Tag

Cyberespionage

All articles tagged with #cyberespionage

cybersecurity · 3 months ago

Chinese Hackers Deploy BRICKSTORM Malware to Target U.S. Legal and Tech Sectors

A suspected China-linked cyber espionage group, UNC5221, is using the sophisticated BRICKSTORM backdoor to infiltrate U.S. legal, technology and SaaS organizations. The group maintains long-term, stealthy access in order to steal sensitive information and potentially to exploit zero-day vulnerabilities; the backdoor remains under active development and has been deployed across multiple systems.

technology · 7 months ago

Microsoft Patches 67 Vulnerabilities, Including Exploited WebDAV Zero-Day

Hackers from the Stealth Falcon group have exploited a zero-day vulnerability in Windows WebDAV (CVE-2025-33053) since March 2025 to conduct stealthy cyberespionage against Middle Eastern defense and government organizations, using remote code execution to drop malware while maintaining operational stealth. Microsoft has patched the flaw; the attack technique involved manipulating WebDAV paths to execute malicious code remotely, leading to the deployment of advanced malware tools such as Horus Loader and Horus Agent. Organizations are advised to update Windows promptly and to monitor WebDAV traffic for suspicious activity.

cybersecurity · 1 year ago

FBI and White House Alert on Cybersecurity Threats from China and Messaging Apps

Chinese cyberspies, as part of the Salt Typhoon campaign, have recorded calls of high-level US political figures, according to Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technology. The espionage operation targeted senior political individuals and compromised eight US telecom providers, along with organizations in numerous countries. The campaign also accessed wiretapping systems, although this was not its primary focus. The US Senate Commerce subcommittee is set to investigate these cybersecurity threats in an upcoming hearing.

cybersecurity · 1 year ago

Chinese APT Gelsemium Unleashes WolfsBane Malware on Linux Systems

ESET researchers have discovered a new Linux backdoor named WolfsBane, attributed to the Gelsemium APT group, marking the first known use of Linux malware by this China-aligned threat actor. WolfsBane is the Linux counterpart to the Windows-based Gelsevirine backdoor, used for cyberespionage. Another backdoor, FireWood, was also found but is only tentatively linked to Gelsemium. This shift towards Linux malware by APT groups is attributed to enhanced security measures on Windows systems, prompting attackers to target vulnerabilities in Linux-based internet-facing systems.

cybersecurity · 1 year ago

Microsoft's Security Failures Exposed: Unraveling the 2023 Exchange Attack

The U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) has criticized Microsoft's handling of the 2023 Exchange Online attack, stating that the company needs to improve data security and transparency regarding the theft of an Azure signing key by the cyberespionage actor 'Storm-0558.' Microsoft has been unable to provide conclusive evidence of how the threat actor obtained the signing key, despite attributing the hack to Storm-0558 stealing the key from an engineer's compromised laptop. The hackers accessed email accounts using a 2016 Microsoft Services Account (MSA) key that should have been revoked in 2021, leading to the compromise of over 500 individuals at 22 organizations. The CSRB report highlights the need for enhanced logging features and improved key management; Microsoft continues to investigate the incident.

cybersecurity · 1 year ago

UNAPIMON: Earth Freybug's Key Tool for Unhooking Critical APIs

Earth Freybug, a cyberthreat group, has been found using dynamic-link library (DLL) hijacking and application programming interface (API) unhooking techniques in a new malware called UNAPIMON. The malware employs these defense evasion techniques to prevent child processes from being monitored, allowing malicious activity to go undetected. The attack demonstrates the group's evolving methods and the effectiveness of simple yet creative techniques, highlighting the need for vigilance against both advanced and easily overlooked tactics.

politics · 1 year ago

U.S. and Britain Sanction Chinese Hackers for 14-Year Cyberespionage Campaign

The United States and Britain have imposed sanctions on China's elite hacking units, accusing Beijing's top spy agency of a yearslong effort to place malware in critical infrastructure and of stealing the voting rolls of 40 million British citizens. The actions underscore the escalation of cyberconflict between Western allies and Beijing, with American intelligence agencies warning that the malware found in U.S. infrastructure appeared to be intended for use if the United States were to come to the aid of Taiwan. Separately, the Justice Department indicted individual Chinese hackers for targeting and intimidating Beijing's critics around the world.

cybersecurity · 1 year ago

US and UK Impose Sanctions on China for Election-Related Hacking

The US and UK have accused China of conducting a widespread cyberespionage campaign, targeting millions of individuals including lawmakers, journalists, and government officials. The hacking group "APT31" is alleged to be an arm of China's Ministry of State Security, with the aim of repressing critics, compromising government institutions, and stealing trade secrets. Both countries have filed charges and imposed sanctions, while Chinese diplomats have dismissed the allegations. Tensions between Beijing and Washington over cyberespionage have been rising, with Western intelligence agencies increasingly sounding the alarm on alleged Chinese state-backed hacking activity.

cybersecurity · 1 year ago

Rising Threat: Malicious Spyware Apps Targeting Android Users

ESET researchers have uncovered a cyberespionage campaign, attributed to the Patchwork APT group, involving twelve Android apps bundled with VajraSpy malware. The apps, disguised as messaging tools and a news app, were distributed on Google Play and other platforms and were downloaded over 1,400 times. The malware can steal contacts, files, call logs and SMS messages; some versions can also extract WhatsApp and Signal messages, record phone calls and take pictures. The campaign primarily targeted users in Pakistan, likely by luring them through targeted romance scams.

technology-cybersecurity · 2 years ago

Revealed: Advanced Zero-Day Exploits and Hidden Hardware Features in Global iPhone Hacking Campaign

Russian cybersecurity experts have uncovered one of the most sophisticated hacking campaigns seen to date, which they believe was orchestrated by U.S. intelligence agencies. The campaign used a 12-step exploit chain and four zero-day vulnerabilities to carry out a zero-click compromise of iPhones, enabling espionage against targets in several countries, including Russia, China, Syria, Israel and NATO members. The findings were presented at a hacker conference and have raised significant concerns about the extent of U.S. cyber surveillance capabilities.

national-security-and-cybersecurity · 2 years ago

Operation Triangulation: The Most Advanced iPhone Hack Exploiting Hidden Hardware Vulnerabilities

At a hacker conference, Russian cybersecurity experts disclosed an intricate iPhone hack, believed to be orchestrated by U.S. intelligence agencies, used to conduct espionage against high-profile targets across Russia, China, Syria, Israel and NATO countries. The operation involved a 12-step exploit chain and four zero-day vulnerabilities, allowing a zero-click intrusion into devices. The revelation comes amid heightened scrutiny of cybersecurity practices and international espionage, with India's Prime Minister Narendra Modi criticizing Apple for exposing new targets of the infamous Pegasus spyware.

cybersecurity · 2 years ago

US Imposes Sanctions on North Korea's Kimsuky Hackers and Spy Satellite Claims

The US Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on the North Korean-backed Kimsuky hacking group for engaging in cyberespionage and stealing intelligence in support of North Korea's strategic goals. Eight North Korean agents have also been sanctioned for facilitating sanctions evasion and supporting the country's weapons of mass destruction programs. The sanctions respond to North Korea's alleged launch of a military reconnaissance satellite and aim to impede the country's income generation, resource acquisition and intelligence gathering for its WMD program. Kimsuky, also known as APT43, has targeted entities and individuals across South Korea, the United States, Russia, Europe and the United Nations, focusing on foreign policy and national security matters related to the Korean peninsula and nuclear policy.

cybersecurity · 2 years ago

Zero-Day Exploits: European Governments and Russian Organizations Targeted in Roundcube Webmail Hacks

The Russian hacking group Winter Vivern has been exploiting a zero-day vulnerability in Roundcube Webmail since October 11 to target European government entities and think tanks. The vulnerability allowed the group to remotely inject arbitrary JavaScript code into Roundcube email servers, enabling them to harvest and steal emails. After ESET researchers reported the flaw, the Roundcube development team released security updates to fix it. Winter Vivern has previously targeted government organizations using known vulnerabilities in Roundcube and Zimbra email servers; the group's persistence and regular phishing campaigns pose a significant threat to European governments.