers spied on telco network for 4 years
  • ciso2ciso.com: Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation
  • www.scworld.com: China-nexus advanced persistent threat Weaver Ant has compromised a major Asian telecommunications services provider's network with web shells and various payloads for more than four years as part of its cyberespionage efforts, according to Security Affairs.
  • The Hacker News: The Hacker News details the critical security flaws and potential impacts.
  • BleepingComputer: A recent cybersecurity investigation by Sygnia has exposed a sophisticated operation orchestrated by a China-nexus threat actor dubbed "Weaver Ant." This APT group has utilized web shells and tunneling techniques to maintain long-term access to a major Asian telecommunications provider, highlighting their persistent and stealthy approach to cyber espionage.
  • : Sygnia uncovered Weaver Ant, a Chinese threat actor that conducted persistent cyberespionage by spying on telecommunications networks for an extended period.
  • The Stack: A significant breach of a major telecommunications company in Asia has been revealed by incident response firm Sygnia. The breach lasted over four years and involved China-nexus advanced persistent threat Weaver Ant, whose attacks were so effective they remained undetected for a lengthy time.
  • Industrial Cyber: Sygnia details Weaver Ant tactics in battle against China-linked cyber threats on telecoms
  • PCMag UK security: Chinese Hackers Remained Inside an Asian Telecom Firm for 4+ Years
  • MSSP feed for Latest: Weaver Ant used web shells and various payloads to attack the Chinese telecom for more than four years.
  • www.scworld.com: Chinese hackers spend years roaming telecommunications service
  • Metacurity: Sygnia has uncovered the Weaver Ant group's cyberespionage methods and tactics which demonstrated persistent access to a major Asian telecommunications provider's network for over four years.
  • www.techradar.com: Information about the cyberespionage campaign targeting Asian telecom companies.

rohann@checkpoint.com@Check Point Blog //
Blind Eagle, which Check Point Research (CPR) describes as one of Latin America's most dangerous threat groups, has been targeting Colombian institutions and government entities since November 2024. The group, also tracked as APT-C-36, picks techniques that slip past conventional defenses: it hosts its payloads on trusted platforms such as Google Drive, Dropbox, GitHub, and Bitbucket, and it has recently adopted a variant of the exploit for CVE-2024-43451, an NTLM hash disclosure flaw in Windows that Microsoft patched in November 2024 and that had earlier been exploited as a zero-day by Russian-aligned actors against targets in Ukraine. CPR reports a high infection rate for these campaigns.

CPR found that Blind Eagle incorporated the exploit only six days after Microsoft released the patch. The lure is a malicious .URL file delivered by phishing email. Interacting with the file triggers a WebDAV request to attacker-controlled infrastructure: on unpatched systems this leaks the user's NTLMv2 hash, and even on patched systems it tells the attackers the file has reached a victim and fetches the next stage once the file is clicked, so victims rarely realize they have started the infection. The final payload is typically the Remcos RAT, a remote access trojan that gives the attackers full control of the infected system for data theft, remote command execution, and persistent access. One campaign in December 2024 alone affected more than 1,600 victims, a measure of the group's efficiency and targeting.

Recommended read:
References :
  • Check Point Blog: The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
  • bsky.app: Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
  • The Hacker News: The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.
  • gbhackers.com: Blind Eagle Hackers Exploit Google Drive, Dropbox & GitHub to Evade Security Measures
  • : Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
  • Talkback Resources: Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks
  • securityonline.info: Blind Eagle’s Rapid Adaptation: New Tactics Deployed Days After Patch
  • gbhackers.com: Blind Eagle Targets Organizations with Weaponized .URL Files to Steal User Hashes

Ridhika Singh@cysecurity.news //
A targeted cyber espionage campaign, which Proofpoint tracks as UNK_CraftyCamel, is aimed at aviation and satellite communications organizations in the United Arab Emirates (UAE). Proofpoint observed the activity in October 2024. The attackers combine polyglot files, a custom Go-based backdoor called Sosano, and a compromised business email account to evade detection, and they exploit existing business relationships and lures tailored to each target to deliver a multi-stage infection chain.

The attack opens with phishing emails sent from a compromised account at an Indian electronics company, INDIC Electronics, whose relationship with the targets lends the messages credibility. The emails link to ZIP archives hosted on domains that mimic legitimate companies. Inside, the malware components are disguised as polyglot files, a technique rarely seen in espionage operations: each file is laid out so that it parses validly as more than one format, which lets the attackers hide executable content inside what a file-type check or a casual inspection sees as a benign document. The reliance on polyglots points to an adversary that invests in stealth and obfuscation.
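Because a polyglot satisfies the header or trailer checks of two formats at once, a scanner that stops at the first matching signature misses the second identity. The Python below is an added example of the idea, not code from Proofpoint or any of the cited reports and not a reproduction of the UNK_CraftyCamel samples: it runs independent format checks over the whole file (a PDF header anywhere in the first 1 KiB, a ZIP end-of-central-directory record in the tail, a PE header reached through e_lfanew, and HTML/HTA script markup) and reports when more than one fires. The sample file is constructed in the block, a PDF-looking prefix with a real ZIP archive appended, and the 1 KiB PDF header window and the markup regex are simplifying assumptions.

```python
"""Detect files that parse as more than one container format (polyglots) by
running independent signature checks over the whole blob.  Added example with
a constructed sample; not code from any vendor report."""
import io
import re
import struct
import zipfile

PDF_HEADER_WINDOW = 1024        # assumption: readers tolerate %PDF- within the first 1 KiB
ZIP_EOCD_WINDOW = 22 + 0xFFFF   # EOCD record plus the maximum archive comment length


def looks_like_pdf(data: bytes) -> bool:
    return b"%PDF-" in data[:PDF_HEADER_WINDOW]


def looks_like_zip(data: bytes) -> bool:
    # ZIP readers locate the archive from the EOCD record at the END of the file,
    # so a ZIP appended to any other file still opens as an archive.
    return b"PK\x05\x06" in data[-ZIP_EOCD_WINDOW:]


def looks_like_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


_MARKUP_RE = re.compile(rb"<\s*(script|html|hta:application)\b", re.IGNORECASE)


def looks_like_markup(data: bytes) -> bool:
    return _MARKUP_RE.search(data) is not None


CHECKS = {
    "pdf": looks_like_pdf,
    "zip": looks_like_zip,
    "pe": looks_like_pe,
    "html/hta": looks_like_markup,
}


def detect_formats(data: bytes) -> set:
    """Every format whose check the blob satisfies, not just the first one."""
    return {name for name, check in CHECKS.items() if check(data)}


def is_polyglot(data: bytes) -> bool:
    return len(detect_formats(data)) > 1


def zip_members(data: bytes) -> list:
    """Prove the hidden archive is real by listing it with the standard library."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_polyglot() -> bytes:
    """Constructed sample: a PDF-looking prefix followed by a genuine ZIP archive."""
    pdf_prefix = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", "placeholder second stage (constructed)")
    return pdf_prefix + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("formats:", sorted(detect_formats(sample)))
    print("polyglot:", is_polyglot(sample))
    print("archive members:", zip_members(sample))
```

The ZIP check deliberately ignores the start of the file: since `zipfile` (like most archivers) seeks to the EOCD record and corrects the local header offsets for any leading bytes, the appended archive in the sample opens normally even though the file begins with a PDF header. Checking the extension or the first few magic bytes alone would have called it a PDF and stopped.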

Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.

Recommended read:
References :
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
  • Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
  • : New Cyber-Espionage Campaign Targets UAE Aviation and Transport
  • www.scworld.com: New Sosano malware attacks target UAE
  • securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
  • securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
  • www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.

do son@securityonline.info //
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UNC-200 is behind the campaign, which involves targeting high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which utilizes the Dark Crystal RAT (aka DCRat) to compromise systems.

This malicious activity involves distributing messages via Signal that contain what appears to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control, stealing valuable information and executing arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, and notes that the use of popular messengers increases the attack surface, including by creating uncontrolled information exchange channels.

Recommended read:
References :
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.

Andy Greenberg@Security Latest //
The US Justice Department has charged 12 Chinese nationals, including government officials and alleged hackers, in connection with a broad cyberespionage campaign. The individuals are accused of participating in a decade-long wave of cyberattacks around the globe, including a breach of the US Treasury Department. The charges highlight the existence of a "hackers for hire" system, allegedly supported by the Chinese government, to carry out digital intrusions worldwide.

Silk Typhoon, identified as the Chinese hacker group APT27, is among those implicated in the US Treasury breach. This group is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world. Microsoft Threat Intelligence has tracked Silk Typhoon's ongoing attacks since late 2024, revealing their preferred method of breaking into victims' environments using stolen API keys and cloud credentials, particularly targeting IT companies and government agencies.

Recommended read:
References :
  • Source: Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.
  • Security | TechRepublic: DoJ Busts Alleged Global Hacking-for-Hire Network of ‘Cyber Mercenaries’
  • The Register - Security: China's Silk Typhoon, tied to US Treasury break-in, now hammers IT and govt targets
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

Pierluigi Paganini@Security Affairs //
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.

Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.

Recommended read:
References :
  • CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether
  • Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
  • hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.

@cyberalerts.io //
UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, has been actively targeting critical infrastructure entities in Taiwan since at least 2023. Cisco Talos researchers have been tracking this campaign. The group utilizes a combination of web shells, such as the Chopper web shell, and open-sourced tooling to conduct post-compromise activities, focusing on persistence in victim environments for information theft and credential harvesting. UAT-5918 exploits N-day vulnerabilities in unpatched web and application servers exposed to the internet to gain initial access.

UAT-5918's post-compromise activities involve manual operations, emphasizing network reconnaissance and credential harvesting using tools like Mimikatz, LaZagne, and browser credential extractors. The threat actor deploys web shells across discovered sub-domains and internet-accessible servers, establishing multiple entry points. Their tactics, techniques, and procedures (TTPs) overlap with other APT groups like Volt Typhoon and Flax Typhoon, suggesting shared strategic goals in targeting geographies and industry verticals such as telecommunications, healthcare, and information technology sectors in Taiwan.

Recommended read:
References :
  • Cisco Talos Blog: UAT-5918 targets critical infrastructure entities in Taiwan
  • Industrial Cyber: UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon
  • thehackernews.com: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools
  • Talkback Resources: UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools [ics] [net]
  • Cyber Security News: UAT-5918 Threat Actors Target Exposed Web and Application Servers via N-Day Vulnerabilities
  • gbhackers.com: UAT-5918 Hackers Exploit N-Day Vulnerabilities in Exposed Web and Application Servers
  • The DefendOps Diaries: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.
  • securityaffairs.com: UAT-5918 APT group targets critical Taiwan
  • www.scworld.com: UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim systems.
  • Virus Bulletin: Cisco Talos researchers Jung soo An, Asheer Malhotra, Brandon White & Vitor Ventura analyse a UAT-5918 malicious campaign targeting critical infrastructure entities in Taiwan.

info@thehackernews.com (The Hacker News)@The Hacker News //
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary

@Talkback Resources //
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.
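A triage scanner for the encoded-script mechanism described above, added here as an example; it is not the researchers' tooling and not vbe-decoder.py. It looks for the two things a script host needs to run a Script Encoder payload inside an HTA: the `VBScript.Encode` / `JScript.Encode` language attribute and the encoder envelope (`#@~^` plus a 6-character base64 length field and `==`, the encoded body, then a 6-character base64 checksum and `==^#~@`). The sample HTA is constructed, and its body and length/checksum fields are placeholders rather than real encoded script.

```python
"""Triage an HTA file for Windows Script Encoder (VBE/JSE) payloads."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Script Encoder envelope: "#@~^" + 6-char base64 length field + "==",
# the encoded body, then a 6-char base64 checksum + "==^#~@".
VBE_ENVELOPE = re.compile(
    r"#@~\^(?P<length>[A-Za-z0-9+/]{6})=="
    r"(?P<body>.*?)"
    r"(?P<checksum>[A-Za-z0-9+/]{6})==\^#~@",
    re.DOTALL,
)
# The language attribute that tells the script host to decode before running.
ENCODED_SCRIPT_TAG = re.compile(
    r'<script[^>]*language\s*=\s*["\']?'
    r'(?P<lang>(?:VBScript|JScript)\.Encode)["\']?[^>]*>',
    re.IGNORECASE,
)

@dataclass
class Finding:
    kind: str     # "script-tag" or "envelope"
    offset: int   # character offset within the file
    detail: str   # language attribute, or encoded body length

def scan_hta(text: str) -> list[Finding]:
    """Return every encoded-script indicator in file order."""
    found = [Finding("script-tag", m.start(), m.group("lang"))
             for m in ENCODED_SCRIPT_TAG.finditer(text)]
    found += [Finding("envelope", m.start(), f"body_len={len(m.group('body'))}")
              for m in VBE_ENVELOPE.finditer(text)]
    return sorted(found, key=lambda f: f.offset)

# Constructed sample: the tag and envelope markers are real, but the body and
# the length/checksum fields are placeholders, not an actual encoded script.
SAMPLE_HTA = """<html><head><title>meeting minutes</title>
<script language="VBScript.Encode">
#@~^AAAAAA==placeholder-bodyAAAAAA==^#~@
</script></head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_hta(SAMPLE_HTA):
        print(f"{f.kind:10s} @ {f.offset:5d}  {f.detail}")
```

Hits on either indicator mark a file for deeper analysis with a proper decoder; a body length is reported rather than decoded because the decoding tables are out of scope here.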

Recommended read:
References :
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor