Sergiu Gatlan@BleepingComputer
//
Google has released a critical security update for its Chrome browser to address a high-severity zero-day vulnerability, identified as CVE-2025-2783. This vulnerability was actively exploited in a sophisticated espionage campaign targeting Russian organizations, specifically media companies, educational institutions, and government entities. According to Kaspersky, the vulnerability allowed attackers to bypass Chrome’s sandbox protections, gaining unauthorized access to affected systems without requiring further user interaction. This incident marks the first actively exploited Chrome zero-day since the start of the year, underscoring the persistent threat landscape faced by internet users.
Kaspersky's investigation, dubbed "Operation ForumTroll," revealed that the attacks were initiated through personalized phishing emails disguised as invitations to the "Primakov Readings" forum. Clicking the malicious link led victims to a compromised website that immediately exploited the zero-day vulnerability. The technical sophistication of the exploit chain points to a highly skilled Advanced Persistent Threat (APT) group. Google urges users to update their Chrome browsers immediately to version 134.0.6998.177/.178 for Windows to mitigate the risk.
Recommended read:
References :
- cyberinsider.com: Google has released a security update for Chrome to address a high-severity zero-day vulnerability that was actively exploited in a sophisticated espionage campaign targeting Russian organizations.
- thehackernews.com: Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
- securityaffairs.com: Google fixed the first actively exploited Chrome zero-day since the start of the year
- techcrunch.com: Google fixes Chrome zero-day security flaw used in hacking campaign targeting journalists
- thecyberexpress.com: Google has rolled out a new security update for Chrome users, following the discovery of a vulnerability, CVE-2025-2783, affecting the Windows version of the browser.
- The DefendOps Diaries: Google Chrome Vulnerability CVE-2025-2783: A Closer Look
- Cybernews: Google has patched a dangerous zero-day vulnerability that has already been exploited by sophisticated threat actors in the wild
- Zack Whittaker: New: Google has fixed a zero-day bug in Chrome that was being actively exploited as part of a hacking campaign. Kaspersky says the bug was exploited to target journalists and employees at educational institutions.
- Kaspersky official blog: Kaspersky’s GReAT experts have discovered the Operation ForumTroll APT attack, which used a zero-day vulnerability in Google Chrome.
- bsky.app: Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations.
- Cyber Security News: Operation ForumTroll: APT Hackers Use Chrome Zero-Day to Evade Sandbox Protections.
- www.bleepingcomputer.com: Google has released out-of-band fixes to address a high-severity security flaw in Chrome browser for Windows that has been actively exploited.
- Help Net Security: Help Net Security: Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
- securityonline.info: CVE-2025-2783: Chrome Zero-Day Exploited in State-Sponsored Espionage Campaign
- MSSP feed for Latest: Google remediated the high-severity Chrome for Windows zero-day vulnerability.
- The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
- thecyberexpress.com: CISA Issues Urgent Security Alerts: Critical Vulnerabilities in Schneider Electric, Chrome, and Sitecore
- PCMag UK security: Details about Firefox also being affected by Chrome zero-day flaw
- CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
- iHLS: Google Patches Dangerous Zero-Day Flaw in Chrome
- PCMag UK security: Time to Patch: Google Chrome Flaw Used to Spread Spyware
- MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
- gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
- Security Affairs: Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows.
- The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
- The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
- Blog: Mozilla has released updates to fix a critical security flaw in its Firefox browser for Windows. The vulnerability, designated CVE-2025-2857, stems from improper handling within the browser's inter-process communication (IPC) code, which could allow a compromised child process to gain elevated privileges by manipulating the parent process into returning a powerful handle, potentially leading to sandbox escape.
- techcrunch.com: Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
- securityaffairs.com: Google addressed a critical vulnerability, tracked as CVE-2025-2783, impacting its Chrome browser for Windows.
- securityaffairs.com: U.S. CISA adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog
- www.scworld.com: Mozilla Patches Firefox Bug Exploited in the Wild, Similar to Chrome Zero-Day
- OODAloop: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
Bill Mann@CyberInsider
//
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.
The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
Recommended read:
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
- Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
- blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
- Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
- Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.
Pierluigi Paganini@Security Affairs
//
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.
US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.
Recommended read:
References :
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
- BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
- cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
- Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
- The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
- gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
- Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
- Source: Silk Typhoon targeting IT supply chain
- www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
- Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
- Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
- securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
- Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
- Blog: Silk Typhoon levels up, goes after IT supply chains
@cyberscoop.com
//
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.
Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.
Recommended read:
References :
- cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
- Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
- techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
- www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
- Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
- cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
- CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
- Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
- Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
- Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
- ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
- BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
- industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
- Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
- SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
- Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
- cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References :
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether The post appeared first on .
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
info@thehackernews.com (The@The Hacker News
//
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.
Recommended read:
References :
- The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
- The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
- www.it-daily.net: SideWinder now also attacks nuclear power plants
- securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
- Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
@www.silentpush.com
//
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.
Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.
Recommended read:
References :
- gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
- hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
- www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
- Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
- securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
Pierluigi Paganini@securityaffairs.com
//
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.
Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.
Recommended read:
References :
- cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
- BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
- securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
- securityaffairs.com: Russia-linked threat actors exploit Signal messenger
- Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
- cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
- bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices� Feature for Espionage in Ukraine
- Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
- cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
- Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
- Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
- www.onfocus.com: Google Threats on Signals of Trouble
- cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
- arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
- MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
- Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
- thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.
Pierluigi Paganini@Security Affairs
//
The Polish Space Agency (POLSA) has shut down its systems and disconnected from the internet following a major cyberattack detected over the weekend. The agency confirmed the unauthorized intrusion into its IT infrastructure, prompting an immediate response to secure sensitive data. Cybersecurity teams are actively working to restore operations, with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military CSIRT (CSIRT MON) assisting POLSA in securing affected systems.
Poland's Minister of Digital Affairs, Krzysztof Gawkowski, stated that the systems under attack were secured and that intensive operational activities are underway to identify the perpetrators behind the cyberattack. While the exact nature of the breach remains undisclosed, sources suggest that POLSA’s internal email systems were compromised, forcing employees to communicate via phone. Amid escalating cyber threats, Poland is significantly ramping up its cybersecurity defenses, with suspicions pointing towards Russian involvement.
Recommended read:
References :
- Report Boom: Reportboom article on Polish Space Agency cyberattack.
- techcrunch.com: Details on the Polish Space Agency (POLSA) IT infrastructure breach
- thecyberexpress.com: Cyberattack on POLSA
- securityaffairs.com: Polish Space Agency POLSA disconnected its network following a cyberattack
- www.cysecurity.news: Poland’s space agency, POLSA, has reported a cyberattack on its systems, prompting an ongoing investigation.
@cyberinsider.com
//
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.
The FinalDraft toolkit includes a loader, named PathLoader, a backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory, avoiding static analysis through API hashing and obfuscation. FinalDraft itself is a 64-bit malware written in C++ focused on data exfiltration and process injection, exploiting Outlook's mail drafts as a C2 channel. The malware creates session draft emails, reads and deletes command request drafts generated by the attackers, executes commands, and writes responses as draft emails.
Recommended read:
References :
- cyberinsider.com: Elastic Security Labs has identified a new malware family named FinalDraft, that uses Microsoft’s Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional network monitoring.
- Virus Bulletin: infosec.exchange post on finaldraft
- The Hacker News: FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
- BleepingComputer: A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
- securityonline.info: SecurityOnline article detailing how FinalDraft malware uses Outlook drafts for covert communication.
- www.bleepingcomputer.com: BleepingComputer news article on FinalDraft malware abusing Outlook email drafts for command-and-control.
- securityonline.info: In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family The post appeared first on .
- Anonymous ???????? :af:: A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country.
drewt@secureworldexpo.com (Drew Todd)@SecureWorld News
//
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.
Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.
Recommended read:
References :
- bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Anonymous ???????? :af:: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
- Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
- SecureWorld News: Chinese cyber espionage group
Salt Typhoon has made headlines in the last year, breaching major , including AT&T, Verizon, and Lumen Technologies.
- cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
- www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
- gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
- www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants
@www.bleepingcomputer.com
//
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially-motivated cybercrime.
These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.
Recommended read:
References :
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- The Hacker News: Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- www.bleepingcomputer.com: Salt Typhoon uses JumbledPath malware to spy on US telecom networks
Mandvi@Cyber Security News
//
The FishMonger APT, a Chinese cyber-espionage group with ties to the cybersecurity contractor I-SOON, has been implicated in a global espionage operation known as Operation FishMedley. This campaign, active in 2022, targeted a diverse range of entities, including governments, non-governmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. These findings come as the US Department of Justice unsealed an indictment against I-SOON employees for their alleged involvement in espionage campaigns spanning from 2016 to 2023.
The attacks involved sophisticated malware implants such as ShadowPad, Spyder, and SodaMaster, tools frequently associated with China-aligned threat actors. These implants facilitated data theft, surveillance, and network penetration. One case revealed attackers used the Impacket tool to escalate privileges, execute commands, and extract sensitive authentication data from a US-based NGO. ESET's independent research confirms FishMonger is an espionage team operated by I-SOON, highlighting the ongoing threat posed by China-aligned APT groups to sensitive sectors worldwide.
Recommended read:
References :
- Cyber Security News: Chinese FishMonger APT Linked to I-SOON Targets Governments and NGOs
- Virus Bulletin: ESET's Matthieu Faou writes about Operation FishMedley, a global espionage operation by FishMonger, the China-aligned APT group run by I-SOON. In the victims list: governments, NGOs and think tanks across Asia, Europe and the United States.
- : FishMonger APT Group Linked to I-SOON in Espionage Campaigns
- gbhackers.com: GB Hackers: I-SOON’s ‘Chinese Fishmonger’ APT Targets Government Entities and NGOs
- Talkback Resources: Talkback: Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley [net] [rev] [mal]
|
|
FlagThis - #espionage