< ciso
brief />
Tag Banner

All news with #china nexus tag

229 articles · page 5 of 12

Singapore Disrupts Chinese APT Targeting Telco Networks

🔒 Singapore’s Cyber Security Agency disclosed that Operation Cyber Guardian disrupted attacks by Chinese-linked APT UNC3886 targeting the nation’s four major telcos between summer 2025 and early 2026. The response involved over 100 cyber defenders across six agencies and identified use of a zero-day and rootkits to maintain persistent access. CSA reported no evidence of service disruption or sensitive personal data exfiltration and implemented remediation and enhanced monitoring. Telcos have been urged to continue strengthening systems and vigilance against re-entry attempts.
read more →

Chinese UNC3886 Cyberspies Breach Singapore Telcos

🔒 Singapore's Cyber Security Agency says China-linked threat actor UNC3886 breached the country's four largest telcos — Singtel, StarHub, M1, and Simba — at least once last year, gaining limited access to critical systems but failing to disrupt services or exfiltrate confirmed customer data. Investigators found a zero-day used to bypass perimeter firewalls and rootkits employed for stealth and persistence. The government launched Operation Cyber Guardian, mobilized multiple agencies, and contained the intrusions while increasing monitoring across critical sectors.
read more →

China-linked UNC3886 Targets Singapore Telecoms Systems

🛡️ Singapore's Cyber Security Agency (CSA) disclosed that the China-linked espionage group UNC3886 executed a deliberate, targeted campaign against the nation's telecommunications sector, naming M1, SIMBA Telecom, Singtel and StarHub as targets. The agency said the actor used sophisticated tools, including a weaponized zero-day and kernel-level rootkits, to gain unauthorized access to portions of telco networks. CSA reported no evidence of customer personal data exfiltration or service disruption and said a defensive operation called CYBER GUARDIAN has closed the group's access points and expanded monitoring across affected operators.
read more →

DKnife toolkit hijacks routers to spy and deliver malware

🛡️ Cisco Talos researchers describe DKnife as an ELF-based Linux toolkit used since 2019 to hijack router traffic and perform adversary-in-the-middle operations. The framework has seven modules — including yitiji.bin to create a bridged TAP interface and mmdown.bin to drop malicious APKs — enabling DPI, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus. Talos attributes the activity to a China-nexus actor and noted C2 servers remained active as of January 2026.
read more →

Hidden DKnife AitM Framework Targets Routers Since 2019

🔍 Cisco Talos researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and active through January 2026. The toolkit targets routers and edge devices running CentOS/Red Hat Enterprise Linux, using seven ELF components to perform DPI, traffic interception, DNS hijacking and in-line substitution of Android and Windows downloads. Talos attributes the framework with high confidence to Chinese-nexus actors and notes overlaps with campaigns delivering WizardNet, DarkNimbus and ShadowPad.
read more →

China-linked DKnife AitM Framework Targets Routers

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.
read more →

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.
read more →

China-linked Amaranth-Dragon targets Southeast Asia in 2025

🔍 Check Point Research identified a China-linked cluster named Amaranth-Dragon that conducted narrowly focused cyber espionage across Southeast Asia throughout 2025, primarily targeting government and law enforcement entities. Attacks exploited CVE-2025-8088 in WinRAR and used DLL side-loading to deploy an Amaranth Loader and the Havoc C2, while variants like TGAmaranth RAT leveraged a hard-coded Telegram bot. The operators limited exposure by geo-restricting Cloudflare-protected C2s and exhibited tooling and operational overlaps with the APT41 ecosystem.
read more →

Amaranth-Dragon Espionage Campaigns Target ASEAN 2025

🔍 Check Point Research disclosed highly targeted cyber espionage campaigns across ASEAN in 2025 attributed to Amaranth-Dragon, a newly identified actor tied to the APT 41 ecosystem. The group rapidly weaponized newly disclosed vulnerabilities, notably a critical WinRAR flaw, and used realistic lures linked to political and security events. Operators favored country-restricted infrastructure, reputable cloud services, and stealthy tooling to quietly collect intelligence from government and law enforcement targets.
read more →

Notepad++ Updates Hijacked in Chinese APT Supply-Chain

🔒 The open-source editor Notepad++ was the target of a sophisticated supply‑chain attack after threat actors compromised its shared hosting provider and redirected selective update traffic to malicious servers between June and December 2025. Researchers say the campaign is likely Chinese state‑sponsored; Rapid7 identified a custom backdoor called Chrysalis and observed Cobalt Strike and Metasploit activity. Notepad++ has migrated hosting and improved its WinGup updater to verify certificates and signatures, with enforcement planned in forthcoming releases.
read more →

Notepad++ Hosting Breach Attributed to Lotus Blossom

🔒 Rapid7 attributes a late-2025 compromise of the infrastructure hosting Notepad++ to the China-linked actor known as Lotus Blossom. Attackers delivered a previously undocumented backdoor, Chrysalis, via a malicious NSIS installer after hijacking update requests beginning in June 2025; access was terminated on December 2, 2025. Notepad++ patched updater verification in version 8.8.9, migrated hosting, rotated credentials, and responders have published indicators and mitigations.
read more →

Notepad++ Update Hijacked by Chinese State Hackers

🔒 Notepad++ developers say Chinese state-sponsored actors hijacked the project's update delivery last year, intercepting and selectively redirecting update requests to malicious servers by exploiting insufficient verification in older WinGUp updaters. The compromise began in June 2025 after a hosting provider breach and persisted until Dec 2, 2025, when the provider terminated access. The project migrated hosting, rotated credentials, patched the updater to verify certificates and signatures, and urges users to change SSH/FTP/MySQL credentials, review WordPress accounts, and update software.
read more →

Former Google Engineer Guilty of Stealing AI Secrets

🔒 A former Google engineer, Linwei Ding, was convicted by a US federal jury on 14 counts, including economic espionage and theft of trade secrets, after allegedly exfiltrating over 2,000 pages of sensitive AI technical documents. Prosecutors say he copied data into Apple Notes, converted it to PDFs, and uploaded the materials to a personal Google Cloud account to evade DLP controls. The stolen IP involved custom TPU and GPU orchestration software and SmartNIC designs intended for AI supercomputers, and the DoJ alleges Ding planned to support Chinese state-affiliated entities.
read more →

Former Google Engineer Convicted for Stealing AI Data

🔒 A U.S. jury has convicted Linwei Ding, a former software engineer at Google, for stealing confidential AI supercomputer information and covertly sharing it with China-based technology firms. Prosecutors say Ding exfiltrated more than 2,000 pages of proprietary material — including details about TPU and GPU systems, orchestration software, and SmartNIC networking — by uploading files to his personal cloud account between May 2022 and April 2023. He later founded Shanghai Zhisuan Technology Co., sought government talent programs, and was convicted on multiple counts of economic espionage and trade secret theft after an 11-day San Francisco trial.
read more →

China-Linked UAT-8099 Targeting IIS Servers in Asia

🔍 Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.
read more →

Mustang Panda Deploys Updated COOLCLIENT for Data Theft

🚨 Kaspersky reports that China-linked Mustang Panda used an updated COOLCLIENT backdoor in 2025 to exfiltrate data from government targets across Myanmar, Mongolia, Malaysia, and Russia. The implant was deployed as a secondary backdoor alongside PlugX and LuminousMoth, delivered via encrypted loaders and abusing DLL side-loading of legitimately signed binaries. COOLCLIENT harvests keystrokes, clipboard data, files, and HTTP proxy credentials, can establish reverse tunnels, and loads in-memory plugins; recent waves also incorporated browser credential stealers and a previously unseen rootkit.
read more →

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India and Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.
read more →

Pakistan-linked campaigns target Indian government assets

🔎 Zscaler ThreatLabz in September 2025 uncovered two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, aimed at Indian government entities. Gopher Strike used phishing PDFs with a fake Adobe update that conditionally delivers an ISO to Indian Windows hosts, deploying a Golang downloader, GOGITTER, which establishes VBScript-based persistence and scheduled-task execution. Sheet Attack abused legitimate services such as Google Sheets, Firebase and email for command-and-control, while a lightweight backdoor, GITSHELLPAD, and a padded loader, GOSHELL, were used to ultimately deliver Cobalt Strike.
read more →

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.
read more →

PeckBirdy: JScript C2 Framework Used by China-Linked APTs

🛡️ Trend Micro researchers uncovered PeckBirdy, a JScript-based command-and-control framework used by China-aligned APTs since 2023 to target gambling sites, government portals, and private organizations across Asia. The flexible framework executes via living-off-the-land binaries (LOLBins) and supports browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET execution paths. Operators relied on watering‑hole injections and fake Google Chrome update pages to deliver staged scripts and deploy modular backdoors such as HOLODONUT and MKDOOR. Detection is complicated by dynamically generated, runtime-injected JavaScript and scarce persistent artifacts.
read more →