China-Linked Hackers Exploit Legacy Vulnerabilities for Global Espionage Campaigns
These articles are AI-generated summaries. Please check the original sources for full details.
Key Attack on U.S. Non-Profit Organization
- Timeline and Methods:
- On April 5, 2025, the attackers scanned the organization's internet-facing systems and attempted known exploits, including CVE-2022-26134 (Atlassian Confluence OGNL injection), CVE-2021-44228 (Log4Shell in Log4j), CVE-2017-9805 (Apache Struts REST plugin deserialization), and CVE-2017-17562 (GoAhead web server).
- Initial access was more likely gained by brute-forcing or credential-stuffing valid accounts; exploitation of any of these CVEs was not confirmed.
- On April 16, 2025, the attackers ran curl commands to test connectivity, used netstat to gather network information, and set up scheduled tasks to run msbuild.exe and inject payloads into csc.exe.
- A C2 server at 38.180.83[.]166 was contacted, and what was likely a remote access trojan (RAT) was deployed in memory.
- Persistence and Stealth:
- A scheduled task ran every 60 minutes as SYSTEM to maintain access.
- The attackers used DLL side-loading: vetysafe.exe, a legitimate Vipre antivirus component, was used to load a malicious sbamres.dll, a component previously linked to Salt Typhoon and Space Pirates.
- Tools including Dcsync (which abuses domain-controller replication to dump credentials) and Imjpuexc were also observed, though whether the attack fully succeeded remains unclear.
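As an added illustration, and not code from the original reporting or from any vendor named here, the following Python triages Windows Security event 4698 ("A scheduled task was created") records for the persistence pattern above: a task that runs as SYSTEM on a 60-minute repetition and whose action launches msbuild.exe, a signed build tool that compiles and executes an attacker-supplied project file in-line (the compile step is what spawns csc.exe). The event records, task names, paths and the LOLBin list are constructed for the example; real 4698 events carry the same task XML in their TaskContent field.

```python
"""Triage Windows Security event 4698 records for a SYSTEM scheduled task on a
short repetition interval whose action is a living-off-the-land binary.
All events, task names and paths below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Signed Windows binaries commonly abused to compile or run attacker code
# (illustrative list, not exhaustive)
LOLBINS = {"msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
           "certutil.exe"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
# A project/payload file launched by a SYSTEM task should not live in these places
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\perflogs\\")


def _local(tag):
    """Strip the XML namespace so lookups work for any Task schema version."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *path):
    """Walk direct children by local name; None if any step is missing."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT60M or P1DT2H into minutes (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def analyze_task(task_xml):
    """Return the findings for one task definition (empty list if nothing stands out)."""
    root = ET.fromstring(task_xml)
    findings = []
    user = _text(_find(root, "Principals", "Principal", "UserId")).upper()
    if user in {s.upper() for s in SYSTEM_IDS}:
        findings.append("runs as SYSTEM")
    minutes = iso_duration_minutes(_text(_find(root, "Triggers", "TimeTrigger", "Repetition", "Interval")))
    if minutes is not None and minutes <= 60:
        findings.append(f"repeats every {minutes:g} minutes")
    exec_ = _find(root, "Actions", "Exec")
    if exec_ is not None:
        command = _text(_find(exec_, "Command")).strip('"').replace("/", "\\")
        exe = command.rsplit("\\", 1)[-1].lower()
        args = _text(_find(exec_, "Arguments")).strip('"').lower()
        if exe in LOLBINS:
            findings.append(f"launches LOLBin {exe}")
        if args.startswith(USER_WRITABLE):
            findings.append("project/payload file in a user-writable path")
    return findings


def triage(events):
    """Map task name -> findings for 4698 events whose action is a LOLBin
    and that show at least one further indicator (SYSTEM, short repeat, odd path)."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        findings = analyze_task(ev["TaskContent"])
        if any(f.startswith("launches LOLBin") for f in findings) and len(findings) >= 2:
            hits[ev["TaskName"]] = findings
    return hits


# Constructed task XML (the TaskContent field of a 4698 event)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition>
    <StartBoundary>2025-04-16T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe</Command>
    <Arguments>C:\Users\Public\update.xml</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T01:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": r"\Microsoft\Windows\UpdateCheck", "TaskContent": SUSPICIOUS_TASK},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": BENIGN_TASK},
    {"EventID": 4702, "SubjectUserName": "admin", "TaskName": r"\Backup", "TaskContent": BENIGN_TASK},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(findings)}")
```

In practice you would feed this the TaskContent strings pulled from your SIEM's 4698 events (or pair it with process-creation telemetry showing msbuild.exe spawning csc.exe) and treat a hit as a lead to recover the referenced project file, which in an intrusion like the one above is the payload stage.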
Broader Campaigns by Chinese Threat Actors
- Speccom (IndigoZebra/SMAC):
- Targeted Central Asian energy sectors in July 2025 via phishing emails, delivering BLOODALCHEMY, kidsRAT, and RustVoralix.
- DigitalRecyclers:
- Attacked European organizations in July 2025 using the Magnifier tool to gain SYSTEM privileges.
- FamousSparrow:
- Targeted Latin American governments (Argentina, Ecuador, and others) between June and September 2025 by exploiting ProxyLogon (CVE-2021-26855) in Microsoft Exchange to deploy SparrowDoor.
- SinisterEye (LuoYu/Cascade Panda):
- Attacked Taiwanese defense firms, U.S. trade groups, and Ecuadorian government bodies between May and September 2025, using adversary-in-the-middle (AitM) attacks to deliver WinDealer and SpyDealer.
- PlushDaemon:
- Compromised Cambodian companies in June 2025 via AitM poisoning, using EdgeStepper to redirect DNS traffic to attacker-controlled servers, deploying SlowStepper backdoors.
Targeting Misconfigured IIS Servers
- TOLLBOOTH (HijackServer):
- A Chinese-speaking group (REF3927) exploited publicly exposed ASP.NET machine keys to install TOLLBOOTH, a backdoor with SEO cloaking and web shell capabilities.
- Infection spread: hundreds of servers globally, with concentrations in India and the U.S.
- Attack workflow:
- Use the exposed machine keys to forge validly signed ASP.NET ViewState payloads (the standard abuse of a leaked machineKey), gaining code execution on the IIS servers.
- Deploy Godzilla web shells, GotoHTTP, Mimikatz (for credential harvesting), and HIDDENDRIVER (rootkit for stealth).
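To make the first step of that workflow concrete, here is an added Python check, not the tooling of REF3927 or of any vendor named on this page, that audits an ASP.NET web.config for a static machineKey matching a list of publicly disclosed keys, flags weak validation and decryption algorithms, and rewrites the element with fresh random keys. The web.config, the "disclosed" keys and their hash list are constructed for the example; a real deployment would load the hash list from a maintained feed of disclosed keys (Microsoft has published hashes of such keys).

```python
"""Audit the <machineKey> element of an ASP.NET web.config for a publicly
disclosed key and show the corrected setting. Every key, hash and config
fragment here is constructed for the example."""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-ins for publicly disclosed keys. Only SHA-256 hashes of the
# upper-cased hex are kept so the check itself does not redistribute key material.
_CONSTRUCTED_DISCLOSED_KEYS = ["DEADBEEF" * 16, "CAFEBABE" * 8]
KNOWN_PUBLIC_KEY_HASHES = {hashlib.sha256(k.upper().encode()).hexdigest()
                           for k in _CONSTRUCTED_DISCLOSED_KEYS}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def _key_hash(key):
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


def audit_machine_keys(web_config_xml):
    """Return (severity, message) findings for every <machineKey> in the config.
    No element at all means ASP.NET auto-generates per-machine keys, which is
    fine for a single server and yields no finding."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            key = mk.get(attr, "AutoGenerate,IsolateApps")
            if key.upper().startswith("AUTOGENERATE"):
                continue
            if _key_hash(key) in KNOWN_PUBLIC_KEY_HASHES:
                # A known validationKey lets anyone sign a malicious serialized
                # ViewState, which the server deserializes as the app pool identity
                findings.append(("critical", f"{attr} is publicly disclosed: ViewState can be forged for code execution"))
            else:
                findings.append(("info", f"{attr} is static; needed for web farms, but rotate it if it was ever copied from a public source"))
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(("medium", f"validation={mk.get('validation')} is weak; use HMACSHA256 or stronger"))
        if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
            findings.append(("medium", f"decryption={mk.get('decryption')} is weak; use AES"))
    return findings


def rotate_machine_key(web_config_xml):
    """Return the config with fresh random keys and modern algorithms. Rotation
    invalidates outstanding ViewState and forms-auth tickets, and every node of
    a web farm must receive the same values."""
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        mk.set("validationKey", secrets.token_hex(64).upper())  # 64-byte key for HMACSHA256
        mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32-byte key for AES-256
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


# Constructed web.config with a "leaked" key pair and a weak validation algorithm
VULNERABLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'DEADBEEF' * 16}" decryptionKey="{'CAFEBABE' * 8}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for severity, message in audit_machine_keys(VULNERABLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
    print(rotate_machine_key(VULNERABLE_WEB_CONFIG))
```

The check keys on the key value rather than the algorithm because the exposure in this campaign is the secret itself: ViewState is MAC-protected with validationKey, so a leaked key lets an attacker sign an arbitrary serialized object and the server accepts it. Rotating the key closes that door for the future but does not remove a web shell already dropped, so any server that fails the audit also needs the file-system and IIS module review the rest of the workflow above implies.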
Attribution Challenges and Trends
- Tool Sharing: Chinese groups like Salt Typhoon, Kelp, and Space Pirates share malware components (e.g., sbamres.dll), complicating attribution.
- Geopolitical Motives: Attacks align with Beijing's priorities, targeting sectors like energy, government, and defense.
- Persistence Focus: Attackers prioritize long-term network access and domain controller infiltration to expand lateral movement.