ciso brief

All news with #china nexus tag

185 articles · page 4 of 10

LOTUSLITE Backdoor Targets U.S. Policy and Diplomacy

🛡️ A targeted campaign used political lures and a ZIP archive to deliver a DLL side-loading chain that installs the backdoor LOTUSLITE (kugou.dll), aimed at U.S. government and policy organizations. Acronis researchers attributed the activity with moderate confidence to the Chinese-linked Mustang Panda cluster and observed registry persistence, WinHTTP C2 communications, and remote CMD tasking. It remains unclear whether intended targets were successfully compromised.

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum-severity AsyncOS zero-day (CVE-2025-20393) that has been exploited since November 2025. The flaw affects Cisco Secure Email Gateway and Secure Email and Web Manager appliances in a non-default configuration, when the Spam Quarantine feature is exposed to the internet, and permits arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to remediate under BOD 22-01.

China-Linked APT Exploits Sitecore Zero-Day in US

⚠️ Cisco Talos says a China-aligned advanced persistent threat tracked as UAT-8837 has been leveraging a critical Sitecore zero-day (CVE-2025-53690, CVSS 9.0) to gain initial access to North American critical infrastructure. The actor uses both exploit-based access and compromised credentials, then deploys open-source tools for credential harvesting, Active Directory reconnaissance, and persistent remote access. Observed artifacts include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, Rubeus, and Certipy, raising supply chain and OT exposure concerns.

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.

Predicting 2026: Cyber Threats, AI Risks, and APTs

🔮 Cisco Talos outlines its expectations for cybersecurity in 2026, warning of continued geopolitically driven activity, including infostealers, phishing, and destructive operations run through proxies. The briefing highlights the growing risk from inadequately governed generative AI agents, which could cause breaches or behave like insider threats through flawed design or prompt manipulation. Talos also stresses that familiar weaknesses (unpatched systems, leaked credentials, and absent MFA) will remain the primary enablers of intrusion. The advisory specifically flags UAT-8837, a China-nexus APT (medium confidence) targeting critical infrastructure since 2025, and urges patching, credential hygiene, and proactive hunting.

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on gaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in Sitecore) and often deploys open-source tooling (EarthWorm, SharpHound, DWAgent, Certipy, and GoTokenTheft) to harvest credentials, enumerate Active Directory, and build remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoor accounts and remote admin access, and swap tools when endpoint protection blocks a payload. Talos provides IOCs, Snort rules, and ClamAV signatures for detection and mitigation.

Chinese Linux Malware Framework Targets Cloud and Containers

🔎 Check Point Research has identified a modular Linux malware framework, VoidLink, linked to Chinese-speaking developers and designed to target cloud and container environments. The framework includes custom loaders, implants, rootkits and over 30 plugins supporting reconnaissance, lateral movement, persistence and anti-forensic techniques. It detects AWS, GCP, Azure, Alibaba and Tencent and can enumerate containers, hypervisors and orchestration platforms. No live infections have been confirmed, but documentation suggests commercial intent and active development.

VoidLink: Advanced Linux Cloud-Native Malware Framework

🛡️ Check Point Research disclosed a previously undocumented Linux malware framework named VoidLink, designed for long-term stealthy access to cloud and container environments. The cloud-native toolkit is highly modular, written in Zig, and comprises custom loaders, implants, rootkits, and an in-memory plugin system with more than 30 modules. It supports diverse C2 channels (HTTP/HTTPS, WebSocket, ICMP, DNS), peer-to-peer mesh networking, and automated cloud discovery across AWS, GCP, Azure, Alibaba, and Tencent. Check Point assesses the framework as actively maintained and attributes it to China-affiliated actors, warning of significant credential-theft and supply-chain risks for cloud-native ecosystems.

Chinese-linked actors exploit VMware ESXi via SonicWall VPN

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, chaining three vulnerabilities that Broadcom had disclosed as exploited zero-days, and patched, in March 2025 (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226); the hosts hit in December were therefore still running builds that predate those fixes. The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU (a Windows driver-loading tool, so the chain starts inside a guest), and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled escapes from a guest VM to the hypervisor, remote control of ESXi hosts over VSOCK port 10000, and file transfer from guest VMs; Huntress halted the activity before a suspected ransomware stage could complete.

China-linked UAT-7290 Targets Telcos via Edge Exploits

🛡️ Cisco Talos warns that a China-linked actor tracked as UAT-7290 has expanded its focus to telecommunications providers in Southeastern Europe. The group leverages Linux-based malware and one-day public exploits against edge network devices, plus targeted SSH brute force, to gain initial access and escalate privileges. UAT-7290 also establishes Operational Relay Boxes (ORBs) that are reused by other China-aligned actors. Talos published technical details and IOCs to help affected organizations respond.

VMware ESXi zero-days likely exploited a year earlier

🔒 Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been built more than a year before the vulnerabilities were publicly disclosed. Huntress analysts found PDB build paths and simplified Chinese artifacts indicating that components were compiled in late 2023 and early 2024. The toolkit chains multiple ESXi flaws to escape guest VMs into the hypervisor, load an unsigned kernel driver, and deploy a persistent backdoor. Organizations are urged to apply the latest ESXi security updates and to run the supplied detection rules to identify compromise.
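
Huntress dated the toolkit from PE build artifacts, and the two fields involved, the COFF compile timestamp and the CodeView PDB path, are cheap to pull during triage. The following is an added example, not Huntress tooling, showing how: it reads IMAGE_FILE_HEADER.TimeDateStamp and the first RSDS record from a Windows PE image. The sample bytes are a constructed minimal PE-like blob, not a real binary, and the PDB path inside it is hypothetical.

```python
"""Build-date triage for a PE file: COFF compile timestamp plus CodeView PDB path.
Added example, not Huntress tooling."""
import struct
import uuid
from datetime import datetime, timezone


def pe_timestamp(data: bytes):
    """UTC datetime from IMAGE_FILE_HEADER.TimeDateStamp, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def pdb_info(data: bytes):
    """First CodeView RSDS record as (guid, age, pdb_path), or None.
    A raw scan instead of walking the debug directory also works on dumps
    whose headers are damaged; walk the debug directory when precision matters."""
    idx = data.find(b"RSDS")
    if idx < 0 or len(data) < idx + 24:
        return None
    guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
    age = struct.unpack_from("<I", data, idx + 20)[0]
    end = data.find(b"\0", idx + 24)
    path = data[idx + 24:end if end >= 0 else len(data)].decode("utf-8", errors="replace")
    return guid, age, path


def triage(data: bytes) -> dict:
    """Summarise the two build artifacts. A TimeDateStamp can be forged or
    replaced by a hash (MSVC /Brepro), so treat it as one signal among several,
    and corroborate with the PDB path, strings and infrastructure timing."""
    pdb = pdb_info(data)
    stamp = pe_timestamp(data)
    return {
        "compiled_utc": stamp.isoformat() if stamp else None,
        "pdb_path": pdb[2] if pdb else None,
        "pdb_age": pdb[1] if pdb else None,
        "pdb_guid": str(pdb[0]) if pdb else None,
    }


def build_sample() -> bytes:
    """Constructed minimal PE-like blob for the demo (not a real executable)."""
    compiled = int(datetime(2023, 12, 20, 9, 30, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, compiled, 0, 0, 0xF0, 0x22)
    pdb_path = "D:\\proj\\esx\\x64\\Release\\loader.pdb"  # hypothetical path
    codeview = (b"RSDS" + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", 3)
                + pdb_path.encode() + b"\0")
    return bytes(dos) + coff + b"\0" * 32 + codeview


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage`. The stamp is only evidence of when a build happened if the toolchain wrote a real time; the PDB path and language artifacts are what make the date believable, which is the same corroboration Huntress describes.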

From Resolutions to Response: UAT-7290 APT Disclosure

🔒 Cisco Talos' Threat Source newsletter contrasts personal resolution habits with practical security practices and highlights an important APT disclosure. The post details a new Talos finding on UAT-7290, an espionage-focused actor active since at least 2022 that targets South Asian telecom and network infrastructure using implants named RushDrop, DriveSwitch, and SilentRaid. It urges defenders to apply updated detection signatures, audit and harden internet-facing devices, and ensure incident response plans are ready, while also summarizing notable weekly headlines and telemetry.

China-linked UAT-7290 Targets South Asian Telecoms

📡 Cisco Talos attributes a long-running cyber-espionage campaign to UAT-7290, a China-nexus actor targeting telecommunications providers since at least 2022. The group prioritizes public-facing edge devices in South Asia and has recently expanded activity into Southeastern Europe, using one-day exploits and SSH brute-force to gain persistent footholds. Its Linux-focused toolkit includes RushDrop, DriveSwitch and the modular backdoor SilentRaid, while Bulbature is used to convert compromised systems into relay nodes that can support other China-linked operators.

China-linked UAT-7290 Targets Telecoms, Deploys ORBs

🔍 Cisco Talos attributes a China-nexus cluster named UAT-7290 to espionage-focused intrusions against South Asian and Southeastern European organizations. The actor conducts detailed reconnaissance and exploits one-day vulnerabilities and SSH brute force to compromise edge devices, primarily targeting telecommunications providers. UAT-7290 deploys Linux-based tooling including RushDrop, DriveSwitch, and SilentRaid, and uses the Bulbature backdoor to establish Operational Relay Box (ORB) nodes for broader access.

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China-nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one-day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.
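
The target-specific SSH brute force that the UAT-7290 summaries above describe leaves a recognisable pattern in authentication logs: a burst of failures from one source cycling through usernames, sometimes followed by a success from the same source. The following is an added example, not Talos code or signatures, of hunting for that pattern. It assumes OpenSSH sshd syslog lines (the sample is constructed; network appliances log in their own formats and need a different regex), and the threshold and window values are illustrative.

```python
"""Flag SSH brute-force sources in sshd auth logs. Added example, not Talos code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; one noisy source, one normal admin.
SAMPLE_LOG = """\
Jan 14 03:12:01 edge01 sshd[4112]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:03 edge01 sshd[4115]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 14 03:12:04 edge01 sshd[4118]: Failed password for invalid user cisco from 203.0.113.7 port 51024 ssh2
Jan 14 03:12:06 edge01 sshd[4120]: Failed password for invalid user support from 203.0.113.7 port 51025 ssh2
Jan 14 03:12:08 edge01 sshd[4122]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 14 03:12:11 edge01 sshd[4125]: Failed password for invalid user netadmin from 203.0.113.7 port 51027 ssh2
Jan 14 03:12:15 edge01 sshd[4129]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Jan 14 03:40:22 edge01 sshd[4301]: Failed password for ops from 198.51.100.4 port 40012 ssh2
Jan 14 03:41:09 edge01 sshd[4305]: Accepted publickey for ops from 198.51.100.4 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2026):
    """(timestamp, result, user, ip) for an sshd auth line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Sources with >= threshold failures inside any `window`, with the usernames
    tried and any accepted logins after the burst (a success after spraying is the
    signal that matters most). Returns {ip: {...}}."""
    by_ip = defaultdict(list)
    for event in (parse(line) for line in log.splitlines()):
        if event:
            ts, result, user, ip = event
            by_ip[ip].append((ts, result, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "Failed"]
        for i in range(len(fails)):
            # grow the window from failure i while later failures fall inside it
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j][0]
                hits[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({user for _, user in fails[i:j + 1]}),
                    "success_after": [user for ts, result, user in events
                                      if result == "Accepted" and ts >= burst_end],
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Talos describes the brute force as targeted rather than internet-wide, so on an edge device a lower threshold and a longer window (hours, not minutes) are the right tuning; what distinguishes it from background scanning is the short list of device-specific usernames and, above all, the `success_after` entry.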

Taiwan Faces Surge in Chinese Cyber Intrusion Attempts

🔎 Taiwan’s National Security Bureau (NSB) reports a dramatic rise in Chinese-sourced cyber intrusion attempts against the island’s critical infrastructure in 2025, totaling 960,620,609 recorded attempts. The NSB highlights a tenfold surge against the energy sector and a 54% rise targeting emergency rescue and hospitals, while water resources and finance saw notable declines. Top groups named include BlackTech, Mustang Panda and APT41, which used vulnerability exploitation, DDoS, social engineering and supply-chain methods, often timed to coincide with military or political events.

Taiwan: China's Cyberattacks on Energy Sector Rose Tenfold

🛡️ Taiwan's National Security Bureau (NSB) reports a tenfold increase in cyberattacks against the country's energy sector in 2025 compared to 2024. The NSB said incidents tied to China rose 6% overall and affected nine critical sectors, with spikes timed around political events and military activity. Observed attack methods included exploitation of hardware and software vulnerabilities, DDoS, social engineering, and supply-chain compromises targeting industrial control systems and upgrade windows.

Taiwan Faces 2.6M Daily Chinese Cyberattacks in 2025

⚠️ Taiwan's National Security Bureau (NSB) reported that Chinese cyberattacks on the island's critical infrastructure rose 6% in 2025, averaging 2.6 million attempts per day. The activity focused mainly on the energy sector, hospitals, banks and emergency services, and extended to the semiconductor industry, including TSMC. Attackers used large-scale denial-of-service and man-in-the-middle techniques to disrupt operations and exfiltrate data. Many incidents reportedly coincided with Chinese military exercises and high-profile political events; Beijing denies involvement.

China-linked Evasive Panda Used DNS Poisoning for Espionage

🐼 Kaspersky attributes a targeted espionage campaign to the China-linked APT cluster tracked as Evasive Panda, which used DNS cache and response poisoning between November 2022 and November 2024 to deliver the MgBot backdoor to victims in Türkiye, China, and India. The intrusions relied on multi-stage adversary-in-the-middle (AitM) techniques, trojanized software updates, and per-victim encrypted payloads fetched via legitimate domains to stay stealthy. Kaspersky highlights the actor's long-term refinement of these methods to evade detection.

China-Aligned Group Uses Group Policy for Espionage

🔍 A newly tracked China-aligned cluster, dubbed LongNosedGoblin, has been linked to cyber-espionage campaigns against government organizations in Southeast Asia and Japan, ESET reported. The actor has abused Windows Group Policy to deploy a suite of C#/.NET tools and uses cloud storage services like Microsoft OneDrive and Google Drive as command-and-control channels. Observed tools include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, enabling browser-data theft, keystroke capture, file exfiltration, and remote command execution. Activity dates back to at least September 2023 with targeted deployments and execution guardrails to limit operations to selected victims.
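
LongNosedGoblin's use of OneDrive and Google Drive as command-and-control means the traffic goes to domains that cannot simply be blocked, so the practical hunt is for the shape of the traffic rather than its destination. Below is an added example, not ESET's detection logic, that scores each (source host, cloud API host) pair in a proxy log by how regular its inter-arrival times are. The log lines and host names are constructed, and the domain list and thresholds are assumptions to be tuned for one's own environment.

```python
"""Periodicity check for cloud-storage C2 candidates in proxy logs.
Added example, not ESET's detection logic."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API hosts for the services the summary names (OneDrive via Graph, Google Drive).
CLOUD_STORAGE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "www.googleapis.com"}

# Constructed sample: "<ISO timestamp> <source host> <destination host> <status>".
# WS-FIN-07 polls Graph every five minutes almost to the second; WS-HR-02 is a human.
SAMPLE_PROXY_LOG = """\
2025-11-03T08:00:02Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:01:12Z WS-FIN-07 www.googleapis.com 200
2025-11-03T08:05:02Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:10:03Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:15:02Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:20:01Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:25:03Z WS-FIN-07 graph.microsoft.com 200
2025-11-03T08:00:40Z WS-HR-02 graph.microsoft.com 200
2025-11-03T08:07:15Z WS-HR-02 graph.microsoft.com 200
2025-11-03T09:31:00Z WS-HR-02 graph.microsoft.com 200
2025-11-03T11:02:22Z WS-HR-02 graph.microsoft.com 200
2025-11-03T11:03:05Z WS-HR-02 graph.microsoft.com 200
"""


def parse(log):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2]


def find_beacons(log, min_events=5, max_cv=0.2, hosts=CLOUD_STORAGE_HOSTS):
    """Pairs whose gaps between requests are regular enough to look like a beacon.
    Regularity is the coefficient of variation (stdev / mean) of the gaps; a
    human browsing has a CV well above 1, a fixed-interval implant well below 0.2.
    Returns {(src, dst): {"count", "mean_interval_s", "cv"}}."""
    seen = defaultdict(list)
    for ts, src, dst in parse(log):
        if dst in hosts:
            seen[(src, dst)].append(ts)

    hits = {}
    for key, times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv <= max_cv:
            hits[key] = {"count": len(times), "mean_interval_s": round(m), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_PROXY_LOG).items():
        print(src, dst, info)
```

Legitimate sync clients poll these same hosts on fixed timers, so a hit is a lead, not a verdict: join it with the requesting process or user agent and with whether the user actually has that service, and allowlist known clients. An implant that adds jitter pushes the CV up, so for a low-and-slow hunt widen the window to a day and loosen `max_cv` rather than lowering `min_events`.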