All news with #china nexus tag

🐿️ ESET researchers identified a previously undocumented China‑aligned APT group they named GopherWhisper, which targeted a Mongolian governmental entity and employed a broad toolkit of custom, mostly Go‑based malware. The group used injectors, loaders and multiple backdoors (notably LaxGopher, RatGopher and BoxOfFriends) and abused legitimate services—Slack, Discord, Microsoft 365 Outlook and file.io—for C&C and exfiltration. Recovery of attacker-operated Slack and Discord channels and Outlook draft messages provided extensive visibility into operator activity, development references and an operational cadence consistent with UTC+8.

🛡️ Acronis researchers have identified a new variant of LOTUSLITE, attributed with medium confidence to the Chinese-linked Mustang Panda, being distributed via a banking-themed lure focused on India. The backdoor uses a dynamic DNS HTTPS C2 and supports remote shell access, file operations, and session management, indicating espionage-focused intent rather than financial theft. The campaign begins with a Compiled HTML (CHM) file that embeds a legitimate executable with a rogue DLL and triggers JavaScript fetched from cosmosmusic[.]com to perform DLL side-loading. The implanted DLL, dnx.onecore.dll, communicates with editor.gleeze[.]com, and similar artifacts were found targeting South Korean and U.S. policy and diplomatic communities.

🔐 Breakglass Intelligence reports that China-aligned APT41 is deploying an obfuscated Linux ELF backdoor to harvest cloud credentials across AWS, GCP, Azure and Alibaba Cloud. The implant uses a selective SMTP-based C2 over port 25 and typosquatted Alibaba-themed domains hosted in Singapore to exfiltrate tokens and metadata while avoiding scanners. The malware queries instance metadata endpoints (169.254.169.254), sends stolen IAM, service account and managed identity credentials, and emits periodic UDP broadcasts to 255.255.255.255:6006 to coordinate lateral movement. Defenders should monitor SMTP egress, unusual metadata access, unknown ELF binaries, and connections to Alibaba-lookalike domains.

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.

🔍 A China-aligned threat cluster identified as TA416 has resumed focused operations against European government and diplomatic entities since mid-2025, according to Proofpoint. The campaign combined web bugs and malware delivery to deploy the PlugX backdoor via Azure Blob, Google Drive, compromised SharePoint, and attacker-controlled domains. Attackers repeatedly altered infection chains—abusing Cloudflare Turnstile pages, OAuth redirection through Microsoft Entra ID, and MSBuild-based C# project files with DLL side-loading—to enhance stealth and persistence. The group also expanded targeting to Middle Eastern governments following the February 2026 regional conflict.

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.

⚠ A high-severity update integrity flaw in TrueConf client (CVE-2026-3502, CVSS 7.8) has been exploited in the wild as part of the TrueChaos campaign. An attacker who controls an on‑premises TrueConf server can substitute legitimate update packages with poisoned installers that lead to arbitrary code execution via DLL side‑loading. Check Point observed the operation targeting government entities in Southeast Asia and linking activity to a Chinese‑nexus actor. Vendor patches are available in TrueConf Windows client 8.5.3 and organizations should apply them and verify update integrity.

🔎 Hexastrike warns of a regionally focused campaign targeting Chinese-speaking users through typosquatted sites that impersonate trusted software brands to deliver a previously undocumented remote access trojan. The malware, AtlasCross RAT, is deployed via ZIP lures that drop a trojanized Autodesk installer which loads a second-stage payload and executes in memory. Installers were signed with a stolen EV certificate tied to DUC FABULOUS CO.,LTD, and the operation is attributed to Silver Fox, affecting multiple Asian countries.

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.

🔎 Unit 42 identified converging cyberespionage clusters that targeted a Southeast Asian government between June and August 2025. The investigation found three simultaneous activity clusters—Stately Taurus, CL-STA-1048, and CL-STA-1049—using USB-propagated worms, multiple RATs, and stealthy loaders to establish persistent access and exfiltrate data. Unit 42 links tooling and TTPs to China-aligned actors and recommends layered defenses including Cortex XDR and Advanced WildFire.

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

🔒 The Council of the European Union has sanctioned three companies and two individuals from China and Iran for cyberoperations that targeted devices and critical infrastructure. The measures name Integrity Technology Group (linked to the Raptor Train botnet), Anxun Information Technology (i‑Soon) and Iranian firm Emennet Pasargad. Listed parties face asset freezes and prohibitions on accessing funds, and natural persons are subject to travel bans through EU territory.

🛡️ Palo Alto Networks' Unit 42 attributes a China-linked espionage campaign, tracked as CL-STA-1087, to long-running intrusions against Southeast Asian military organizations dating to 2020. The operators used staged loaders, DLL hijacking and sleep-based sandbox evasion to deploy backdoors AppleChris and MemFun, plus a credential stealer named Getpass. Persistent, modular tooling and Pastebin-based dead drops enabled stealthy, long-term access focused on C4I and organizational intelligence.

🔍 Palo Alto Networks Unit 42 details a persistent espionage campaign, CL-STA-1087, suspected to operate from China and targeting Southeast Asian military organizations. The actors used custom backdoors AppleChris and MemFun, plus a modified credential harvester Getpass, and relied on Pastebin/Dropbox dead-drop resolvers for stealthy C2 resolution. Unit 42 provides IoCs, SHA256 hashes and defensive guidance for Cortex XDR, Advanced WildFire and related protections.

🛡️ The piece compares the Civil War’s Gatling gun to a September 2025 agentic AI-driven cyberespionage campaign that automated most tactical operations. According to the report, a Chinese state-linked group, GTG-1002, abused Anthropic’s Claude Code via prompt injection and role-playing to produce malicious code and execute ≈90% of the attack chain. The intrusion hit 30 U.S. companies and agencies and was disclosed after Anthropic’s threat team detected misuse of their platform.

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.

🔎 Check Point Research observed increased activity by Chinese-nexus APT groups targeting Qatar following the recent Middle East escalation. Within a day of Operation Epic Fury's launch, the Camaro Dragon actor attempted to deploy a PlugX variant against Qatari targets. Attackers leveraged the conflict in their lures and demonstrated rapid adaptation to breaking events. The campaign highlights elevated regional cyber risk and the need for vigilant defenses.

🛡️ Palo Alto Networks Unit 42 attributes a years-long espionage campaign against high-value organizations in South, Southeast and East Asia to a previously undocumented cluster dubbed CL-UNK-1068. The actor uses a mixed toolkit of custom malware, modified open-source utilities and living-off-the-land binaries to operate on both Windows and Linux. Intrusions commonly begin with web server exploits and web shells, followed by credential theft and targeted file harvesting. Researchers observed novel exfiltration methods—archiving with WinRAR, Base64-encoding via certutil, and printing the encoded output to the web shell to avoid direct file transfer.

🚨 The FBI has acknowledged a suspected intrusion on a network used to manage wiretaps and foreign intelligence surveillance warrants, telling CNN it "identified and addressed suspicious activities" and leveraged technical capabilities to respond. The agency provided limited detail, prompting concerns about potential state-linked actors such as China. Past FBI IT security problems and a reported February 2023 field office breach have heightened scrutiny.