All news with #china nexus tag

🔐 ReliaQuest linked the campaign to the Flax Typhoon APT, which converted a legitimate public-facing ArcGIS Java server object extension (SOE) into a stealthy web shell. The group activated the SOE through a standard ArcGIS REST extension, embedding a base64-encoded payload and a hardcoded key to trigger command execution while hiding activity behind normal portal operations. Attackers uploaded a renamed SoftEther VPN binary to preserve access and targeted IT workstations, and the SOE was later found in backups, enabling persistence after remediation. ReliaQuest warns organisations to go beyond IOC detection, proactively hunt for anomalous behaviour in trusted tools, and treat every public-facing application as a high-risk asset.

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

⚠️Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys and staged exfiltration prior to encryption.

🔎 Volexity attributes a series of tailored spear‑phishing campaigns to a China‑aligned actor tracked as UTA0388, which delivers a Go-based implant named GOVERSHELL. The waves used multilingual, persona-driven lures and legitimate cloud hosting (Netlify, Sync, OneDrive) to stage ZIP/RAR archives that deploy DLL side‑loading and a persistent backdoor. As many as five GOVERSHELL variants emerged between April and September 2025, succeeding an earlier C++ family called HealthKick. Volexity also observed the actor abusing LLMs such as ChatGPT to craft phishing content and automate workflows.

🔒 Huntress reported that threat actors with suspected ties to China abused a vulnerable phpMyAdmin panel in August 2025 to perform log poisoning, recording a PHP web shell into a query log and naming the file with a .php extension. The actors used the web shell (accessed via ANTSWORD) to deploy the open-source Nezha agent and inventory over 100 hosts—primarily in Taiwan, Japan, South Korea and Hong Kong. The Nezha agent facilitated execution of an interactive PowerShell script that created Microsoft Defender exclusions and launched Gh0st RAT via a loader and dropper.

⚠️ Attackers linked to China turned a benign open-source network monitoring agent into a remote access beacon using log poisoning and a tiny web shell. Huntress says they installed the legitimate Nezha RMM via a poisoned phpMyAdmin log and then deployed Ghost RAT for deeper persistence. The intrusion affected more than 100 hosts across Taiwan, Japan, South Korea, and Hong Kong and was contained in August 2025.

🔍 Huntress analysts uncovered a sophisticated campaign beginning in August 2025 that used log poisoning to plant a PHP web shell and then manage compromised servers via AntSword. The operators downloaded a file named 'live.exe' — identified as the open-source Nezha agent — which connected to a command server at c.mid[.]al and enabled remote tasking. Nezha was used to execute PowerShell commands to disable Windows Defender and to deploy 'x.exe', a Ghost RAT variant that persisted as 'SQLlite'. More than 100 systems, primarily in Taiwan, Japan, South Korea and Hong Kong, were observed communicating with the attackers' dashboard.

📰 Recorded Future assesses that the Beijing Institute of Electronics Technology and Application (BIETA) is likely directed by China's Ministry of State Security, citing links between at least four BIETA personnel and MSS officers and ties to the University of International Relations. Its subsidiary Beijing Sanxin Times Technology Co., Ltd. (CIII) develops steganography, covert-communications tools, and network-penetration and simulation software. The report warns these capabilities can support intelligence, counterintelligence, military, and other state-aligned cyber operations.

🔍 UAT-8099, a Chinese-speaking cybercrime group, has been linked to a global SEO fraud operation that targets Microsoft IIS servers to manipulate search rankings and harvest high-value data. The actor gains access via vulnerable or misconfigured file upload features, deploys web shells and privilege escalation to enable RDP, then uses Cobalt Strike and a modified BadIIS module to serve malicious content when requests mimic Googlebot. Infections have been observed across India, Thailand, Vietnam, Canada, and Brazil, affecting universities, telecoms and technology firms and focusing on mobile users.

🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.

🔎 Researchers at Palo Alto Networks have attributed two years of coordinated espionage to a previously unreported Chinese-aligned threat actor dubbed Phantom Taurus. The group targets government and telecommunications organizations across Africa, the Middle East, and Asia, focusing on foreign ministries, embassies, geopolitical events and military operations to maintain persistent covert access. Its toolkit includes a new IIS web-server backdoor suite called NET-STAR, DNS- and remote-access tools, in-memory implants and a wide mix of dual-use utilities. Operators have shifted from Exchange mailbox harvesting via ProxyLogon and ProxyShell exploits to targeted SQL database searches and WMI-driven data extraction.

🔍Phantom Taurus, newly designated by Unit 42, is a China-aligned cyber-espionage group that has targeted government and telecommunications organizations across Africa, the Middle East and Asia for at least two and a half years. Researchers traced the activity from earlier cluster tracking through a 2024 campaign codename, noting a 2025 elevation to a distinct group. Phantom Taurus has shifted from email-server exfiltration to directly querying SQL Server databases via a custom mssq.bat executed over WMI, and deploys a previously undocumented .NET IIS malware suite dubbed NET-STAR.

🔍 Palo Alto Networks Unit 42 has attributed a two-and-a-half-year campaign of espionage to a previously undocumented China-aligned actor dubbed Phantom Taurus, which has targeted government and telecommunications organizations across Africa, the Middle East, and Asia. The group uses a bespoke .NET malware suite called NET-STAR to compromise Internet Information Services (IIS) web servers and maintain stealthy access. Observed techniques include exploitation of on-premises IIS and Microsoft Exchange flaws, in-memory payload execution, timestomping and AMSI/ETW bypasses, enabling persistent data collection tied to geopolitical events.

🔒 Broadcom issued patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. European firm NVISO linked the in-the-wild abuse to the China-aligned group UNC5174 and published a proof-of-concept for CVE-2025-41244. The flaw allows an unprivileged local attacker to stage a malicious binary (commonly in /tmp/httpd), have it discovered by VMware service discovery, and escalate to root-level execution on vulnerable VMs.

⚠️ NVISO Labs says China-linked UNC5174 has been exploiting a newly patched local privilege escalation bug, CVE-2025-41244, in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. The vulnerability (CVSS 7.8) stems from a vulnerable get_version() regex that can match non-system binaries in writable directories (for example, /tmp/httpd) and cause metrics collection to execute them with elevated privileges. VMware and Broadcom have released fixes and mitigations; affected organizations should apply vendor patches and follow VMware's guidance, and Linux distributions will receive patched open-vm-tools packages from vendors.

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

🔐 Chinese state-linked actors deployed a custom Linux/BSD backdoor called BRICKSTORM on network edge appliances to maintain persistent access into U.S. legal, technology, SaaS and outsourcing firms. These implants averaged 393 days of undetected dwell time and were used to pivot to VMware vCenter/ESXi hosts, Windows systems, and Microsoft 365 mailboxes. Mandiant and Google TAG attribute the activity to UNC5221 and have released a scanner and hunting guidance to locate affected appliances.

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.