Espionage News

Espionage – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Chinese Hackers Impersonate U.S. Congressman in Malware Sting on Trade Stakeholders: Report
    by Mihir Bagwe on September 8, 2025 at 9:37 am

    Chinese hackers, allegedly linked to the state, attempted to infiltrate U.S. networks during sensitive trade discussions earlier this year by impersonating a sitting congressman, according to a report in The Wall Street Journal.

    In July, as Washington and Beijing prepared for high-level trade negotiations in Sweden, targeted emails were sent to American trade groups, law firms, and federal agencies. The messages, appearing to come from Representative John Moolenaar, chairman of the House committee on U.S.–China strategic competition, urged recipients to review draft sanctions legislation. The attachment, however, contained spyware, the Journal reported. Investigators later attributed the activity to APT41, a hacking group long suspected of ties to China’s Ministry of State Security.

    Cyber analysts told the Journal that, if opened, the attachment could have given attackers deep access to victim systems, enabling them to extract sensitive documents and monitor ongoing negotiations.

    The FBI confirmed it was investigating. “We are working with our partners to identify and pursue those responsible,” an FBI spokesperson told the newspaper. Capitol Police declined to comment.

    Moolenaar condemned the operation, calling it “another example of China’s offensive cyber operations designed to steal American strategy and leverage it.” He added, “We will not be intimidated.” Beijing rejected the allegations, with a Chinese Embassy statement insisting that the country “firmly opposes and combats all forms of cyber attacks and cyber crime” and warning against “smearing others without solid evidence.”

    APT41’s Technical Playbook

    APT41, also tracked under aliases such as Double Dragon and Barium, is one of China’s most versatile state-sponsored groups. Analysts told the Journal that the group’s hallmark is its dual-use capability: conducting espionage on behalf of the state while also engaging in financially motivated cybercrime.

    The group has a long history of spear-phishing and watering-hole attacks, often impersonating trusted figures or exploiting zero-day vulnerabilities. Its malware arsenal includes ShadowPad, a modular backdoor frequently used in Chinese espionage campaigns, and other custom loaders designed to maintain persistence.

    APT41 also makes heavy use of publicly available exploits. Past alerts from U.S. agencies note the group’s exploitation of vulnerabilities in Citrix, Atlassian Confluence, and Microsoft Exchange. Analysts believe the spyware used in the Moolenaar impersonation likely followed a familiar playbook: reconnaissance, credential harvesting, lateral movement, and long-term surveillance.

    A Track Record of Global Intrusions

    The campaign described by the Journal is not an isolated incident. In 2020, the U.S. Department of Justice indicted five Chinese nationals linked to APT41 on charges of hacking more than 100 companies worldwide. Victims included software firms, universities, telecom providers, and even non-profit organizations. Prosecutors alleged the group stole source code, proprietary business information, and intellectual property on a massive scale.

    Beyond espionage, APT41 has been tied to cybercrime for profit. Researchers have documented its role in stealing digital gaming currency and selling access to compromised servers. The group’s ability to switch seamlessly between state-directed intelligence operations and financially motivated crime sets it apart from many other advanced persistent threat (APT) groups.

    More recently, APT41 has been implicated in targeting the healthcare sector, with reports of attempted intrusions into hospitals and pharmaceutical firms during the COVID-19 pandemic. Security analysts say such activity aligns with Beijing’s interest in gaining access to sensitive medical research and health data.

    Espionage Pattern

    The phishing campaign took place just days before negotiators agreed to extend a tariff truce and resume discussions on a possible summit between President Trump and Chinese President Xi Jinping. Experts noted that compromising advisory groups or law firms tied to the talks would allow Beijing to anticipate U.S. positions and adjust its strategy.

    Mandiant told the Journal that the spyware in this case could have burrowed deep into networks, enabling long-term monitoring. For adversaries like APT41, analysts said, such access is more valuable than short-term disruption: it provides leverage in negotiations and insight into political decision-making.

    Earlier this year, hackers impersonated Secretary of State Marco Rubio using AI-generated content, while phishing attempts targeted White House staff, including Chief of Staff Susie Wiles, the Journal reported. Together, these incidents point to an intensifying focus on U.S. political leadership and policy processes.

    The attempt to compromise U.S. trade stakeholders shows how cyber operations increasingly run parallel to geopolitical negotiations. Experts said that while military maneuvers often capture headlines, cyber espionage has become a quieter but equally potent front. As tensions over technology, tariffs, and national security continue to define U.S.–China relations, espionage campaigns exploiting trust, urgency, and political credibility are likely to remain central to Beijing’s toolkit.
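    The lure described above relies on three things: a trusted name in the display field, a sense of urgency, and a document attachment. The following Python snippet is an added example (not code from The Cyber Express, the Journal or any investigator) showing the header-level checks a mail-security team can automate for that pattern. The sample message, the EXPECTED_DOMAINS map of which sending domains a claimed identity legitimately uses, and the list of risky attachment types are all constructed assumptions.

```python
"""Header-level triage for impersonation phishing like the lure described above.

Added example, not code from The Cyber Express or the WSJ report. The message
below is constructed; the EXPECTED_DOMAINS map (which sending domains a claimed
identity legitimately uses) and the risky-extension list are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: sender domains a given claimed identity is expected to use.
EXPECTED_DOMAINS = {"moolenaar": {"mail.house.gov", "house.gov"}}
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".lnk", ".exe", ".js"}
URGENCY = re.compile(r"\b(urgent|immediately|before .* talks|today)\b", re.I)

# Constructed sample: SPF and DKIM pass for the attacker's own lookalike domain,
# which is exactly why those two checks alone do not prove who the sender is.
SAMPLE_EMAIL = b"""From: "Rep. John Moolenaar" <john.moolenaar@congress-policy-review.com>
To: trade-counsel@example-lawfirm.com
Subject: Draft sanctions legislation - please review before Stockholm talks
Authentication-Results: mx.example-lawfirm.com; spf=pass smtp.mailfrom=congress-policy-review.com; dkim=pass header.d=congress-policy-review.com; dmarc=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached draft urgently.
--b1
Content-Type: application/msword; name="Draft_Sanctions_Bill.doc"
Content-Disposition: attachment; filename="Draft_Sanctions_Bill.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def triage(raw: bytes) -> dict:
    """Return the sender domain, a list of (tag, detail) findings and a score."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    findings = []

    # 1. Does the display name claim an identity whose real domain differs?
    for key, domains in EXPECTED_DOMAINS.items():
        if key in display_name.lower() and from_domain not in domains:
            findings.append(("identity_mismatch",
                             f"display name '{display_name}' but sender domain '{from_domain}'"))

    # 2. Authentication-Results: only a DMARC pass ties the From: domain to the signer.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dmarc=(\w+)", auth)
    if not m or m.group(1).lower() != "pass":
        findings.append(("dmarc_not_pass", f"dmarc={m.group(1) if m else 'absent'}"))

    # 3. Attachment types that commonly carry macros or executables.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))

    # 4. Urgency language in subject or body: the social-engineering pressure.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    hit = URGENCY.search(text)
    if hit:
        findings.append(("urgency", hit.group(0)))

    return {"from_domain": from_domain, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["from_domain"], "score =", result["score"])
    for tag, detail in result["findings"]:
        print(f"  [{tag}] {detail}")
```

    The point of the constructed headers is that SPF and DKIM both pass: the attacker controls the lookalike domain, so those records are in order. What does not line up is the claimed identity against the sending domain, and DMARC for the domain the message actually came from says nothing about the name in the display field.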

  • Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage
    by Mihir Bagwe on September 5, 2025 at 8:26 am

    Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focused on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia.

    The alert, published this week by the National Cyber and Information Security Agency (NÚKIB), cites ongoing risks to government systems, energy providers, telecoms, and other critical infrastructure operators. While NÚKIB did not name specific incidents in its bulletin, the agency said that “selected foreign states” were increasingly engaged in long-term campaigns designed to compromise strategic sectors, exfiltrate sensitive information, and undermine public trust.

    The Core Threat Assessment

    NÚKIB has classified the threat as “High – likely to very likely,” encompassing two primary concerns: data transfers to the People’s Republic of China (PRC) and its Special Administrative Regions (Hong Kong and Macau), and remote administration of technical assets from these territories. This assessment applies to all entities regulated under Czech cybersecurity legislation, including critical infrastructure operators. The agency’s decision to issue the warning stems from what it describes as “facts established during the exercise of its powers, supplemented by unclassified and classified information obtained from domestic and foreign partners.”

    At the heart of NÚKIB’s warning lies a detailed analysis of China’s legal environment, which the agency argues fundamentally compromises data security. The assessment identifies several problematic regulations:

    - National security framework: the 2015 National Security Law imposes broad obligations on Chinese citizens and organizations to assist state authorities in matters of national security. More significantly, the 2017 National Intelligence Law requires “every citizen and organisation” to support intelligence activities and maintain confidentiality.
    - Corporate control mechanisms: the 2013 Company Law mandates Communist Party of China (CPC) organizations within companies, effectively allowing party influence over corporate operations. This creates a direct channel for state interference in nominally private enterprises.
    - Vulnerability reporting requirements: 2021 regulations require technology manufacturers to report security vulnerabilities to the Ministry of Industry and Information Technology within two days, with subsequent reporting to the Ministry of State Security. Crucially, manufacturers are prohibited from disclosing these vulnerabilities to foreign organizations.
    - Counter-espionage: the Counter-Espionage Law, particularly following its 2023 amendment, expands the definition of espionage to encompass virtually any documents or data deemed related to national security by Chinese authorities.

    Together, these laws create an environment where state access to private data is not only legal but mandated.

    Special Administrative Regions Mean Extended Reach

    NÚKIB’s analysis extends to Hong Kong and Macau, territories that maintain economic autonomy while remaining under Chinese sovereignty. The agency identifies concerning legislation in both regions. The 2024 Safeguarding National Security Ordinance integrates China’s national security framework into Hong Kong’s legal system, creating vague definitions of “state secrets” that could encompass economic, social, technological, or scientific activities. In Macau, the 2019 Cybersecurity Law grants the Cybersecurity Incident Alert and Response Center (CARIC) authority to conduct real-time monitoring of critical infrastructure data transmissions, with no supervisory mechanism to prevent abuse.

    Attribution and Active Threats

    The warning gains particular weight from recent attribution activity. In May, the Czech government publicly attributed cyberattacks against its Ministry of Foreign Affairs to APT31, a group associated with China’s Ministry of State Security. The campaign, active since 2022, targeted critical infrastructure and demonstrated sophisticated, persistent capabilities. The Czech government said it “strongly condemns this malicious cyber campaign against its critical infrastructure” and noted that “such behavior undermines the credibility of the People’s Republic of China and contradicts its public declarations.”

    The attribution was not made in isolation. NÚKIB worked alongside the Security Information Service, Military Intelligence, and the Office for Foreign Relations and Information to reach what they describe as “a high degree of certainty about the responsible actor.”

    The Czech warning aligns with broader international concern about Chinese technology risks. NÚKIB notes that Italy, Germany, the Netherlands, and Australia have taken measures regarding specific Chinese products and services, while the Five Eyes intelligence alliance has issued advisories about Chinese cyber espionage groups. The agency specifically references a 2021 European Data Protection Board study concluding that Chinese laws allow “broad access by PRC state authorities to data without sufficient independent oversight,” fundamentally contradicting GDPR principles of transparency, proportionality, and legal protection.

    Critical Infrastructure Implications

    The warning carries particular significance for critical infrastructure operators. NÚKIB emphasizes that disruption of the availability, confidentiality, or integrity of backbone systems “could potentially have a significant impact on many people in the territory of the Czech Republic.” The agency identifies specific technology categories of concern:

    - Personal devices (smartphones, watches, electric vehicles)
    - Cloud services
    - Photovoltaic inverters
    - IP cameras
    - Health technology
    - Smart meters

    A Pattern of Firm Stances

    The warning follows a series of steps by the Czech government to push back against foreign digital influence. Earlier this year, Prague moved to restrict the use of Chinese-developed AI platforms such as DeepSeek, citing risks of data exfiltration and systemic manipulation. The Ministry of Foreign Affairs said at the time that trust in the country’s digital infrastructure was “not compatible with applications subject to extraterritorial control by foreign powers.”

    This builds on years of concern over technology supply chains. Czechia was one of the first EU members to limit Huawei and ZTE equipment in its 5G rollout, a decision backed by NÚKIB in 2018 that placed it firmly in the transatlantic camp on telecom security. The latest warning suggests the government is prepared to extend that logic to AI systems and cloud-based platforms as well.

    The warning also reflects evolving geopolitical realities. NÚKIB notes that China’s support for Russia in the Ukraine conflict has intensified its interest in European affairs, manifesting in increased cyber espionage activity. The agency cites intelligence assessments showing Chinese actors targeting Czech state institutions with increasingly sophisticated spear-phishing attacks. The Security Information Service has repeatedly emphasized technological dependence on China as a strategic vulnerability, particularly given China’s “autocratic regime with global ambitions to create an effective counterbalance to the G7 countries.”

  • Not Just Large Telecoms: Smaller Dutch ISPs Also Targeted in Broader Salt Typhoon Campaign
    by Mihir Bagwe on August 29, 2025 at 1:51 pm

    China-linked espionage actor Salt Typhoon is in the news again, this time not for targeting large telecommunications giants but for hitting smaller internet and hosting service providers in the Netherlands.

    The Dutch intelligence services said on Thursday that the country “didn’t receive the same level of attention from the Salt Typhoon hackers as those in the U.S.,” but that they “can now corroborate some of the findings of the U.S. investigation with independent intelligence.”

    The MIVD (Military Intelligence and Security Service) and AIVD (General Intelligence and Security Service) said, “The Chinese hacker group had access to routers belonging to the Dutch targets. As far as we know, the hackers did not penetrate any further into their internal networks.” The number of routers accessed and the sectors targeted were not disclosed, but the authorities said they “did observe targets in the Netherlands. These were not large telecommunications providers, but smaller internet service and hosting providers.”

    “The MIVD and the AIVD have been warning for some time about the growing Chinese cyber threat,” the authorities said. “These activities have become so sophisticated that continuous effort and attention are required to promptly detect and mitigate cyber operations against Dutch interests. This can reduce risks, but not eliminate them entirely. This poses a major challenge to Dutch resilience.” The MIVD, AIVD, and the National Cyber Security Centre (NCSC) have previously shared threat intelligence with targets and other relevant audiences whenever possible.

    Salt Typhoon Campaign’s Roots

    The announcement came on the heels of a multi-nation joint advisory, released a day earlier, that warned of the China-linked threat groups Salt Typhoon and GhostEmperor targeting critical infrastructure networks around the world in a persistent cyber espionage campaign. These operations have been traced to three China-based companies, Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd., which allegedly act as fronts for the Chinese Ministry of State Security and the People’s Liberation Army.

    Salt Typhoon’s wider operation first came to light late last year, when several U.S. telecom companies disclosed intrusions that reached lawful-intercept (wiretap) systems and the communications of senior political figures, including people involved in the presidential campaigns. In a hearing earlier this year, Senator Mark Warner of the Senate Intelligence Committee said that evicting the intruders would require replacing “thousands and thousands and thousands” of network devices.

    The Salt Typhoon breach of U.S. telecom networks lasted for more than a year in some cases. While only about 150 victims were notified at the time, experts warned that the total could eventually number in the “millions.” Warner, a former telecom venture capitalist, called the breaches the “worst telecom hack” in the nation’s history, by far.

  • China-Linked Espionage Campaign Hijacks Web Traffic to Target Diplomats
    by Mihir Bagwe on August 26, 2025 at 9:32 am

    Google’s Threat Intelligence Group has uncovered a cyber espionage campaign by a PRC-linked threat actor, which it tracks as UNC6384, that uses captive portals and adversary-in-the-middle tactics to target diplomats across Southeast Asia.

    Captive portals are the sign-in pages familiar to anyone who has logged into hotel Wi-Fi. Instead of leading to a legitimate login, these portals mimicked VPN services or software update pages to deceive victims. Once a victim visited, they were served a digitally signed downloader tracked as STATICPLUGIN, which in turn deployed SOGU.SEC, a variant of the notorious PlugX backdoor. PlugX has long been part of the Chinese state-backed intrusion playbook, but this latest variant was delivered through updated tradecraft designed to avoid detection.

    Technical Details

    - Delivery mechanism: the malware was signed with a legitimate digital certificate, helping it get past endpoint defenses that trust signed code.
    - Execution techniques: UNC6384 used indirect execution and adversary-in-the-middle (AitM) techniques to blend with normal traffic and avoid signature-based detection.
    - Data collection: once inside, SOGU.SEC enabled lateral movement, file exfiltration, and ongoing surveillance of sensitive diplomatic systems.
    - Infrastructure: the group operated attacker-controlled redirectors that intercepted traffic and funneled it through malicious portals.

    Attack chain (Image credit: Google Threat Intelligence Group)

    Google said it notified the compromised organizations through its government-backed attacker alerts and shared the malicious domains and file hashes, which were also added to its Safe Browsing feature.

    Why Diplomats?

    UNC6384’s targeting of diplomats reveals the geopolitical underpinnings of the campaign. The group zeroed in on government agencies, embassies, and foreign service workers operating in Southeast Asia, an area where China has pressing economic and strategic interests. Unlike ransomware or financially motivated operations, this activity reflects the calculated objectives of a nation-state adversary.

    Diplomats are high-value strategic targets. By embedding themselves in their systems, attackers can gain insight into negotiations, policy positions, and alliances. According to recent analysis, Chinese APT groups are increasingly focusing on strategic pre-positioning in critical infrastructure and supply chains, often leveraging edge devices, software frameworks with minimal endpoint defenses, and “living-off-the-land” techniques to ensure persistence and stealth.

  • Russia’s FSB-Linked Hackers Targeting Cisco Network Gear Used in Critical Infrastructure
    by Mihir Bagwe on August 21, 2025 at 7:14 am

    How often do you hear people talking about the problem of legacy systems, especially in critical infrastructure environments? Here is another example of how deeply rooted the issue is: legacy Cisco router infrastructure remains a rich source of intelligence for Russian services.

    A new alert from the FBI and a detailed analysis from Cisco Talos reveal how a vulnerability disclosed in 2018, tracked as CVE-2018-0171, in Cisco’s Smart Install feature continues to fuel state-level espionage campaigns against critical infrastructure.

    A Legacy Weakness with Persistent Danger

    CISA flagged the problem back in 2018, warning that Russian state-sponsored actors had exploited Cisco’s Smart Install and unencrypted management protocols such as SNMP and Telnet to harvest network configurations, inject firmware, and control routers for intelligence collection and lateral exploitation. That advisory showed how unsecured GRE tunnels, SNMP, and TFTP were easy pathways for attackers to extract configuration files and password hashes from enterprise and SOHO devices. Compromised network infrastructure could be weaponized for traffic interception or even destructive operations, CISA warned at the time.

    Fast forward to the latest advisory and these are no longer theoretical risks. The same tools and techniques, SNMP abuse, misconfigured routers, and TFTP over UDP, still let attackers extract device configurations, map networks, and establish persistent access with minimal visibility.

    Static Tundra’s Stealthy Campaign, a Decade in the Making

    Cisco Talos has dubbed the threat actor exploiting this weakness Static Tundra, a Russian-linked espionage group likely tied to the FSB’s Center 16, which overlaps with the group also known as Energetic Bear. Talos assesses with high confidence that Static Tundra has spent years infiltrating unpatched or end-of-life Cisco network devices, particularly those with Smart Install enabled, across telecoms, higher education institutions, and manufacturing on multiple continents. Its techniques include:

    - Exploiting CVE-2018-0171 to make the device copy its startup configuration to an attacker-controlled TFTP server.
    - Abusing SNMP, occasionally from spoofed source addresses, to retrieve credentials and enable remote access.
    - Deploying the notorious SYNful Knock firmware implant to maintain stealth and persistence across reboots.
    - Using GRE tunnels and NetFlow collection to quietly exfiltrate traffic of interest and its metadata.

    Talos notes the group operates with precision, picking targets aligned with shifting geopolitical priorities, particularly during escalations in the Ukraine conflict. More worrying, the researchers observed that many compromised devices remain infected because organizations still fail to patch or disable the Smart Install feature, despite fixes being available since 2018.

    Real-World Risk Across Sectors and Borders

    The combined findings show that the threat persists because of structural neglect. Unpatched firmware, enabled legacy features, and unmanaged network gear are the primary reasons. While CISA’s 2018 warning outlined the risk, Talos confirms that attackers continue to harvest sensitive configuration data, creating long-term espionage footholds. Sophisticated threat actors controlling key network infrastructure can manipulate traffic flows, enable command-and-control for hidden implants, and pivot laterally, transforming compromised routers into control hubs for broader attacks, cyber experts warned.

    A Non-Negotiable Security Imperative

    The risk, as noted above, is no longer hypothetical. It is ongoing and systemic. Here are some foundational steps every enterprise and critical infrastructure network must take, per Talos researchers:

    - Patch or disable Smart Install immediately; CVE-2018-0171 remains widely exploitable.
    - Encrypt management channels, disable legacy protocols, and harden SNMP and AAA policies.
    - Profile router behavior via NetFlow, log monitoring, and IDS signature deployment.
    - Maintain accurate device inventories and restrict remote access to critical appliances.

    Static Tundra’s campaigns make clear that network devices are not passive infrastructure. They are prime asymmetric targets. The vulnerability in Smart Install is not new, but the threat remains potent. Critical infrastructure operators need to harden network gear, build detection-first strategies, and elevate device security to a boardroom-level concern.
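    The Talos mitigations above boil down to a handful of settings on each device. The script below is an added example (not from Talos, Cisco or The Cyber Express) that audits the text of a Cisco IOS running-config for those settings: Smart Install left enabled, SNMPv1/v2c communities (especially default ones, write-enabled ones, or ones without an ACL), clear-text HTTP and Telnet management, a reversible enable password, and VTY lines without an access-class. Both configuration snippets are constructed; the hash in the hardened one is a placeholder.

```python
"""Audit a Cisco IOS running-config for the weaknesses Static Tundra relies on.

Added example, not from Talos, Cisco or The Cyber Express. Both configs are
constructed (the enable-secret hash is a placeholder); the checks mirror the
mitigations listed above, not an exhaustive hardening baseline.
"""
import re

WEAK_CONFIG = """\
hostname edge-rtr-01
!
vstack
!
enable password cisco123
!
snmp-server community public RO
snmp-server community s3cret RW
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no vstack
!
enable secret 9 $9$PLACEHOLDER-EXAMPLE-HASH
!
no ip http server
no ip http secure-server
!
snmp-server group NMS-RO v3 priv read NMS-VIEW access MGMT-ACL
!
ip access-list standard MGMT-ACL
 permit 10.0.50.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 login local
"""

SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+) (RO|RW)(?:\s+(\S+))?$")


def _vty_blocks(lines):
    """Collect the indented lines belonging to each 'line vty' section."""
    blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks


def audit(config: str) -> list:
    """Return a list of 'tag: detail' findings for one device config."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []

    # Smart Install (vstack) is the CVE-2018-0171 attack surface and is on by
    # default on many platforms, so only an explicit 'no vstack' counts as safe.
    if "no vstack" not in lines:
        findings.append("smart_install: not explicitly disabled; add 'no vstack'")

    # 'enable password' (type 7) is reversible; 'enable secret' is the fix.
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable_password: reversible enable password; use 'enable secret'")

    # SNMPv1/v2c communities travel in clear text; RW ones hand over the box.
    for l in lines:
        m = SNMP_COMMUNITY.match(l)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in {"public", "private"}:
            findings.append(f"snmp_default_community: '{community}'")
        if mode == "RW":
            findings.append(f"snmp_rw_community: '{community}' allows config writes")
        if not acl:
            findings.append(f"snmp_no_acl: community '{community}' accepts any source")
        findings.append(f"snmp_v2c: community '{community}' is unauthenticated; migrate to v3 authPriv")

    if "ip http server" in lines:
        findings.append("http_server: clear-text HTTP management enabled")

    # VTY lines: Telnet (or the 'all' default) and missing source restriction.
    for block in _vty_blocks(lines):
        transport = next((b for b in block if b.startswith("transport input")), "")
        if not transport or "telnet" in transport or "all" in transport.split():
            findings.append(f"vty_telnet: '{transport or 'transport input (default)'}' permits clear-text Telnet")
        if not any(b.startswith("access-class") for b in block):
            findings.append("vty_no_acl: no access-class restricting management sources")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} findings")
        for f in audit(cfg):
            print("  ", f)
```

    Run against a `show running-config` dump from each device in the inventory, the audit turns the mitigation list into something that can be scheduled. The `no vstack` check is deliberately pessimistic: absence of the line means the feature may still be on, which is exactly the condition Talos found on devices that were never cleaned up.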

  • Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs
    by Mihir Bagwe on June 23, 2025 at 12:19 pm

    Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. Ukraine’s national Computer Emergency Response Team (CERT-UA) has linked a recent cyberattack campaign against the information and communication system of a government entity to UAC-0001, also known as APT28 or Fancy Bear, the infamous hacking group believed to be operated by Russia’s GRU military intelligence service.

    In an investigation conducted between March and May 2024, responders uncovered two previously unseen malware strains, BEARDSHELL and SLIMAGENT, lurking inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled “Act.doc” and sent via the encrypted messaging app Signal.

    While the initial infection vector was not immediately clear, analysts later discovered the malware reached its target through a macro-laced Word document that installed multiple payloads, each designed to fly under the radar, exploit trusted services, and maintain persistence through registry hijacking and scheduled tasks.

    How the Intrusion Worked Against Ukrainian Government Systems

    The attackers disguised their malware inside a seemingly benign Word file delivered over Signal.

    Sample of communication with an attacker in Signal (Source: CERT-UA)

    If a user enabled macros, the document executed code that placed two files on the system and created a COM-hijacking registry entry so that explorer.exe silently loaded a malicious DLL. That DLL then decrypted another file (windows.png) containing shellcode, which finally launched the COVENANT framework, all without dropping anything directly visible to the user.

    COVENANT, a .NET-based red team tool popular in the post-exploitation phase of attacks, was used here to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav), which contained encoded instructions to ultimately launch BEARDSHELL, a custom-built backdoor. Persistence? Also covered. BEARDSHELL maintained access through a separate registry entry tied to a scheduled task under Microsoft’s SystemSoundsService. Classic APT28.

    What Do BEARDSHELL and SLIMAGENT Actually Do?

    Both tools were written in C++ and designed for stealth and data collection:

    - BEARDSHELL connects to the attacker using the API of Icedrive, a legitimate cloud storage provider, allowing the malware to receive encrypted PowerShell scripts and exfiltrate data without triggering traditional security tools. Each infected system gets its own directory, named using a unique hash derived from hardware and system identifiers.
    - SLIMAGENT takes periodic screenshots and encrypts them using AES + RSA, saving them locally in a time-stamped format. It is the visual spy in the room, quietly recording the screen without alerting the user.

    What is particularly clever, and dangerous, about this tooling is its use of legitimate services (Koofr and Icedrive) as command-and-control (C2) infrastructure. The malware avoids sketchy IP addresses and domains, which makes traditional threat intel blacklists nearly useless on their own.

    Why It Matters

    This latest campaign is not just another cyberattack; it is part of an escalating pattern of hybrid warfare tactics employed by Russia since the start of its war in Ukraine. APT28, which has been tied to the DNC email leaks in 2016 and countless attacks on NATO and EU institutions, is one of the Kremlin’s most active cyber units.

    Their tactics have evolved. Beyond brute-forcing their way into systems, they now leverage phishing documents, encrypted messaging apps like Signal for payload delivery, and trusted APIs for communication. And they are still targeting the same kind of critical government infrastructure they have always sought to undermine. According to CERT-UA, the malware was identified inside a central government executive body’s information systems, a clear sign that the group is targeting the upper echelons of Ukraine’s state apparatus.

    Defense, Detection, and the Cloud API Problem

    CERT-UA is urging security teams, particularly within governments and critical infrastructure, to closely monitor traffic to app.koofr.net and api.icedrive.net, as these are being used as C2 endpoints. The advisory also noted that the success of the attack hinged on:

    - users enabling macros in Office documents;
    - host security tools failing to inspect Signal-based delivery;
    - the abuse of trusted services like Icedrive and Koofr as “invisible” control channels.

    It is another wake-up call: endpoint defenses cannot rely on static indicators alone. Malware now uses everyday apps, cloud platforms, and registry entries to hide in plain sight.

    The Bigger Picture

    APT28 has always stayed ahead of the curve, and this campaign is no exception. By chaining together macro payloads, registry hijacking, cloud C2, and multi-stage execution, the group is not just adapting. It is evolving. And while these attacks may seem targeted at Ukraine, the tactics, techniques, and procedures (TTPs) on display should concern every government and enterprise organization in the West. Because if a Word doc, a PNG, and a WAV file can bypass your defenses, what else is already lurking inside?
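    Monitoring the two CERT-UA domains is the starting point, but a watchlist alone misses the next campaign that picks a different cloud service. The following Python snippet is an added example (not from CERT-UA or The Cyber Express) that runs over constructed proxy-log lines and combines a watchlist match with a beaconing check: a client that contacts the same host at near-constant intervals scores higher than one that touches it once. The log format, the client and host names other than the two CERT-UA domains, and the periodicity threshold are assumptions.

```python
"""Spot cloud-API C2 in proxy logs: watchlist hits plus beaconing regularity.

Added example, not from CERT-UA or The Cyber Express. The log lines are
constructed (format: ISO timestamp, client IP, method, host:port, status);
only the two watchlist domains come from the CERT-UA advisory quoted above.
The periodicity threshold (max_cv) is an assumption to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_WATCHLIST = {"app.koofr.net", "api.icedrive.net"}
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ ([^:\s]+):\d+ \d+$")

# Constructed sample: 10.1.2.33 beacons every ~5 minutes; 10.1.2.40 browses
# irregularly and touches a watchlisted host once (a legitimate user, perhaps).
SAMPLE_LOG = """\
2025-06-20T09:00:00Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:01:12Z 10.1.2.40 CONNECT www.example.com:443 200
2025-06-20T09:05:00Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:07:45Z 10.1.2.40 CONNECT cdn.example.net:443 200
2025-06-20T09:10:00Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:15:02Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:19:58Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:25:00Z 10.1.2.33 CONNECT api.icedrive.net:443 200
2025-06-20T09:30:31Z 10.1.2.40 CONNECT www.example.com:443 200
2025-06-20T10:12:09Z 10.1.2.40 CONNECT app.koofr.net:443 200
2025-06-20T11:40:00Z 10.1.2.40 CONNECT www.example.com:443 200
"""


def on_watchlist(host: str) -> bool:
    """Exact match or any subdomain of a watchlisted name."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in C2_WATCHLIST)


def analyze(log: str, min_hits: int = 4, max_cv: float = 0.15) -> dict:
    """Return {(client, host): {...}} with watchlist and beaconing verdicts."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, host = m.groups()
        times[(client, host.lower())].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))

    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Beaconing: enough hits and a low coefficient of variation of the gaps.
        periodic = False
        if len(stamps) >= min_hits and mean(gaps) > 0:
            periodic = pstdev(gaps) / mean(gaps) <= max_cv
        report[key] = {
            "hits": len(stamps),
            "watchlist": on_watchlist(key[1]),
            "periodic": periodic,
            "mean_gap_s": round(mean(gaps), 1) if gaps else None,
        }
    return report


def alerts(report: dict) -> list:
    """Rank pairs: watchlist plus beaconing first, then either signal alone."""
    ranked = []
    for (client, host), r in report.items():
        if r["watchlist"] and r["periodic"]:
            ranked.append(("HIGH", client, host))
        elif r["watchlist"] or r["periodic"]:
            ranked.append(("MEDIUM", client, host))
    return sorted(ranked)


if __name__ == "__main__":
    for severity, client, host in alerts(analyze(SAMPLE_LOG)):
        print(severity, client, host)
```

    Real malware jitters its sleep interval, so raise `max_cv` and look at longer windows before trusting a negative; the regularity check is there to separate a backdoor polling its cloud mailbox from a person who opened a shared folder once.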

  • Russian GRU Is Hacking IP Cameras and Logistics Firms to Spy on Aid Deliveries from Western Allies to Ukraine
    by Mihir Bagwe on May 21, 2025 at 4:56 pm

    In a joint cybersecurity advisory issued today, U.S. and allied intelligence agencies confirmed what many threat analysts have long suspected: Russia's GRU military intelligence agency is systematically targeting the digital backbone of logistics and transportation providers across Europe and North America. The campaign, detailed in a 25-page report from the NSA, FBI, CISA and partners from 10 countries, including the U.K., Australia and Germany, spotlights a coordinated cyber espionage effort by GRU Unit 26165, more widely tracked in the threat intelligence world as APT28, Fancy Bear or Forest Blizzard.

    Targets at the center of the campaign were freight operators, rail networks, air traffic systems and cloud technology vendors: anyone with a role in getting military and humanitarian aid to Ukraine. Targeted organizations span 14 countries, and the camera hacking reached into Hungary, a Russian ally.

    Russian GRU Campaign: Not Just Malware, Surveillance Too

    What stands out in the report is the scale and creativity of the GRU's tactics. The hackers aren't just hijacking email servers or pushing trojans. They are also breaking into IP cameras, more than 10,000 of them, mostly near the Ukrainian borders, abusing weak or default credentials and exposed RTSP services to turn physical surveillance into digital eyes on the ground.

    Figure: List of countries where IP cameras were targeted. (Source: defense.gov)

    In parallel, GRU operators launched targeted intrusions against shipping and logistics companies, exploiting familiar weaknesses: unpatched Exchange servers, the WinRAR bug CVE-2023-38831 and the Outlook NTLM-leak bug CVE-2023-23397. The aim was to steal shipment manifests, routing information and other sensitive business data that could reveal troop or equipment movements. Combining stolen shipping data with compromised video feeds likely gives the attackers real-time visibility into what is moving, where and when. It is tactical intelligence collection at enterprise scale.

    The GRU Malware Stack

    The HEADLACE backdoor, first reported by IBM X-Force during the Israel-Hamas conflict, was found embedded in malicious shortcut files. Once activated, it ran headless browser sessions to exfiltrate stolen data, clear logs and maintain access.

    MASEPIE, a Python-based backdoor, offered remote shell access, file transfers and command execution, often disguised as a routine background process. Another tool, STEELHOOK, harvested credentials from browsers such as Chrome and Edge by decrypting stored passwords with PowerShell. The actors also leaned on LOLBins (legitimate system tools such as ntdsutil, wevtutil and ADExplorer) to evade detection and live off the land.

    In one case, GRU hackers gained control of an ICS vendor's email platform, then pivoted to compromise customers in the railway sector. In another, they used stolen credentials and MFA fatigue techniques to access VPN infrastructure at a shipping company.

    What the Russian GRU Wants

    This isn't a smash-and-grab ransomware operation. It is long-term surveillance: a campaign designed to persist, quietly gather intelligence and interfere only when necessary. And while the report doesn't name any target by company, the industries hit hardest (logistics, transportation and defense-adjacent vendors) are the same ones that move military hardware, humanitarian supplies and critical infrastructure parts into conflict zones. The big concern? These compromised networks could give Russia a battlefield edge, whether by intercepting aid, sabotaging supply lines or simply watching how the West moves.

    How Companies Should Respond

    The advisory includes a long list of technical mitigations, including:

      • Blocking known C2 infrastructure
      • Hardening VPN and email access
      • Reconfiguring exposed IP cameras
      • Patching known exploited vulnerabilities (especially in Outlook, Exchange and WinRAR)
      • Monitoring PowerShell use and system tool abuse

    But there is also a broader message: if you are in the logistics or defense supply chain, and especially if you support Ukraine, even indirectly, you are already a target. Organizations in these sectors should assume compromise and act accordingly, the advisory suggests.

    The Big Picture

    Russia's digital playbook in Ukraine is evolving. While early campaigns relied on headline-grabbing wipers and power grid attacks, the new frontier is far more strategic and far more subtle. What we are seeing now is cyberwar as surveillance: fewer fireworks, more cameras. The GRU isn't just breaking things; it is watching, learning and waiting. And for companies moving cargo or manufacturing gear with ties to conflict zones, that means cybersecurity is no longer just a compliance issue. It is operational security. It is national security.
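    The mitigation list ends with monitoring PowerShell and system-tool abuse, and the malware section names the tools the GRU leaned on (ntdsutil, wevtutil, ADExplorer, and STEELHOOK's PowerShell credential decryption). Below is an added example, not code from the advisory or from this article, of the process-creation hunt a detection engineer would write for those tools: it runs a handful of constructed Sysmon-style events through argument-level rules and flags only the abusive invocations, leaving ordinary uses of the same binaries alone. The field names, the sample events and the argument patterns are assumptions made for the demonstration.

```python
"""Hunt for the living-off-the-land activity the advisory lists.

Added example, not code from the advisory or from The Cyber Express. The
input is a list of constructed process-creation records carrying the three
fields Sysmon Event ID 1 (or Windows 4688) would give you: image path,
command line and parent image. The field names, the sample events and the
argument patterns are assumptions made for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process image
    command_line: str   # raw command line as logged
    parent_image: str   # full path of the parent process image


# (rule name, regex on the image path, regex on the command line).
# The tools are the LOLBins the advisory names (ntdsutil, wevtutil,
# ADExplorer) plus PowerShell; the argument patterns are the ones each tool
# needs for the abuse described: dumping the AD database, clearing event
# logs, snapshotting AD, and STEELHOOK-style browser credential decryption
# through DPAPI. Matching on arguments keeps benign admin use out of the alerts.
RULES = [
    ("ntdsutil_ad_dump", r"ntdsutil\.exe$",
     r"(?i)\b(ac\s+i\s+ntds|activate\s+instance\s+ntds|ifm\b|create\s+full)"),
    ("wevtutil_log_clear", r"wevtutil\.exe$",
     r"(?i)\b(cl|clear-log)\b"),
    ("adexplorer_snapshot", r"adexplorer(64)?\.exe$",
     r"(?i)-snapshot\b"),
    ("powershell_browser_creds", r"(powershell|pwsh)\.exe$",
     r"(?i)(login\s*data|local\s*state|ProtectedData\]::Unprotect|DPAPI)"),
]


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches; empty means benign."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, ev.image, re.IGNORECASE) and re.search(cmd_re, ev.command_line):
            hits.append(name)
    return hits


def hunt(events: Iterable[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Run every event through the rules and keep only the suspicious ones."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev, hits))
    return flagged


# Constructed sample events, not taken from any real incident.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent(SYS32 + r"\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" ifm "create full C:\temp\ntds" q q',  # AD database dump
              SYS32 + r"\cmd.exe"),
    ProcEvent(SYS32 + r"\wevtutil.exe",
              "wevtutil.exe qe Application /c:5",                               # benign log query
              SYS32 + r"\cmd.exe"),
    ProcEvent(SYS32 + r"\wevtutil.exe",
              "wevtutil.exe cl Security",                                       # log clearing
              SYS32 + r"\cmd.exe"),
    ProcEvent(r"C:\Users\Public\ADExplorer64.exe",
              r'ADExplorer64.exe -snapshot "" C:\Users\Public\ad.dat',          # AD snapshot to disk
              SYS32 + r"\cmd.exe"),
    ProcEvent(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service",                 # benign
              SYS32 + r"\svchost.exe"),
    ProcEvent(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -c Copy-Item 'C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data' $env:TEMP\ld; [System.Security.Cryptography.ProtectedData]::Unprotect($k,$null,'CurrentUser')",
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for ev, hits in hunt(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", ev.command_line[:70])
```

    The rules are deliberately narrow: wevtutil is fine until it is asked to clear a log, and ntdsutil is fine until it activates the NTDS instance or creates an IFM media set. In production the same shape would be fed from the SIEM's process-creation stream rather than the embedded list, and the parent image would feed a second layer of rules (an Office process spawning PowerShell, for instance).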

  • Türkiye-linked Hackers Exploit Output Messenger Zero-Day in Targeted Espionage Campaign
    by Mihir Bagwe on May 12, 2025 at 6:39 pm

    When a zero-day flaw surfaces in an enterprise tool that no one talks about publicly, it is tempting to write it off as niche. But Marbled Dust's recent campaign exploiting CVE-2025-27920 in Output Messenger is anything but. Microsoft Threat Intelligence has linked a string of targeted cyberattacks to Marbled Dust, a Türkiye-affiliated threat actor, using a previously unknown vulnerability in Output Messenger, a self-hosted enterprise chat app. The campaign, ongoing since April 2024, targeted Kurdish military-linked users in Iraq and reflects a growing shift in how regionally motivated cyber-espionage unfolds.

    Output Messenger: The Tool You Didn't Expect to Matter

    Output Messenger isn't WhatsApp or Slack. It is a low-profile, multiplatform chat tool often used by organizations that want on-premises communication. That makes it a perfect blind spot: not widely scrutinized, but widely trusted within internal networks. Marbled Dust saw the opportunity and pounced.

    The attackers used CVE-2025-27920, a directory traversal flaw in Output Messenger Server Manager, to write malicious scripts into a startup folder. From there they executed a stealthy multi-stage backdoor deployment, with exfiltration and C2 infrastructure masked behind seemingly benign domains such as api.wordinfos[.]com. Microsoft credits Srimax, Output Messenger's vendor, for releasing timely patches (v2.0.62+), but many organizations remain unpatched. That is where Marbled Dust gets its access.

    Inside the Marbled Dust Attack Chain

    The campaign starts with Marbled Dust gaining authenticated access to Output Messenger's Server Manager. Microsoft isn't certain how those credentials are initially harvested, but suspects DNS hijacking and typo-squatted login portals, tactics the group has used before.

    Figure: Marbled Dust attack chain. (Source: Microsoft Threat Intelligence)

    Once in, the threat actor exploits the directory traversal bug to drop a malicious VBS file into the Windows startup folder. This script launches OMServerService.exe, a Go backdoor disguised as a legitimate service binary. Go offers a bonus: cross-platform builds and fewer signature-based detections. The backdoor connects to Marbled Dust's C2 domain, checks connectivity, sends host data, and then executes whatever commands the attacker sends back. In one case, a victim's device was seen uploading sensitive files packaged in a RAR archive, with PuTTY's command-line client, plink.exe, as the exfiltration vehicle.

    On the client side, users who downloaded infected Output Messenger installers got more than they expected. The installer bundled the legitimate OutputMessenger.exe with a secondary payload, OMClientService.exe, another Go backdoor beaconing to the same C2 endpoint.

    Who Is Marbled Dust?

    Microsoft links Marbled Dust to past DNS hijacking and credential-harvesting campaigns. The group overlaps with activity tracked as Sea Turtle and UNC1326, and has been observed targeting organizations with interests adverse to Ankara's. Its focus areas include the Middle East and Europe, with recent emphasis on the telecom and government sectors.

    This campaign signals a shift. While earlier Marbled Dust activity relied on known vulnerabilities, the use of a true zero-day suggests either growing internal capabilities or increased urgency in its operational objectives.

    Why the Output Messenger Exploit Matters

    This is a lesson in how fringe enterprise tools can become high-value targets. While most security teams are busy patching the usual suspects (Office macros, web proxies, VPNs), tools like Output Messenger quietly hum along in the background until someone like Marbled Dust takes an interest. And let's be clear: this isn't a commodity threat. It is regional espionage with carefully picked targets and minimal noise. The entire campaign operated with precision, focused on credential theft, internal surveillance and quiet access, not ransomware or mass disruption.

    What You Should Do Now

    Microsoft urges immediate patching of Output Messenger to versions 2.0.62 (server) and 2.0.63 (client). Organizations using this app should:

      • Audit all current installations for signs of the exploit (look for unusual VBS and EXE files in startup directories)
      • Monitor outbound connections to api.wordinfos[.]com
      • Check for unauthorized use of plink.exe or unexpected outbound SSH sessions
      • Isolate any systems communicating with suspicious C2 infrastructure

    Marbled Dust's campaign isn't about splashy headlines. It is quiet, focused, and a warning shot to organizations running obscure enterprise software without hardening it. Zero-days don't just live in browsers and VPNs anymore. They live in your internal chat apps, your ticketing systems, the software you forgot to watch. And attackers? They are watching all of it.
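    The bug class at the heart of this campaign, as an added example that is not Output Messenger's code, Srimax's patch or anything from Microsoft's report: a file-upload handler that joins an attacker-controlled name onto its upload directory, beside a hardened version that resolves the final path and refuses anything that lands outside that directory. The page does not describe the Server Manager's real code, so the handler, the directory layout (a stand-in "Startup" folder next to the upload directory) and the traversal payload are all constructed for the demonstration.

```python
"""Directory traversal in an upload handler: the vulnerable shape and a hardened one.

Added example, not code from Output Messenger, Srimax or Microsoft's report;
the page does not describe the Server Manager's real code. The handler, the
directory layout and the traversal payload below are assumptions used to
show the CVE-2025-27920 bug class.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when an upload name would land outside the upload directory."""


def save_upload_unsafe(upload_dir: str, name: str, data: bytes) -> str:
    """Vulnerable: trusts the client-supplied name.

    os.path.join keeps '..' segments, and an absolute `name` discards
    `upload_dir` entirely, so the client chooses where the file lands
    (for example a user's Startup folder, as in the campaign).
    """
    dest = os.path.join(upload_dir, name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def _inside(base: Path, candidate: Path) -> bool:
    """True if candidate is strictly below base (both already resolved)."""
    return candidate != base and candidate.parts[: len(base.parts)] == base.parts


def safe_upload_path(upload_dir: str, name: str) -> Path:
    """Hardened: resolve the final path and require it to stay under upload_dir.

    Resolving (instead of string-prefix checks on the raw name) also defeats
    symlinks planted inside the upload directory and '..' segments that only
    normalise away after joining.
    """
    if not name or "\x00" in name or "\\" in name:
        # NUL truncates names in C-based file APIs; a backslash is a separator
        # on a Windows server even though POSIX os.path treats it as a character.
        raise TraversalError(f"illegal upload name: {name!r}")
    base = Path(upload_dir).resolve()
    candidate = (base / name).resolve()  # an absolute `name` drops `base` here; the check below catches it
    if not _inside(base, candidate):
        raise TraversalError(f"upload name escapes {base}: {name!r}")
    return candidate


def save_upload_safe(upload_dir: str, name: str, data: bytes) -> str:
    dest = safe_upload_path(upload_dir, name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return str(dest)


def demo() -> dict[str, bool]:
    """Build a throwaway tree shaped like the attack relies on (an upload
    directory with a 'Startup' directory two levels up), then try the same
    traversal name against both handlers and report what landed where."""
    root = Path(tempfile.mkdtemp(prefix="om-demo-")).resolve()
    uploads = root / "server" / "uploads"
    startup = root / "Startup"            # stand-in for the per-user Windows Startup folder
    uploads.mkdir(parents=True)
    startup.mkdir()
    payload = "../../Startup/update.vbs"  # constructed traversal name
    stub = b"' constructed VBS stand-in, does nothing\r\n"

    landed = Path(save_upload_unsafe(str(uploads), payload, stub)).resolve()
    try:
        save_upload_safe(str(uploads), payload, stub)
        blocked = False
    except TraversalError:
        blocked = True
    benign = Path(save_upload_safe(str(uploads), "notes.txt", b"hello"))
    return {
        "unsafe_wrote_into_startup": landed.parent == startup,
        "safe_blocked_traversal": blocked,
        "safe_kept_benign_inside_uploads": benign.parent == uploads,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

    The containment check runs on the resolved path, not on the raw name, because a name that passes a naive ".." filter can still escape once symlinks or normalisation are applied. On a Windows host the same logic applies, with the extra rule that backslashes are separators too.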

  • Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
    by Mihir Bagwe on April 28, 2025 at 5:48 pm

    A trusted tool has turned traitor. A new Citizen Lab investigation reveals that UyghurEditPP, a legitimate open-source Uyghur-language text editor, has been weaponized to spy on members of the World Uyghur Congress (WUC). The attack, uncovered in March 2025, shows how threat actors have shifted to exploiting trusted cultural tools to launch cyber-espionage campaigns against diaspora communities.

    The attack started the old-fashioned way, with an email. WUC members received a spearphishing message posing as a partner organization. It offered what seemed like an innocuous task: download and test a Uyghur-language software tool. The email contained a Google Drive link to a password-protected archive. Inside? A booby-trapped version of UyghurEditPP.

    The trojanized app looked and behaved like the real thing, right down to its interface. But hidden under the hood, it deployed malware designed to quietly burrow into the victims' systems. Once installed, it could collect system information, upload or download files, and run custom plugins for more complex operations.

    A Custom Backdoor with a Uyghur Disguise

    Citizen Lab's technical teardown showed that the malware communicated with its command-and-control (C2) servers through domains such as tengri.ooguy.com and anar.gleeze.com, names borrowing from Central Asian cultural references. These servers were hosted at a cloud provider known for lax controls and frequent abuse by cybercriminals. Adding to the deception, the servers presented TLS certificates impersonating Microsoft. Such a certificate would not pass chain validation in a browser, but a Microsoft-looking subject name blends into the background noise of ordinary enterprise traffic and draws less attention from analysts and network monitoring that look only at certificate names.

    Not Just a One-Off: Evidence of Long-Term Planning

    This wasn't a quick-and-dirty operation. The attackers set up websites such as gheyret.com and gheyret.net, designed to look like they belonged to Uyghur software developers. They even faked download pages for UyghurEditPP to make the malicious file seem legitimate. Citizen Lab researchers believe the campaign reflects a high level of planning and resource investment, likely showing a long-term commitment to infiltrating Uyghur communities through digital means.

    Bigger Than One Organization

    While this particular campaign targeted WUC, it is part of a broader pattern of digital transnational repression. Over the past decade, multiple investigations have documented attempts to harass, monitor and silence Uyghur activists and dissidents abroad. The methods vary. From phishing attacks and spyware campaigns to social engineering and disinformation, threat actors have consistently adapted their tactics. The latest twist, weaponizing culturally significant software, is a troubling evolution. By hijacking trusted tools, attackers erode the very foundations of community trust. It is akin to someone weaponizing your own language. It is psychological warfare, not just technical.

    "Targets have reported experiencing feelings of insecurity, guilt, fear, uncertainty, mental and emotional distress, and burnout from these attacks," the Citizen Lab researchers said, drawing on earlier, similar investigations.

    Inside the Malware's Playbook

    According to Citizen Lab's technical findings, the backdoor bundled with UyghurEditPP was no ordinary spyware. It featured modular plugins, allowing attackers to tailor their operations to the target. Among its core capabilities:

      • System profiling: collects information about the infected device
      • File operations: uploads, downloads and executes files
      • Command execution: runs arbitrary system commands on demand
      • Custom plugins: extends functionality without redeploying new malware

    By blending legitimate software functionality with covert surveillance capabilities, the attackers achieved a potent balance of usability and stealth.

    Attribution: A Familiar Playbook, An Unknown Actor

    Citizen Lab stopped short of attributing the attack to a known government or hacking group. However, the techniques, targets and infrastructure bear a strong resemblance to past China-aligned cyber operations aimed at Uyghur individuals and organizations. The campaign's sophistication suggests access to considerable resources and a deep understanding of Uyghur cultural dynamics, both hallmarks of state-sponsored cyber-espionage.

    Digital Safety Lessons for At-Risk Communities

    The WUC attack is a wake-up call not just for Uyghur activists but for every marginalized or targeted community online. Trust, once broken, is hard to rebuild. Software, even familiar open-source tools, must now be treated with a layer of healthy skepticism. Citizen Lab advises:

      • Verify downloads: always source software directly from official repositories, not third-party links.
      • Use endpoint protection: invest in reputable antivirus and behavior-monitoring tools.
      • Enable two-factor authentication: it makes account hijacking harder, even when malware is present.
      • Stay updated: keep systems patched and subscribe to cybersecurity advisories relevant to your community.

    The Personal Cost of Cyber-Conflict

    Cyberattacks like this one aren't just technical skirmishes. They are personal. They target trust, language, identity, the invisible threads that hold communities together. Weaponizing UyghurEditPP shows a level of creativity and cruelty. It is a digital assault on an already persecuted community, designed to monitor, intimidate and ultimately control. As this campaign shows, defending against cyberthreats isn't just about firewalls and patches. It is also about defending culture, community and the very right to communicate safely.
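    Citizen Lab's first piece of advice, verifying downloads, is the point at which a trojanized editor like this one is easiest to catch. The script below is an added example, not code from Citizen Lab or from the UyghurEditPP project: it parses a publisher's sha256sum-style manifest, hashes the files actually on disk, compares digests in constant time and reports not only mismatches and missing files but files the publisher never listed, which is what an extra bundled payload looks like. The release files, digests and directory are constructed in a temporary folder so the example runs offline; the "UyghurEditPP.exe" in it is a stand-in, not the real binary.

```python
"""Verify a downloaded release against a publisher's checksum manifest.

Added example, not from Citizen Lab's report or the UyghurEditPP project.
The manifest format is the common `sha256sum` output (hex digest, then two
spaces or ' *', then filename); the release files and digests below are
constructed in a temporary directory so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map filename -> expected hex digest; blank lines and '#' comments are skipped."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_release(release_dir: str, manifest_text: str,
                   manifest_name: str = "SHA256SUMS") -> dict[str, list[str]]:
    """Classify every file as ok, mismatch, missing, or unlisted.

    'unlisted' is the class that catches a trojanized bundle: a file the
    publisher never shipped, sitting next to the ones they did.
    """
    base = Path(release_dir)
    expected = parse_manifest(manifest_text)
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        p = base / name
        if not p.is_file():
            result["missing"].append(name)
            continue
        # compare_digest keeps the comparison constant-time
        bucket = "ok" if hmac.compare_digest(sha256_file(p), digest) else "mismatch"
        result[bucket].append(name)
    for p in sorted(base.rglob("*")):
        if p.is_file():
            rel = p.relative_to(base).as_posix()
            if rel not in expected and rel != manifest_name:
                result["unlisted"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Construct a fake release: one genuine file, one altered after the
    publisher hashed it, one file the publisher never listed, and one listed
    file that is absent from the download."""
    root = Path(tempfile.mkdtemp(prefix="release-"))
    genuine = b"constructed stand-in for the editor build\n"
    (root / "UyghurEditPP.exe").write_bytes(genuine)        # stand-in, not the real binary
    (root / "README.txt").write_bytes(b"tampered after download\n")
    (root / "helper.dll").write_bytes(b"nobody listed me\n")  # the extra payload pattern
    manifest = "\n".join([
        "# constructed manifest, as a publisher would post alongside a release",
        f"{hashlib.sha256(genuine).hexdigest()}  UyghurEditPP.exe",
        f"{hashlib.sha256(b'original readme').hexdigest()}  README.txt",
        f"{'0' * 64}  LICENSE",
    ])
    return verify_release(str(root), manifest)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

    Fetch the manifest over a different channel from the archive itself (the project's repository page or a signed release note rather than the mirror that served the download); a manifest served from the same place as a tampered archive proves nothing, and a checksum alone cannot tell a malicious build signed by the attacker's own infrastructure from a legitimate one.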

  • China Names Four Hackers of Taiwan’s Cyber Army Targeting Beijing Critical Infrastructure
    by Mihir Bagwe on March 18, 2025 at 8:04 pm

    China has accused four Taiwanese individuals of being hackers associated with Taiwan's military cyber force, claiming they were responsible for cyberattacks against Beijing. The Ministry of State Security (MSS) identified them as members of Taiwan's Information, Communications and Electronic Force Command (ICEFCOM), publishing their names, photographs, birthdates and job titles. The accusations add another layer of friction to an already hostile relationship between the two nations.

    China's Allegations Against Taiwan's ICEFCOM

    According to China's MSS, ICEFCOM has been involved in cyberattacks targeting China's critical infrastructure. The ministry stated that Taiwan's cyber force, also known as the "Internet Army," has been working with external hackers and cybersecurity firms to launch cyber espionage and infiltration campaigns. "Their activities include espionage, sabotage, and propaganda," the MSS said.

    Since its establishment, ICEFCOM has conducted targeted cyberattacks and infiltration operations against critical Chinese infrastructure, the MSS stated in an official release. China claimed that the attacks focused on systems controlling waterworks, power grids, telecommunications networks and surveillance cameras, aiming to disrupt national stability. The MSS also accused ICEFCOM of attempting to breach databases containing sensitive information on Chinese citizens, government officials and military operations. Beijing labeled these activities as part of Taiwan's broader intelligence-gathering efforts, allegedly backed by foreign entities.

    Taiwan Rejects Claims, Calls China the Real Cyber Aggressor

    Taiwan's Ministry of National Defense swiftly rejected China's accusations, calling them an attempt to shift blame. Taiwan has repeatedly stated that its cyber units focus on defensive measures rather than offensive operations. The military's cybersecurity forces do not engage in cyberattacks, Taiwan's defense ministry said in a statement. Taipei accused Beijing of fabricating claims to justify its own cyber activities against Taiwan.

    Taiwan recently released its own report detailing Beijing's cyber tactics over the past year. Taiwan's National Security Bureau (NSB) stated that cyberattacks against Taiwan's government departments averaged 2.4 million per day in 2024. The report suggested that China's state-sponsored hackers have been refining their cyber warfare techniques to exert political and economic pressure on Taipei.

    China's Cyberattack Techniques in 2024

    Taiwan's NSB report outlined the key methods China used in its cyber operations throughout 2024. The tactics ranged from phishing campaigns to large-scale data breaches designed to compromise government and military networks.

    One of the primary strategies involved Advanced Persistent Threat (APT) groups linked to the Chinese government. These groups infiltrated Taiwanese organizations using malware-laced emails and trojanized software updates. Some of the most sophisticated attacks targeted supply chain vendors, allowing hackers to bypass traditional security measures and infiltrate government networks undetected.

    China also leveraged artificial intelligence (AI)-driven cyber tools to automate large-scale attacks. The report described AI-enhanced malware that adapted in real time, making it harder for cybersecurity teams to detect and neutralize threats, and noted that China's hackers used generative AI models to craft realistic phishing emails that closely mimicked official government communications, deceiving even experienced professionals.

    Another concerning development was China's increasing use of zero-day exploits, previously unknown software vulnerabilities used before they can be patched. Beijing's cyber units deployed these exploits against Taiwan's critical infrastructure, targeting national defense systems, financial institutions and telecom providers.

    Growing Cyber Conflict Between Beijing and Taipei

    Taiwan has long been a focal point of Chinese cyber operations, but the scale and sophistication of attacks in 2024 marked a significant escalation, tracking the physical tensions between the two nations. Chinese hackers reportedly infiltrated multiple Taiwanese defense contractors, attempting to extract classified military research and technology blueprints.

    The growing cyber conflict has also hit Taiwan's private sector. The NSB noted that Chinese threat actors carried out ransomware attacks against Taiwanese semiconductor firms, aiming to disrupt one of the world's most crucial industries. Additionally, Beijing allegedly sought to manipulate Taiwanese social media platforms, spreading disinformation to sway public opinion ahead of key political events.

    With China publicly accusing Taiwan of cyberattacks and Taiwan providing detailed evidence of Beijing's own operations, tensions in cyberspace continue to rise. Both nations remain locked in a digital conflict in which information warfare plays a crucial role in their broader geopolitical struggle.

    China's allegations against Taiwan come amid an increasingly hostile landscape in the Asia-Pacific region. While Beijing has labeled Taiwan's ICEFCOM a cyber threat, Taipei maintains that China is the real aggressor, orchestrating millions of attacks a day. Taiwan's latest findings indicate that China's cyber capabilities are evolving rapidly, incorporating AI, zero-day exploits and supply chain attacks to gain strategic advantages. As cyberwarfare becomes a critical battleground, both nations are likely to keep investing in offensive and defensive cyber capabilities, experts suggest.
