< ciso brief />

All news with #china nexus tag

185 articles · page 3 of 10

Hidden DKnife AitM Framework Targets Routers Since 2019

🔍 Cisco Talos researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and active through January 2026. The toolkit targets routers and edge devices running CentOS/Red Hat Enterprise Linux, using seven ELF components to perform DPI, traffic interception, DNS hijacking and in-line substitution of Android and Windows downloads. Talos attributes the framework with high confidence to Chinese-nexus actors and notes overlaps with campaigns delivering WizardNet, DarkNimbus and ShadowPad.

China-linked DKnife AitM Framework Targets Routers

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.

China-linked Amaranth-Dragon targets Southeast Asia in 2025

🔍 Check Point Research identified a China-linked cluster named Amaranth-Dragon that conducted narrowly focused cyber espionage across Southeast Asia throughout 2025, primarily targeting government and law enforcement entities. Attacks exploited CVE-2025-8088 in WinRAR and used DLL side-loading to deploy an Amaranth Loader and the Havoc C2, while variants like TGAmaranth RAT leveraged a hard-coded Telegram bot. The operators limited exposure by geo-restricting Cloudflare-protected C2s and exhibited tooling and operational overlaps with the APT41 ecosystem.

Amaranth-Dragon Espionage Campaigns Target ASEAN 2025

🔍 Check Point Research disclosed highly targeted cyber espionage campaigns across ASEAN in 2025 attributed to Amaranth-Dragon, a newly identified actor tied to the APT41 ecosystem. The group rapidly weaponized newly disclosed vulnerabilities, notably a critical WinRAR flaw, and used realistic lures linked to political and security events. Operators favored country-restricted infrastructure, reputable cloud services, and stealthy tooling to quietly collect intelligence from government and law enforcement targets.

Notepad++ Updates Hijacked in Chinese APT Supply-Chain

🔒 The open-source editor Notepad++ was the target of a sophisticated supply-chain attack after threat actors compromised its shared hosting provider and redirected selective update traffic to malicious servers between June and December 2025. Researchers say the campaign is likely Chinese state-sponsored; Rapid7 identified a custom backdoor called Chrysalis and observed Cobalt Strike and Metasploit activity. Notepad++ has migrated hosting and improved its WinGUp updater to verify certificates and signatures, with enforcement planned in forthcoming releases.

Notepad++ Hosting Breach Attributed to Lotus Blossom

🔒 Rapid7 attributes a late-2025 compromise of the infrastructure hosting Notepad++ to the China-linked actor known as Lotus Blossom. Attackers delivered a previously undocumented backdoor, Chrysalis, via a malicious NSIS installer after hijacking update requests beginning in June 2025; access was terminated on December 2, 2025. Notepad++ patched updater verification in version 8.8.9, migrated hosting, rotated credentials, and responders have published indicators and mitigations.

Notepad++ Update Hijacked by Chinese State Hackers

🔒 Notepad++ developers say Chinese state-sponsored actors hijacked the project's update delivery last year, intercepting and selectively redirecting update requests to malicious servers by exploiting insufficient verification in older WinGUp updaters. The compromise began in June 2025 after a hosting provider breach and persisted until Dec 2, 2025, when the provider terminated access. The project migrated hosting, rotated credentials, patched the updater to verify certificates and signatures, and urges users to change SSH/FTP/MySQL credentials, review WordPress accounts, and update software.

Former Google Engineer Guilty of Stealing AI Secrets

🔒 A former Google engineer, Linwei Ding, was convicted by a US federal jury on 14 counts, including economic espionage and theft of trade secrets, after allegedly exfiltrating over 2,000 pages of sensitive AI technical documents. Prosecutors say he copied data into Apple Notes, converted it to PDFs, and uploaded the materials to a personal Google Cloud account to evade DLP controls. The stolen IP involved custom TPU and GPU orchestration software and SmartNIC designs intended for AI supercomputers, and the DoJ alleges Ding planned to support Chinese state-affiliated entities.

Former Google Engineer Convicted for Stealing AI Data

🔒 A U.S. jury has convicted Linwei Ding, a former software engineer at Google, for stealing confidential AI supercomputer information and covertly sharing it with China-based technology firms. Prosecutors say Ding exfiltrated more than 2,000 pages of proprietary material — including details about TPU and GPU systems, orchestration software, and SmartNIC networking — by uploading files to his personal cloud account between May 2022 and April 2023. He later founded Shanghai Zhisuan Technology Co., sought government talent programs, and was convicted on multiple counts of economic espionage and trade secret theft after an 11-day San Francisco trial.

China-Linked UAT-8099 Targeting IIS Servers in Asia

🔍 Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.

Mustang Panda Deploys Updated COOLCLIENT for Data Theft

🚨 Kaspersky reports that China-linked Mustang Panda used an updated COOLCLIENT backdoor in 2025 to exfiltrate data from government targets across Myanmar, Mongolia, Malaysia, and Russia. The implant was deployed as a secondary backdoor alongside PlugX and LuminousMoth, delivered via encrypted loaders and abusing DLL side-loading of legitimately signed binaries. COOLCLIENT harvests keystrokes, clipboard data, files, and HTTP proxy credentials, can establish reverse tunnels, and loads in-memory plugins; recent waves also incorporated browser credential stealers and a previously unseen rootkit.

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.

PeckBirdy: JScript C2 Framework Used by China-Linked APTs

🛡️ Trend Micro researchers uncovered PeckBirdy, a JScript-based command-and-control framework used by China-aligned APTs since 2023 to target gambling sites, government portals, and private organizations across Asia. The flexible framework executes via living-off-the-land binaries (LOLBins) and supports browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET execution paths. Operators relied on watering-hole injections and fake Google Chrome update pages to deliver staged scripts and deploy modular backdoors such as HOLODONUT and MKDOOR. Detection is complicated by dynamically generated, runtime-injected JavaScript and scarce persistent artifacts.

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.

Malicious AI VSCode Extensions Exfiltrate Developer Data

⚠️ Researchers from Koi found two malicious AI-style extensions on the VSCode Marketplace — ChatGPT – 中文版 and ChatMoss — that together have 1.5 million installs and silently transmit developer files to China-based servers. The extensions implement three distinct data-collection methods: real-time file reads and Base64 exfiltration via hidden webviews, a server-controlled file-harvest command that can steal up to 50 files, and a zero-pixel iframe that loads commercial analytics SDKs for fingerprinting and behavioral tracking. At publication both extensions were still available and Microsoft had not responded to inquiries.

EU Commission Proposal Would Allow Bans on High-Risk Vendors

🔒 The EU Commission has proposed a legal mechanism to ban network-equipment vendors it considers high-risk, a move widely seen as targeting Chinese firms such as Huawei and ZTE though the draft does not name specific companies. The plan would let Brussels require member states to replace prohibited technology in critical infrastructure within three years. It would also strengthen ENISA with additional staff and funding to coordinate EU-wide cybersecurity and ransomware defenses.

China-linked Hackers Exploited Sitecore Zero-Day Access

🔒 Cisco Talos describes an actor tracked as UAT-8837, active since at least 2025, that targeted North American critical infrastructure to gain initial access. The group exploited both compromised credentials and a Sitecore ViewState deserialization zero-day (CVE-2025-53690), with Mandiant linking the flaw to deployment of the WeepSteel reconnaissance backdoor. Post-compromise activity focused on credential theft, Active Directory enumeration, and use of living-off-the-land utilities and open-source tools to evade detection.