< ciso
brief />
Tag Banner

All news with #apt tag

96 articles

China-linked APT expands relay network and malware

🔍 Cisco Talos reports a China-nexus APT tracked as UAT-7810 has expanded a network of hijacked routers and devices called Operational Relay Boxes (ORBs) to hide other attackers' traffic. The group maintained a long-running LapDogs relay infrastructure and exploited unpatched Ruckus and ASUS router vulnerabilities to recruit devices. Researchers uncovered an upgraded backdoor, LONGLEASH, plus two new tools, DOGLEASH and JARLEASH, with evidence suggesting Chinese-speaking operators. Talos says the group's servers and malware remain active.
read more →

New Iran-linked hacking group targets Israeli IT

🛡️ Check Point Research has identified a new Iran-linked cyber threat group, dubbed Cavern Manticore, targeting Israeli government and IT organizations since early 2026. The group leverages abused RMM tools and browser-based remote desktop features for initial access and persistence, often deploying malicious updates via SysAid. Researchers observed a previously undocumented modular .NET-based C2 framework composed of a persistent Cavern agent and specialized Cavern modules, designed to evade detection and hinder forensic analysis.
read more →

FBI warns of Russian targeting Signal backup keys

🔔 The FBI has issued a public service announcement warning that multiple clusters of Russian intelligence actors, including FSB officers and military hackers, are targeting high-risk users to steal Signal Backup Recovery Keys. The campaign uses phishing messages masquerading as messaging app support to elicit verification codes, account PINs, and recovery keys. Victims include government officials, military personnel, journalists and Ukrainian officials. Users are advised to only trust official support channels and to generate a new recovery key to invalidate older backups.
read more →

Chinese APT UNC5221 uses new backdoors to persist

🛡️ Volexity researchers attribute prolonged intrusions to the Chinese espionage group UNC5221 (aka VerdantBamboo), which used the Brickstorm backdoor plus previously undocumented malware Plenet and AgentPSD to maintain access. The actor compromised an MSP and victim systems, remaining undetected for at least 18 months and returning after remediation. Plenet is a cross-platform .NET backdoor; AgentPSD is a Python reverse shell used as fallback persistence.
read more →

Chinese-linked Hackers Exploit Middle East Conflict

🔎 ESET warns that China-aligned APT groups have been exploiting the Middle East war to target maritime, energy and political organizations, while continuing global espionage aligned with Beijing’s strategic priorities. The report covers October 2025–March 2026 and highlights activity against Syria, Central and South America, and an attempted intrusion into an AI and robotics firm in South Korea. Russia-aligned actors focused on Ukraine and destructive campaigns, while Iran-aligned activity shifted to proxy and hacktivist actions amid internet disruptions.
read more →

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET confirms protections by its products and notes the report reflects a subset of its Threat Intelligence.
read more →

Ghostwriter Targets Ukrainian Government via Prometheus Lures

📄 The Belarus-aligned threat actor Ghostwriter (aka UAC-0057/UNC1151) is using Prometheus e-learning themed phishing lures targeting Ukrainian government entities. CERT-UA reports the campaign, active since spring 2026, uses PDF links to deliver a ZIP with JavaScript that stages multiple payloads: OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK. The operation harvests system data and ultimately deploys Cobalt Strike, with advice to restrict wscript.exe for standard users to reduce risk.
read more →

AI-Enabled Attacks Shift from Labs to Live Threats

🛡️ Check Point Research’s March–April 2026 Threat Landscape Digest documents that AI-powered attacks have moved from experimental and state-sponsored exercises into routine criminal deployment. The report details a campaign in Mexico where a single operator used commercial AI to compromise nine government agencies, leveraging persistent jailbreaks, weaponized agent configuration files, and commodified attack platforms like EvilTokens. It warns that stolen AI provider keys, rapid exploit timelines, and shadow AI use create urgent operational and supply-chain risks for organizations.
read more →

Webworm APT Expands into Europe, Deploys New Backdoors

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.
read more →

Kazuar: Anatomy of a Nation-State P2P Botnet Operations

🔍 Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.
read more →

China-linked UAT-8302 Targets Governments in 2024–2025

🔐 Cisco Talos attributes a China-nexus APT it tracks as UAT-8302 to sustained attacks on government entities in South America since late 2024 and on agencies in southeastern Europe in 2025. The actor deploys custom backdoors, notably a .NET implant called NetDraft (aka NosyDoor), and leverages tools such as CloudSorcerer, VShell and SNOWLIGHT/SNOWRUST. Talos highlights reuse of malware linked to multiple China-aligned clusters and extensive reconnaissance, lateral movement, and proxy/VPN-based persistence.
read more →

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.
read more →

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.
read more →

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.
read more →

ScarCruft Supply-Chain Compromise Targets Yanbian Gamers

🕵️ ESET researchers uncovered a supply‑chain attack by North Korea‑aligned APT ScarCruft that trojanized a Yanbian‑focused gaming platform. The operation used a malicious Windows update to deploy RokRAT and ultimately the sophisticated BirdCall backdoor, while repackaged Android APKs contained a newly identified Android port of BirdCall. The backdoor harvests files, contacts, screenshots and ambient audio for targeted espionage.
read more →

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.
read more →

TGR-STA-1030 Targets New Activity in Central America

🔎 Since February, Unit 42 has observed sustained operations by TGR-STA-1030 across multiple countries, with a pronounced concentration in Central and South America. The observed intrusions reuse the same tactics, techniques, and procedures previously attributed to this group, indicating continuity with prior espionage campaigns. Analysts reference The Shadow Campaigns: Uncovering Global Espionage for historical context, and advise organizations in affected regions to review detections and strengthen defensive controls.
read more →

CISA Warns of FIRESTARTER Targeting Cisco ASA Devices

🔒 CISA published a malware analysis on FIRESTARTER, a backdoor that enables remote access and persistent control of Cisco Firepower and Secure Firewall devices running ASA or FTD software. The report, co-sealed with NCSC-UK, attributes exploitation to an APT using CVE-2025-20333 and CVE-2025-20362. CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, apply vendor updates, and report findings to mitigate ongoing risk.
read more →

China-aligned GopherWhisper APT Targets Mongolian Government

🛡️ ESET reports a previously undocumented China-aligned APT, tracked as GopherWhisper, has compromised Mongolian governmental systems with a modular suite of backdoors and loaders. The actor primarily uses tools written in Go and abuses legitimate services — including Discord, Slack, Microsoft 365 Outlook, and file[.]io — for command-and-control and data exfiltration. ESET found about 12 infected systems at one institution and telemetry from attacker-controlled Discord and Slack suggests additional victims. Message timestamps and Slack locale align with China Standard Time, supporting a China-aligned assessment.
read more →

GopherWhisper: China-aligned APT uses Go-based malware

🐿️ ESET researchers identified a previously undocumented China‑aligned APT group they named GopherWhisper, which targeted a Mongolian governmental entity and employed a broad toolkit of custom, mostly Go‑based malware. The group used injectors, loaders and multiple backdoors (notably LaxGopher, RatGopher and BoxOfFriends) and abused legitimate services—Slack, Discord, Microsoft 365 Outlook and file.io—for C&C and exfiltration. Recovery of attacker-operated Slack and Discord channels and Outlook draft messages provided extensive visibility into operator activity, development references and an operational cadence consistent with UTC+8.
read more →