CISO Brief

All news with #china nexus tag

207 articles

Chinese-linked Hackers Exploit Middle East Conflict

🔎 ESET warns that China-aligned APT groups have been exploiting the Middle East war to target maritime, energy and political organizations, while continuing global espionage aligned with Beijing’s strategic priorities. The report covers October 2025–March 2026 and highlights activity against Syria, Central and South America, and an attempted intrusion into an AI and robotics firm in South Korea. Russia-aligned actors focused on Ukraine and destructive campaigns, while Iran-aligned activity shifted to proxy and hacktivist actions amid internet disruptions.

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET confirms protections by its products and notes the report reflects a subset of its Threat Intelligence.

Webworm Adds EchoCreep and GraphWorm Using Discord

🔍 ESET researchers observed that China-aligned Webworm expanded its toolkit in 2025 with two new backdoors—EchoCreep and GraphWorm—that use Discord and the Microsoft Graph API for C2 communications. The actor increasingly favors proxy-based utilities and staging techniques such as SoftEther VPN and GitHub repositories to blend malicious traffic. Targets include government and enterprise entities across Asia and Europe, while older RATs appear to be abandoned.

Webworm APT Expands into Europe, Deploys New Backdoors

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.

China-linked TencShell implant derived from Rshell C2

🔍 Cato Networks' Cyber Threats Research Lab (CTRL) identified an undocumented Go-based implant called TencShell while responding to an April 2026 intrusion attempt against the Indian branch of a global manufacturer. The operation used a first-stage dropper, Donut shellcode, a disguised .woff web-font resource, memory injection and web-like C2 traffic. Cato blocked the intrusion and published technical findings in a May 13 report, linking the implant to an altered Rshell C2 lineage and Tencent-like API impersonation.

When China's AI Catches Up: Mythos and Global Risks

🔒 Anthropic's Mythos Preview, shared last month with a limited set of security partners, has demonstrated the ability to autonomously find zero-day vulnerabilities across major operating systems and browsers. Anthropic paired the release with Project Glasswing and $100 million in usage credits to help defenders, but reports of unauthorized access and denied requests from Chinese entities have already emerged. The development challenges the assumption of a durable US lead and has injected cybersecurity into high-level US–China summit talks, prompting urgent questions about access, regulation, and international cooperation.

Chinese-Linked Group Repeatedly Hits Azerbaijani Energy

🔒 Bitdefender links a multi-wave intrusion against an Azerbaijani oil and gas company to the China-affiliated group FamousSparrow, observed between December 2025 and February 2026. The adversary repeatedly exploited a Microsoft Exchange Server ProxyNotShell chain to deploy alternating backdoors — Deed RAT and TernDoor — across three waves. Attackers used evolved DLL side-loading via the legitimate LogMeIn Hamachi binary, attempted web shell persistence and lateral movement, and re-entered the environment despite remediation efforts.

China-linked UAT-8302 Targets Governments in 2024–2025

🔐 Cisco Talos attributes sustained attacks on government entities in South America since late 2024, and on agencies in southeastern Europe in 2025, to a China-nexus APT it tracks as UAT-8302. The actor deploys custom backdoors, notably a .NET implant called NetDraft (aka NosyDoor), and leverages tools such as CloudSorcerer, VShell and SNOWLIGHT/SNOWRUST. Talos highlights reuse of malware linked to multiple China-aligned clusters and extensive reconnaissance, lateral movement, and proxy/VPN-based persistence.

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

Silver Fox Uses ABCDoor Backdoor via Tax Phishing Campaign

🚨 A China-based cybercrime group known as Silver Fox ran tax-themed phishing campaigns that deployed a newly identified Python backdoor called ABCDoor. The attacks used PDFs linking to ZIP/RAR archives on abc.haijing88[.]com or malicious attachments and relied on a modified RustSL loader to fetch an encrypted ValleyRAT implant, whose plugin installed ABCDoor. Kaspersky and S2W observed over 1,600 phishing emails across waves targeting India, Russia, Indonesia and others. Organizations should treat unsolicited tax correspondence with suspicion, validate attachments out-of-band, and monitor for modified RustSL and HTTPS C2 activity.

China-Linked Hackers Target Asian Governments, Journalists

🔒 Trend Micro disclosed a China-aligned espionage campaign tracked as SHADOW-EARTH-053 that exploited N-day flaws in internet-facing Microsoft Exchange and IIS servers to deploy web shells (including Godzilla) and persistently stage the ShadowPad backdoor via DLL sideloading and AnyDesk. Targets spanned Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, Taiwan and one NATO member, Poland. Citizen Lab separately reported two phishing clusters, GLITTER CARP and SEQUIN CARP, impersonating journalists and tech/security alerts to harvest credentials and OAuth tokens. Researchers recommend urgent patching, virtual patching with WAF/IPS, and heightened monitoring for tunneling tools, web shells, and lateral-movement artifacts.

Chinese State-Linked Hacker Extradited to the U.S.

🛡️ Xu Zewei, a 34-year-old accused of working for China's Ministry of State Security and linked to the state-backed hacking group Hafnium (also called Silk Typhoon), has been extradited from Italy to the United States and arrived in Houston. He pleaded not guilty at a federal hearing and is being held at the Federal Detention Center. U.S. prosecutors allege Xu targeted COVID-19 researchers in early 2020 and participated in the 2021 Microsoft Exchange zero-day campaign; if convicted on charges including wire fraud, conspiracy to damage protected computers, and aggravated identity theft, he faces decades in prison.

Chinese National Extradited in Silk Typhoon Hacking Case

🔒 Xu Zewei, a 34-year-old Chinese national, has been extradited to the US and charged in connection with a series of intrusions between February 2020 and June 2021 allegedly tied to the Silk Typhoon campaign. US prosecutors allege Xu acted under direction of China's Ministry of State Security and used a private contractor, Shanghai Powerock Network Co. Ltd., to obscure government involvement. Authorities say early intrusions targeted US universities and COVID-19 researchers and later exploited Microsoft Exchange vulnerabilities; Xu faces counts including wire fraud, unauthorized access and identity theft, and his co-defendant remains at large.

Chinese National Posed as US Researcher to Get NASA Tech

🛰️ The NASA Office of Inspector General (OIG) says a Chinese national, identified in a 2024 indictment as Song Wu, posed as U.S. researchers to obtain sensitive aerospace modeling software and source code from NASA employees, universities, and private firms. The campaign ran from January 2017 through December 2021 and also targeted multiple U.S. government agencies. Song faces wire fraud and aggravated identity theft charges and remains at large.

Tropic Trooper Uses Trojanized SumatraPDF to Access Hosts

🛡️ Zscaler ThreatLabz attributes a new campaign to Tropic Trooper that uses a trojanized SumatraPDF installer to deliver the AdaptixC2 Beacon post‑exploitation agent. Victims—primarily Chinese‑speaking individuals in Taiwan, with some targets in South Korea and Japan—are lured via military‑themed ZIP archives that show a decoy PDF while fetching encrypted shellcode. The backdoored reader launches a Xiangoop‑derived loader called TOSHIS, which stages payloads and only escalates to installing Visual Studio Code and configuring VS Code tunnels for persistent remote access on high‑value hosts.

UK warns: Chinese hackers using hijacked device botnets

⚠️ The UK’s National Cyber Security Centre (NCSC-UK), alongside international partners, warns that China‑nexus threat actors are increasingly using large proxy networks of compromised consumer devices to route traffic and evade detection. These covert networks are largely composed of compromised SOHO routers, IoT cameras, DVRs, and NAS devices, and enable traffic to exit near intended targets to defeat geographic and static-IP defenses. Authorities point to large botnets such as Raptor Train (over 260,000 infected devices in 2024) and disrupted operations like KV‑Botnet; defenders are urged to deploy multifactor authentication, map edge devices, consume dynamic threat feeds, use allowlists, and adopt zero-trust and machine certificate verification.

GopherWhisper APT Abuses Outlook, Slack, Discord in Attacks

🔐 A previously undocumented state-linked threat cluster dubbed GopherWhisper has been observed using a Go-based toolkit and legitimate services such as Microsoft 365 Outlook (via the Microsoft Graph API), Slack, and Discord to perform command-and-control and payload delivery. ESET identified the campaign targeting a Mongolian government entity and uncovered multiple backdoors — including LaxGopher, RatGopher, and BoxOfFriends — plus an exfiltration utility that uploads stolen archives to file.io. Analysts recovered thousands of Slack and Discord messages from attacker accounts, and telemetry including UTC+8 activity helped link the group to China.

Countering China-Nexus Covert Networks of Edge Devices

🔒 This advisory from CISA and international partners, informed by UK NCSC analysis, describes a tactical shift by China‑nexus actors toward externally provisioned, large‑scale covert networks of compromised edge devices. Such networks—made up of SOHO routers, IoT cameras, NAS units and firewalls—are used for reconnaissance, malware delivery, multi‑hop C2 proxying and data exfiltration. The guidance urges organizations to map and inventory edge assets, baseline normal connections, leverage dynamic threat feeds, and enforce multifactor authentication to reduce exposure and improve detection.

Advisory: Defending Against China-Nexus Covert Networks

🛡️ CISA and the U.K. NCSC, together with federal and international partners, released an advisory on deniable, dynamic covert networks exploited by Chinese government-linked actors. The advisory outlines how threat groups leverage weak home, small-office, and IoT devices to build large botnets that enable espionage, intrusion, device takeover, and data theft. It provides actionable detection and mitigation steps — including asset mapping, connection baselining, persistent log collection, and multifactor authentication — to help organizations protect critical infrastructure.

China-aligned GopherWhisper APT Targets Mongolian Government

🛡️ ESET reports that a previously undocumented China-aligned APT, tracked as GopherWhisper, has compromised Mongolian governmental systems with a modular suite of backdoors and loaders. The actor primarily uses tools written in Go and abuses legitimate services — including Discord, Slack, Microsoft 365 Outlook, and file[.]io — for command-and-control and data exfiltration. ESET found about 12 infected systems at one institution, and telemetry from attacker-controlled Discord and Slack accounts suggests additional victims. Message timestamps and the Slack locale align with China Standard Time, supporting the China-aligned assessment.