< ciso
brief />
Tag Banner

All news with #china nexus tag

229 articles

Rival Chinese and Indian Cyber Espionage Hits Pakistan

🔒 SentinelLabs reports that suspected China- and India-linked cyber operators targeted multiple Pakistani law enforcement systems between February 2024 and April 2026, focusing on Balochistan Police. The compromise affected servers hosting biometric records, case files and tenant registrations, and included implants in a public Complaint Management System. Analysts linked PlugX, ShadowPad and Cobalt Strike to China-nexus activity and Remcos to a suspected India-nexus actor. The incidents underscore risks from centralized police IT systems and concentrated intelligence value.
read more →

Multiple nation-linked groups target Pakistani police

🛡️ Cybersecurity researchers disclosed sustained espionage targeting Pakistani law enforcement between February 2024 and April 2026, impacting Balochistan Police and other agencies. Compromised assets included network appliances, web servers for police applications, and a Fortinet FortiMail gateway, with a Complaint Management System used to host implants. Four threat clusters deployed PlugX, ShadowPad, Cobalt Strike, and Remcos RAT, linking the activity to China- and India-nexus actors. The dual targeting by adversaries and partners underscores the high intelligence value of law enforcement systems.
read more →

New MODBEACON Rust RAT Uses gRPC Streaming

🛡️ QiAnXin attributes a new Rust-based remote access trojan named MODBEACON to the China-linked Silver Fox cluster. The memory-resident implant uses a modular, plugin-based architecture and leverages gRPC tunnel streaming with transport borrowed from open-source proxy tools (Xray/V2Ray) for its C2 channel. Distributors push the malware via counterfeit installers promoted through SEO poisoning and host C2 infrastructure on Amazon and Cloudflare CDNs.
read more →

Winning 54% of the Time: SOC Decisions and Threats

🎾 This week’s Threat Source reflects on decision-making in cybersecurity through a tennis analogy, arguing defenders need context and resilience rather than perfection. Cisco Talos details the China-nexus actor UAT-7810 expanding ORB networks by exploiting Ruckus and ASUS router vulnerabilities and deploying new backdoors like LONGLEASH and DOGLEASH. Additional briefs cover an AI-assisted ransomware incident, AirDrop/Quick Share flaws, a Tenda firmware backdoor, Estonia’s AI agent IDs, and new phishing and coinminer detections.
read more →

China-linked APT expands relay network and malware

🔍 Cisco Talos reports a China-nexus APT tracked as UAT-7810 has expanded a network of hijacked routers and devices called Operational Relay Boxes (ORBs) to hide other attackers' traffic. The group maintained a long-running LapDogs relay infrastructure and exploited unpatched Ruckus and ASUS router vulnerabilities to recruit devices. Researchers uncovered an upgraded backdoor, LONGLEASH, plus two new tools, DOGLEASH and JARLEASH, with evidence suggesting Chinese-speaking operators. Talos says the group's servers and malware remain active.
read more →

China‑Aligned Cluster Exploits Roundcube Mail Servers

🔒 New research from Proofpoint identified a suspected China-aligned cluster, tracked as UNK_MassTraction, exploiting vulnerable Roundcube webmail instances at US and Canadian universities. The attackers targeted physics and engineering departments using known Roundcube vulnerabilities to steal credentials, deploy webshells and establish persistent access. The campaign leveraged malicious JavaScript (IceCube) and exploited CVE-2025-49113 to load the VShell backdoor in memory, enabling lateral movement and espionage-focused intrusions.
read more →

Universities targeted via Roundcube zero‑day chain

🛡️ A suspected China-aligned threat cluster exploited patched and unpatched Roundcube webmail flaws to target physics and engineering departments at U.S. and Canadian universities. The campaign, tracked as UNK_MassTraction and first seen in May 2026, used CVE-2024-42009 XSS to steal credentials and a follow-up RCE CVE-2025-49113 to drop web shells or deploy VShell. The payload, dubbed IceCube, siphons credentials, 2FA tokens and cookies, then attempts persistent access via SquareShell or VShell.
read more →

Suspected China-Nexus Campaign Targets Indian Taxpayers

🛡️ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more →

Counterfeit USBs Infected JGSDF Networks Nearly Year

🔍 Leaked documents reveal that counterfeit USB flash drives carrying malware entered Japan's Ground Self-Defense Force (JGSDF) networks after being distributed during 2024 earthquake relief operations. The malicious drives, traced to sellers in China and priced below market rates, were discovered in February 2025 and found on over 50 computers, nearly half handling classified data. Investigators linked the malware to a strain previously associated with a China-linked hacking group, while authorities maintain the infection showed only self-replication behavior.
read more →

Mustang Panda uses cloud service for stealth C2

🛡️ A China-aligned espionage group, Mustang Panda, has run two campaigns targeting Indian government and hydropower-related networks, using new malware and abusing Zoho WorkDrive as a covert command-and-control channel. Acronis Threat Research Unit found active compromises affecting senior administrative systems, worked with CERT-In for remediation, and detailed three tools: SHARDLOADER, MINIRECON, and ZOHOMURK. The intrusions leveraged DLL sideloading via signed binaries and spear-phishing lures themed to hydropower and bilateral memoranda, with beaconing recorded from June 12–22, 2026.
read more →

China-linked group exploited REDCap to target research

🔒 Google warns that a China-associated threat actor, UNC6508, ran a prolonged espionage campaign targeting US and Canadian research environments by abusing legacy versions of REDCap. The attackers trojanized upgrade processes with modular malware called INFINITERED to achieve persistence, harvest credentials, and maintain a backdoor. GTIG recommends inspecting REDCap files, validating upgrades, and enforcing stronger authentication and DLP controls.
read more →

Windows SprySOCKS Variants Expand China‑linked Threat

🛡️ ESET researchers uncovered two Windows variants of the previously Linux-only backdoor SprySOCKS, internally tagged as WIN_DRV and WIN_PLUS. Both maintain the original C&C protocol and support TCP, UDP, and WebSocket channels, offering more than 30 commands for reconnaissance and remote control. WIN_DRV uses kernel drivers to hide activity and enable TCP traffic diversion, while WIN_PLUS abuses the Print Spooler to load the backdoor. Artifacts point to deployments between 2023–2024 against government targets in multiple countries, and there are limited indications of a UEFI bootkit being involved.
read more →

Windows SprySOCKS variants used in gov’t targeting

🔎 ESET researchers report Windows versions of the SprySOCKS malware, linked to the Chinese threat actor Earth Lusca, were used in 2023–2024 attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The Windows family includes WIN_DRV with kernel drivers for rootkit-like stealth and WIN_PLUS, a lighter backdoor. Both support TCP/UDP/WebSocket communications, SOCKS proxying, extensive C2 commands, file and process management, and data collection such as keystrokes and clipboard contents.
read more →

China-linked actors breach REDCap servers, steal research

🔒 Google Threat Intelligence Group attributes a long-running espionage campaign to UNC6508, a China-linked actor, which exploited exposed REDCap servers to deploy the custom Infinitered malware and exfiltrate sensitive medical research. The intrusion began in September 2023 and persisted through November 2025, with attackers harvesting credentials, maintaining persistent backdoors, and using enterprise email compliance rules to siphon data. Administrators are urged to update REDCap, enable MFA/2SV, and apply provided YARA rules and IoCs to detect infections.
read more →

FBI disrupts large AI-driven Outsider phishing network

🔎 The FBI, collaborating with Google and Black Lotus Labs, dismantled a China-linked phishing-as-a-service operation called Outsider Enterprise that used AI and distributed phishing kits across thousands of fraudulent websites and over a million URLs. Authorities seized administrative servers, a Shopify storefront, testing accounts, and roughly $100,000 in USDT, while redirecting many malicious domains to an FBI splash page. Google reports hundreds of thousands of affected users and has filed a civil suit against the infrastructure while coordinating with carriers to block fraudulent SMS campaigns.
read more →

China-linked hackers backdoor Linux login components

🔒Sygnia reports a China-nexus group, tracked as Velvet Ant, backdoored Linux login components including PAM and OpenSSH, embedding long-term access where routine cleanup would not reach. The actor altered trusted login programs to capture credentials, record sessions, or allow secret logins, with traces dating back to 2016. Isolation was bypassed by staging through internet-facing systems and bridging into air-gapped segments.
read more →

China-linked JDY botnet accelerates enterprise risk

🔍 Lumen’s Black Lotus Labs reports a China-linked botnet called JDY has grown to over 1,500 compromised SOHO and IoT devices used to rapidly discover and fingerprint internet-facing systems after public vulnerability disclosures. The activity, tied to nation-state actors including Volt Typhoon, enables persistent, distributed reconnaissance that can evade geofencing and IP-reputation controls. Researchers warn this marks a shift toward industrialized pre-exploitation scanning and undermines traditional perimeter patch and monitoring assumptions.
read more →

China-linked JDY botnet broadens US military focus

🛡️ JDY is a distributed reconnaissance botnet tied to China-nexus actors that has expanded from ~650 to over 1,500 compromised SOHO and IoT devices, with a heavy focus on U.S. military and associated networks. Researchers at Black Lotus Labs observed JDY rapidly scanning for newly disclosed vulnerabilities, collecting banners, TLS certificates, and protocol fingerprints. The botnet uses Tor-hidden services and a central Dispatch Service to receive scanning tasks and exfiltrate results, and supports TCP/SSL/UDP/ICMP scanning plus service fingerprinting.
read more →

Weekly cyber recap: supply chain worm and hacks

⚠️ Last week saw a range of high-impact incidents, from the Miasma worm compromising 73 Microsoft GitHub repositories to targeted mailbox espionage and an Instagram account compromise via an AI support tool. Vendors patched active Android flaws, researchers flagged malicious npm packages and a compromised Hola Browser installer, and U.S. agencies disrupted transnational investment fraud. Multiple threat clusters, including China-linked espionage groups and financially motivated actors, broadened their geographic scope and tactics, while many critical CVEs remain urgent for defenders to patch.
read more →

Chinese APT UNC5221 uses new backdoors to persist

🛡️ Volexity researchers attribute prolonged intrusions to the Chinese espionage group UNC5221 (aka VerdantBamboo), which used the Brickstorm backdoor plus previously undocumented malware Plenet and AgentPSD to maintain access. The actor compromised an MSP and victim systems, remaining undetected for at least 18 months and returning after remediation. Plenet is a cross-platform .NET backdoor; AgentPSD is a Python reverse shell used as fallback persistence.
read more →