Espionage - The Cyber Express: Trending Cybersecurity News, Updates, Magazine and More.
- MI5 Issues Spy Alert as Chinese Intelligence Targets UK Parliament Through LinkedIn by Mihir Bagwe on November 19, 2025 at 11:12 am
Two headhunters named Amanda Qiu and Shirly Shen appeared on LinkedIn offering lucrative freelance work authoring geopolitical consultancy reports, but MI5 now confirms they served as fronts for China’s Ministry of State Security, conducting recruitment operations targeting British parliamentarians, staffers, and officials with access to sensitive government information.

On Tuesday, Britain’s domestic intelligence service issued an espionage alert to MPs, Peers, and Parliamentary staff warning that Chinese intelligence officers are attempting to recruit individuals through professional networking sites in what Security Minister Dan Jarvis characterized as a “covert and calculated attempt by China to interfere with our sovereign affairs”. House of Commons Speaker Lindsay Hoyle circulated the MI5 alert warning that Chinese state actors were “relentless” in their efforts to interfere with parliamentary processes and influence activity at Westminster. The alert named two specific LinkedIn profiles believed to be conducting outreach at scale on behalf of Beijing’s intelligence apparatus.

Social Engineering Route

MI5 assessed that the Ministry of State Security was using websites like LinkedIn to build relationships with parliamentarians to collect sensitive information on the UK for strategic advantage. The fake headhunter profiles offered consulting opportunities while actually intending to lay groundwork for long-term relationships that could be exploited for intelligence collection. Security Minister Jarvis told Parliament that targets extended beyond parliamentary staff to include economists, think tank consultants, and government officials.

“This government’s first duty is to keep the country safe, which is why I’ve announced new action to give security officials the powers and tools they need to help disrupt and deter foreign espionage activity wherever they find it,” Jarvis stated.

The minister said the espionage alerts represent one of the main tools used to undermine spies’ ability to operate, with the public exposure intended to disrupt ongoing recruitment operations and warn potential targets.

Pattern of Hostile Activity

Jarvis noted the LinkedIn recruitment attempts build on a pattern of hostile activity from China, citing Beijing-linked actors targeting parliamentary emails in 2021 and attempted foreign interference activity by Christine Lee in 2022. Lee, a London-based lawyer, was accused by MI5 of facilitating covert donations to British parties and legislators on behalf of foreign nationals coordinating with the Chinese Communist Party’s United Front Work Department.

The alert arrives weeks after prosecutors abruptly abandoned a case against two British men charged with spying on MPs for Beijing. Christopher Cash, a former parliamentary researcher, and Christopher Berry, an academic, faced charges under the Official Secrets Act 1911, but prosecutors claimed the government’s evidence was missing a critical element. That critical element was the government’s refusal to call China an “enemy” or “national security threat,” which prosecutors said meant they had no option but to collapse the case, since the 1911 Act requires information passed on to be useful to an enemy.

New Counter-Espionage Action Plan

The government announced a comprehensive Counter Political Interference and Espionage Action Plan to disrupt and deter state-sponsored spying. Intelligence services will deliver security briefings for political parties and issue new guidance to election candidates helping them recognize, resist, and report suspicious activity. Authorities will work with professional networking sites to make them more hostile operating environments for spies, while new Elections Bill provisions will tighten rules on political donations.

Jarvis added the government will continue taking further action against China-based actors involved in malicious cyber activity against the UK and allies. The government committed £170 million to renew sovereign and encrypted technology that civil servants use to safeguard sensitive work. An additional £130 million will fund projects including building Counter Terrorism Policing’s ability to enforce the National Security Act and supporting the National Cyber Security Centre’s work with critical businesses to protect intellectual property.

Jarvis also informed Parliament that the government completed removal of surveillance equipment manufactured by companies subject to China’s National Intelligence Law from all sensitive sites operated worldwide by the British government.

“As a country with a long and proud history of trading around the world, it’s in our interests to continue to seek an economic relationship with China, but this government will always challenge countries whenever they undermine our democratic way of life,” Jarvis declared.

The National Security Act provides government power to prosecute those engaging in espionage activity, with offenses including obtaining protected information, assisting a foreign intelligence service, and obtaining material benefit from a foreign intelligence service. The government recently introduced the Cyber Security and Resilience Bill to help protect organizations from cyber threats posed by states like China.

Also read: ENISA and European Commission Launch €36 Million EU Cybersecurity Reserve to Strengthen Digital Resilience
- Cyble Detects Phishing Campaign Using Telegram Bots to Siphon Corporate Credentials by Mihir Bagwe on November 11, 2025 at 6:53 pm
Cybersecurity researchers at Cyble have uncovered an extensive phishing campaign that represents a significant evolution in credential theft tactics. The operation, which targets organizations across multiple industries in Central and Eastern Europe, bypasses conventional email security measures by using HTML attachments that require no external hosting infrastructure.

Unlike traditional phishing attacks that rely on suspicious URLs or compromised servers, this campaign embeds malicious JavaScript directly within seemingly legitimate business documents. When victims open these HTML attachments, disguised as requests for quotation (RFQ) or invoices, they’re presented with convincing login interfaces impersonating trusted brands like Adobe, Microsoft, FedEx, and DHL.

How the Attack Works

The attack chain begins with targeted emails posing as routine business correspondence. The HTML attachments use RFC-compliant filenames such as “RFQ_4460-INQUIRY.HTML” to appear legitimate and avoid triggering basic security filters.

Attack Flow (Source: Cyble)

Once opened, the file displays a blurred background image of an invoice or document with a centered login modal, typically branded with Adobe styling. The victim, believing they need to authenticate to view the document, enters their email and password credentials. Behind the scenes, embedded JavaScript captures this data and immediately transmits it to attacker-controlled Telegram bots via the Telegram Bot API. This approach eliminates the need for traditional command-and-control infrastructure, making the operation harder to detect and disrupt.

“The sophistication lies not just in the technical execution but in how it circumvents multiple layers of security,” explains the Cyble Research and Intelligence Labs (CRIL) team. The self-contained nature of the HTML files means they don’t trigger alerts for suspicious external connections during initial email scanning.

Technical Sophistication

Analysis of multiple samples reveals ongoing development and refinement of the attack methodology. Earlier versions used basic JavaScript, while more recent samples implement CryptoJS AES encryption for obfuscation and sophisticated anti-forensics measures. Advanced samples block common investigation techniques by disabling F12 developer tools, preventing right-click context menus, blocking text selection, and intercepting keyboard shortcuts like Ctrl+U (view source) and Ctrl+Shift+I (inspect element). These measures significantly complicate analysis efforts by security researchers and forensic investigators.

The malware also employs dual-capture mechanisms, forcing victims to enter their credentials multiple times while displaying fake “invalid login” error messages. This ensures accuracy of the stolen data while maintaining the illusion of a legitimate authentication failure. Beyond credentials, the samples collect additional intelligence including victim IP addresses (using services like api.ipify.org), user agent strings, and other environmental data that could be valuable for subsequent attacks.

Scale and Targeting

CRIL’s investigation identified multiple active Telegram bots with naming conventions like “garclogtools_bot,” “v8one_bot,” and “dollsman_bot,” each operated by distinct threat actors or groups. The decentralized infrastructure suggests either collaboration among multiple cybercriminal groups or widespread availability of phishing toolkit generators.

The campaign primarily targets organizations in the Czech Republic, Slovakia, Hungary, and Germany, with affected industries including manufacturing, automotive, government agencies, energy utilities, telecommunications, and professional services. The geographic concentration and industry selection indicate careful reconnaissance and targeting based on regional business practices.

Threat actors customize their approach for different markets, using German-language variants for Telekom Deutschland impersonation and Spanish-language templates for other targets. The modular template system enables rapid deployment of new brand variants as the campaign evolves.

Detection and Defense

Security teams face challenges in detecting this threat due to its innovative use of legitimate platforms. Traditional indicators like suspicious URLs or known malicious domains don’t apply when the attack infrastructure consists of HTML attachments and Telegram’s legitimate API.

Cyble recommends organizations implement several defensive measures. Security operations centers should monitor for unusual connections to api.telegram.org from end-user devices, particularly POST requests that wouldn’t occur in normal business operations. Network traffic to third-party services like api.ipify.org and ip-api.com from endpoints should also trigger investigation.

Email security policies should treat HTML attachments as high-risk file types requiring additional scrutiny. Organizations should implement content inspection that flags HTML attachments containing references to the Telegram Bot API or similar public messaging platforms.

For end users, the guidance remains straightforward: exercise extreme caution with unsolicited HTML attachments, especially those prompting credential entry to view documents. Any unexpected authentication request should be verified through independent channels before entering credentials.

Cyble has published complete indicators of compromise, including specific bot tokens, attachment patterns, and YARA detection rules, to its GitHub repository, enabling security teams to hunt for signs of compromise within their environments and implement preventive controls.

Also read: Over 20 Malicious Crypto Wallet Apps Found on Google Play, CRIL Warns
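The two detection ideas in the Cyble recommendations, content inspection of HTML attachments and monitoring of endpoint egress to api.telegram.org and IP-lookup services, as an added example that is not Cyble's code or its published YARA rules. The indicator patterns, the Telegram token format, the HTML fragment and the proxy-log format are all assumptions constructed for this example.

```python
import re

# Added example, not Cyble's tooling: triage helpers for the two detection
# ideas above. One inspects an HTML attachment for the indicators the report
# describes (Telegram Bot API exfiltration, IP-lookup services, CryptoJS,
# anti-analysis handlers); the other flags proxy-log egress to those services
# from end-user devices. Sample HTML and log lines below are constructed.

# Telegram bot tokens look like "<8-10 digits>:<35 chars>" (format assumption).
TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

HTML_INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram_bot_token": TOKEN_RE,
    "ip_lookup_service": re.compile(r"api\.ipify\.org|ip-api\.com", re.I),
    "cryptojs_aes": re.compile(r"CryptoJS\.AES\.(?:en|de)crypt"),
    # F12 (keyCode 123), right-click and text-selection blocking handlers
    "anti_analysis": re.compile(
        r"keyCode\s*===?\s*123|['\"]F12['\"]|contextmenu|selectstart", re.I),
    "credential_form": re.compile(r"<input[^>]+type=['\"]?password", re.I),
}

IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}


def scan_html_attachment(html: str) -> dict:
    """Return the matched indicator names and a verdict for one attachment."""
    hits = [name for name, rx in HTML_INDICATORS.items() if rx.search(html)]
    exfil = "telegram_bot_api" in hits or "telegram_bot_token" in hits
    if exfil and "credential_form" in hits:
        verdict = "high"        # credential prompt wired to a Telegram exfil path
    elif exfil or "cryptojs_aes" in hits or "anti_analysis" in hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


def redact_token(text: str) -> str:
    """Mask bot tokens before a finding is copied into a ticket or SIEM."""
    return TOKEN_RE.sub("<redacted-bot-token>", text)


def flag_proxy_log(lines) -> list:
    """Flag egress that should not originate from end-user devices.

    Constructed log format: '<timestamp> <src_ip> <method> <url> <status>'.
    Returns (src_ip, reason, url) tuples.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed lines
        _ts, src, method, url, _status = parts
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        if host == "api.telegram.org" and method.upper() == "POST":
            findings.append((src, "telegram_bot_post", redact_token(url)))
        elif host in IP_LOOKUP_HOSTS:
            findings.append((src, "ip_lookup", url))
    return findings


FAKE_TOKEN = "123456789:" + "A" * 35       # constructed, not a real token

# Constructed fragment carrying the indicator strings, not a working lure.
SAMPLE_HTML = f"""<html><body>
<input type="email"><input type="password">
<script>
document.addEventListener("contextmenu", e => e.preventDefault());
var u = "https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage";
fetch("https://api.ipify.org?format=json");
</script></body></html>"""

# Constructed proxy log: one workstation doing an IP lookup then a bot POST.
SAMPLE_LOG = [
    "2025-11-11T09:14:02Z 10.0.5.23 GET https://www.example.com/ 200",
    "2025-11-11T09:14:05Z 10.0.5.23 GET https://api.ipify.org/?format=json 200",
    f"2025-11-11T09:14:06Z 10.0.5.23 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200",
    "2025-11-11T09:15:10Z 10.0.7.4 GET https://api.telegram.org/ 200",
]

if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_HTML))
    for finding in flag_proxy_log(SAMPLE_LOG):
        print(*finding)
```

The GET to api.telegram.org from the second host is deliberately not flagged, matching the report's emphasis on POST requests; widen the rule if your environment has no legitimate Telegram use at all.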
- Chinese Hackers Impersonate U.S. Congressman in Malware Sting on Trade Stakeholders: Report by Mihir Bagwe on September 8, 2025 at 9:37 am
Chinese hackers, allegedly linked to the state, attempted to infiltrate U.S. networks during sensitive trade discussions earlier this year by impersonating a sitting congressman, according to a report in The Wall Street Journal.

In July, as Washington and Beijing prepared for high-level trade negotiations in Sweden, targeted emails were sent to American trade groups, law firms, and federal agencies. The messages, appearing to come from Representative John Moolenaar, chairman of the House committee on U.S.-China strategic competition, urged recipients to review draft sanctions legislation. The attachment, however, contained spyware, the Journal reported.

Investigators later attributed the activity to APT41, a hacking group long suspected of ties to China’s Ministry of State Security. Cyber analysts told the Journal that if opened, the attachment could have given attackers deep access to victim systems, enabling them to extract sensitive documents and monitor ongoing negotiations.

The FBI confirmed it was investigating. “We are working with our partners to identify and pursue those responsible,” an FBI spokesperson told the newspaper. Capitol Police declined to comment.

Moolenaar condemned the operation, calling it “another example of China’s offensive cyber operations designed to steal American strategy and leverage it.” He added, “We will not be intimidated.”

Beijing rejected the allegations, with a Chinese Embassy statement insisting that the country “firmly opposes and combats all forms of cyber attacks and cyber crime” and warning against “smearing others without solid evidence.”

APT41’s Technical Playbook

APT41, also tracked under aliases such as Double Dragon and Barium, is one of China’s most versatile state-sponsored groups. Analysts told the Journal that the group’s hallmark is its dual-use capability: conducting espionage on behalf of the state while also engaging in financially motivated cybercrime.

The group has a long history of using spear-phishing and watering-hole attacks, often impersonating trusted figures or exploiting zero-day vulnerabilities. Its malware arsenal includes ShadowPad, a modular backdoor frequently used in Chinese espionage campaigns, and other custom loaders designed to maintain persistence.

Also read: Chinese Hackers Targeted Taiwanese Research Institute with ShadowPad and Cobalt Strike

APT41 also makes heavy use of publicly available exploits. Past alerts from U.S. agencies note the group’s exploitation of vulnerabilities in Citrix, Atlassian Confluence, and Microsoft Exchange. Analysts believe the spyware used in the Moolenaar impersonation likely followed a familiar playbook: reconnaissance, credential harvesting, lateral movement, and long-term surveillance.

A Track Record of Global Intrusions

The campaign described by the Journal is not an isolated incident. In 2020, the U.S. Department of Justice indicted five Chinese nationals linked to APT41 on charges of hacking more than 100 companies worldwide. Victims included software firms, universities, telecom providers, and even non-profit organizations. Prosecutors alleged the group stole source code, proprietary business information, and intellectual property on a massive scale.

Beyond espionage, APT41 has been tied to cybercrime for profit. Researchers have documented its role in stealing digital gaming currency and selling access to compromised servers. The group’s ability to switch seamlessly between state-directed intelligence operations and financially motivated crime sets it apart from many other advanced persistent threat (APT) groups.

More recently, APT41 has been implicated in targeting the healthcare sector, with reports of attempted intrusions into hospitals and pharmaceutical firms during the COVID-19 pandemic. Security analysts say such activity aligns with Beijing’s interest in gaining access to sensitive medical research and health data.

Espionage Pattern

The phishing campaign took place just days before negotiators agreed to extend a tariff truce and resume discussions on a possible summit between President Trump and Chinese President Xi Jinping. Experts noted that compromising advisory groups or law firms tied to the talks would allow Beijing to anticipate U.S. positions and adjust its strategy.

Mandiant told the Journal that the spyware in this case could have burrowed deep into networks, enabling long-term monitoring. For adversaries like APT41, analysts said, such access is more valuable than short-term disruption: it provides leverage in negotiations and insights into political decision-making.

Earlier this year, hackers impersonated Secretary of State Marco Rubio using AI-generated content, while phishing attempts targeted White House staff, including Chief of Staff Susie Wiles, the Journal reported. Together, these incidents point to an intensifying focus on U.S. political leadership and policy processes.

The attempt to compromise U.S. trade stakeholders shows how cyber operations increasingly run parallel to geopolitical negotiations. Experts said that while military maneuvers often capture headlines, cyber espionage has become a quieter but equally potent front. As tensions over technology, tariffs, and national security continue to define U.S.-China relations, espionage campaigns exploiting trust, urgency, and political credibility are likely to remain central to Beijing’s toolkit.
- Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage by Mihir Bagwe on September 5, 2025 at 8:26 am
Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focused on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia.

The alert, published this week by the National Cyber and Information Security Agency (NÚKIB), cites ongoing risks to government systems, energy providers, telecoms, and other critical infrastructure operators. While NÚKIB did not name specific incidents in its bulletin, the agency said that “selected foreign states” were increasingly engaged in long-term campaigns designed to compromise strategic sectors, exfiltrate sensitive information, and undermine public trust.

The Core Threat Assessment

NÚKIB has classified the threat as “High – likely to very likely,” encompassing two primary concerns: data transfers to the People’s Republic of China (PRC) and its Special Administrative Regions (Hong Kong and Macau), and remote administration of technical assets from these territories. This assessment applies to all entities regulated under Czech cybersecurity legislation, including critical infrastructure operators. The agency’s decision to issue this warning stems from what it describes as “facts established during the exercise of its powers, supplemented by unclassified and classified information obtained from domestic and foreign partners.”

At the heart of NÚKIB’s warning lies a detailed analysis of China’s legal environment, which the agency argues fundamentally compromises data security. The assessment identifies several problematic regulations:

National Security Framework: The 2015 National Security Law imposes broad obligations on Chinese citizens and organizations to assist state authorities in matters of national security. More significantly, the 2017 National Intelligence Law requires “every citizen and organisation” to support intelligence activities and maintain confidentiality.

Corporate Control Mechanisms: The 2013 Company Law mandates Communist Party of China (CPC) organizations within companies, effectively allowing party influence over corporate operations. This creates a direct channel for state interference in nominally private enterprises.

Vulnerability Reporting Requirements: 2021 regulations require technology manufacturers to report security vulnerabilities to the Ministry of Industry and IT within two days, with subsequent reporting to the Ministry of State Security. Crucially, manufacturers are prohibited from disclosing these vulnerabilities to foreign organizations.

The Counter-Espionage Law, particularly following its 2023 amendment, expands espionage definitions to encompass virtually any documents or data deemed related to national security by Chinese authorities. This creates an environment where state access to private data is not only legal but mandated.

Special Administrative Regions Mean Extended Reach

NÚKIB’s analysis extends to Hong Kong and Macau, territories that maintain economic autonomy while remaining under Chinese sovereignty. The agency identifies concerning legislation in both regions. The 2024 Safeguarding National Security Ordinance integrates China’s national security framework into Hong Kong’s legal system, creating vague definitions of “state secrets” that could encompass economic, social, technological, or scientific activities. In Macau, the 2019 Cybersecurity Law grants the Cybersecurity Incident Alert and Response Center (CARIC) authority to conduct real-time monitoring of critical infrastructure data transmissions, with no supervisory mechanism to prevent abuse.

Attribution and Active Threats

The warning gains particular weight from recent attribution activities. In May, the Czech government publicly attributed cyberattacks against its Ministry of Foreign Affairs to APT31, a group associated with China’s Ministry of State Security. This campaign, active since 2022, targeted critical infrastructure and demonstrated sophisticated, persistent capabilities. The Czech government “strongly condemns this malicious cyber campaign against its critical infrastructure” and noted that “such behavior undermines the credibility of the People’s Republic of China and contradicts its public declarations.”

This attribution wasn’t conducted in isolation. NÚKIB worked alongside the Security Information Service, Military Intelligence, and the Office for Foreign Relations and Information to achieve what they describe as “a high degree of certainty about the responsible actor.”

The Czech warning aligns with broader international concerns about Chinese technology risks. NÚKIB notes that Italy, Germany, the Netherlands, and Australia have taken measures regarding specific Chinese products and services, while the Five Eyes intelligence alliance has issued advisories about Chinese cyber espionage groups.

Also read: Six Australian MPs Confirm They Were Targeted by China’s APT31 Hackers

The agency specifically references a 2021 European Data Protection Board study concluding that Chinese laws allow “broad access by PRC state authorities to data without sufficient independent oversight,” fundamentally contradicting GDPR principles of transparency, proportionality, and legal protection.

Critical Infrastructure Implications

The warning carries particular significance for critical infrastructure operators. NÚKIB emphasizes that disruption of availability, confidentiality, or integrity of backbone systems “could potentially have a significant impact on many people in the territory of the Czech Republic.” The agency identifies specific technology categories of concern: personal devices (smartphones, watches, electric vehicles), cloud services, photovoltaic inverters, IP cameras, health technology, and smart meters.

A Pattern of Firm Stances

The warning follows a series of steps by the Czech government to push back against foreign digital influence. Earlier this year, Prague moved to restrict the use of Chinese-developed AI platforms such as DeepSeek, citing risks of data exfiltration and systemic manipulation. The Ministry of Foreign Affairs said at the time that trust in the country’s digital infrastructure was “not compatible with applications subject to extraterritorial control by foreign powers.”

This builds on years of concern over technology supply chains. Czechia was one of the first EU members to limit Huawei and ZTE equipment in its 5G rollout, a decision backed by NÚKIB in 2018 that placed it firmly in the transatlantic camp on telecom security. The latest warning suggests the government is prepared to extend that logic into AI systems and cloud-based platforms as well.

The warning reflects evolving geopolitical realities. NÚKIB notes that China’s support for Russia in the Ukraine conflict has intensified its interest in European affairs, manifesting in increased cyber espionage activities. The agency cites intelligence assessments showing Chinese actors targeting Czech state institutions with increasingly sophisticated spear-phishing attacks. The Security Information Service has repeatedly emphasized technological dependence on China as a strategic vulnerability, particularly given China’s “autocratic regime with global ambitions to create an effective counterbalance to the G7 countries.”
- Not Larger Telecommunications, But Smaller Dutch ISPs Also Targeted in Broader Salt Typhoon Campaign by Mihir Bagwe on August 29, 2025 at 1:51 pm
China-linked espionage actor Salt Typhoon is again in the news, but this time not for targeting large telecommunications giants; instead, it is smaller internet service and hosting providers in the Netherlands.

The Dutch intelligence service on Thursday said that the country “didn’t receive the same level of attention from the Salt Typhoon hackers as those in the U.S.,” but it “can now corroborate some of the findings of the U.S. investigation with independent intelligence.”

The Dutch MIVD and AIVD (General Intelligence and Security Service) said, “The Chinese hacker group had access to routers belonging to the Dutch targets. As far as we know, the hackers did not penetrate any further into their internal networks.”

No information on the number of routers accessed or which sectors were targeted was provided, but the authorities said, “(It) did observe targets in the Netherlands. These were not large telecommunications providers, but smaller internet service and hosting providers.”

“The MIVD and the AIVD have been warning for some time about the growing Chinese cyber threat,” the authorities said. “These activities have become so sophisticated that continuous effort and attention are required to promptly detect and mitigate cyber operations against Dutch interests. This can reduce risks, but not eliminate them entirely. This poses a major challenge to Dutch resilience.”

The MIVD, AIVD, and the National Cyber Security Centre (NCSC) have previously shared threat intelligence with targets and other relevant audiences, whenever possible.

Salt Typhoon Campaign’s Roots

This announcement came on the heels of a multi-nation joint advisory released a day before that warned of China-linked threat groups Salt Typhoon and GhostEmperor’s targeting of critical infrastructure networks around the world in a persistent campaign of cyber espionage.

Read: Chinese State Hackers Target Global Critical Infrastructure, NSA Warns

These operations have been traced to three China-based companies: Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd., which allegedly act as a front for the Chinese Ministry of State Security and the People’s Liberation Army.

Salt Typhoon’s wider operation net first came to light late last year when several U.S. telecom companies reported hacks and wiretapping of key figures in the presidential elections. In an official hearing earlier this year, the chairman of the Senate Intelligence Committee said evicting these intruders will require replacing “thousands and thousands and thousands” of network devices.

Read: China Attack on U.S. Telecom Networks: “Thousands and Thousands” of Devices Need to Be Replaced

The Salt Typhoon-tied breach of U.S. telecom networks lasted for more than a year in some cases, and while only 150 victims were notified at the time, the total could eventually number in the “millions,” experts had warned. Warner, a former telecom venture capitalist, called the breaches the “worst telecom hack” in the nation’s history, by far.
- China-Linked Espionage Campaign Hijacks Web Traffic to Target Diplomats by Mihir Bagwe on August 26, 2025 at 9:32 am
Google’s Threat Intelligence Group has uncovered a cyber espionage campaign by a PRC-linked threat actor, which it tracks as UNC6384, using captive portals and adversary-in-the-middle tactics to target diplomats across Southeast Asia.

Captive portals are the type of sign-in pages familiar to anyone who has logged into hotel Wi-Fi. Instead of leading to a legitimate login, these portals mimicked VPN services or software update pages to deceive victims. Once a victim visited, they were served a digitally signed downloader tracked as STATICPLUGIN, which in turn deployed SOGU.SEC, a variant of the notorious PlugX backdoor.

PlugX has long been associated with the Chinese state-backed intrusion playbook. But this latest variant was delivered through updated tradecraft designed to avoid detection.

Technical Details

  - Delivery Mechanism: The malware was signed with a legitimate digital certificate, allowing it to bypass endpoint defenses.
  - Execution Techniques: UNC6384 used indirect execution and adversary-in-the-middle (AitM) techniques to blend with normal traffic and avoid signature-based detection.
  - Data Collection: Once inside, SOGU.SEC enabled lateral movement, file exfiltration, and ongoing surveillance of sensitive diplomatic systems.
  - Infrastructure: The group operated attacker-controlled redirectors, which intercepted traffic and funneled it through malicious portals.

Attack Chain (Image Credit: Google Threat Intelligence Group)

Google said it notified the compromised organizations via government-backed alerts and shared malicious domains and file hashes, which were also added to its Safe Browsing feature.

Why Diplomats?

UNC6384’s targeting of diplomats reveals the geopolitical underpinnings of the campaign. The group zeroed in on government agencies, embassies and foreign service workers operating in Southeast Asia, an area where China has pressing economic and strategic interests.

Unlike ransomware or financially motivated operations, this activity reflects the calculated objectives of a nation-state adversary. Diplomats are high-value strategic targets. By embedding themselves in their systems, attackers can gain insight into negotiations, policy positions, and alliances.

According to recent analysis, Chinese APT groups are increasingly focusing on strategic pre-positioning in critical infrastructure and supply chains, often leveraging edge devices, software frameworks with minimal endpoint defenses, and “living-off-the-land” techniques to ensure persistence and stealth.

Also read: “UNC3886 is Attacking Our Critical Infrastructure Right Now”: Singapore’s National Security Lawmaker
- Russia’s FSB-Linked Hackers Targeting Cisco Network Gear Used in Critical Infrastructure by Mihir Bagwe on August 21, 2025 at 7:14 am
How often do you hear people talking about issues of legacy systemsâespecially in critical infrastructure environments? Here’s another example of how deeply rooted this issue isâlegacy Cisco router infrastructure remains a Russian intelligence vault. A new alert from the FBI and a detailed analysis from Cisco Talos reveal how a decade-old vulnerability, tracked as CVE-2018-0171, in Ciscoâs Smart Install feature continues to fuel state-level espionage campaigns against critical infrastructure. A Legacy Weakness with Persistent Danger CISA flagged this vulnerability back in 2018, warning that Russian state-sponsored actors had exploited Ciscoâs Smart Install and unencrypted management protocols like SNMP and Telnet to harvest network configurations, inject firmware, and control routers for intelligence collection and lateral exploitation. That advisory revealed how unsecured GRE tunnels, SNMP, and TFTP were easy pathways for attackers to extract configuration files and password hashes from enterprise and SOHO devices. This compromised network infrastructure could be weaponized for traffic interception or even destructive operations, CISA had warned, at the time. Fast forward to the latest advisory and these are no longer just theoretical risks. The tools and techniques of SNMP abuse, misconfigured routers, use of TFTP over UDP, still enable attackers to extract device configurations, carve network maps and enact persistent access with minimal visibility. Also read: Urgent: CISA Flags Cisco Device Risks, Weak Passwords a Major Threat Static Tundra’s Stealthy Campaign, Decade in the Making Cisco Talos has now dubbed the threat actor exploiting this weakness as Static Tundra, a Russian-linked espionage group likely tied to FSBâs Center 16, also known as Energetic Bear. 
Talos assesses with high confidence that Static Tundra has spent years infiltrating unpatched or end-of-life Cisco network devices, particularly those with Smart Install enabled, and has done so across telecoms, higher education institutes and manufacturing on multiple continents. Their techniques include:

- Exploiting CVE-2018-0171 to inject a TFTP-based fallback and retrieve startup configurations.
- Abusing SNMP, occasionally via spoofed source addresses, to retrieve credentials and enable remote access.
- Deploying the notorious SYNful Knock firmware implant to maintain stealth and resilience through reboots.
- Leveraging GRE tunnels and NetFlow collection to quietly exfiltrate traffic and intelligible metadata.

Talos notes the group operates with precision, picking targets aligned with shifting geopolitical priorities, particularly during the Ukraine conflict escalation. What’s more worrying is that the researchers observed that many compromised devices remain infected because organizations still fail to patch or disable the Smart Install feature, despite patches being available since 2018.

Real-World Risk Across Sectors and Borders

The combined findings show that the threat persists because of structural neglect. Unpatched firmware, enabled legacy features, and unmanaged network gear are the primary reasons. While CISA’s 2018 warning outlined the risk, Talos confirms that attackers continue to harvest sensitive configuration data, creating long-term espionage footholds. Sophisticated threat actors controlling key network infrastructure can manipulate traffic flows, enable command-and-control for hidden implants, and pivot laterally, transforming compromised routers into control hubs for broader attacks, cyber experts warned.

A Non-Negotiable Security Imperative

The risk, as we said earlier, isn’t hypothetical anymore. It’s ongoing and systemic.
Here are some foundational steps every enterprise and critical infrastructure network must take, as per Talos researchers:

- Patch or disable Smart Install immediately: CVE-2018-0171 remains widely exploitable.
- Encrypt management channels, disable legacy protocols, and harden SNMP and AAA policies.
- Profile router behavior via NetFlow, log monitoring, and IDS signature deployment.
- Maintain accurate device inventories and restrict remote access to critical appliances.

Static Tundra’s campaigns make clear that network devices are not passive infrastructure. They are prime asymmetric targets. The vulnerability in Smart Install isn’t new, but the threat remains potent. Critical infrastructure operators need to harden network gear, build detection-first strategies, and elevate device security to a boardroom-level concern.
- Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs by Mihir Bagwe on June 23, 2025 at 12:19 pm
Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. Ukraine’s national Computer Emergency Response Team has linked a recent cyberattack campaign against the information and communication system (ICS) of a government entity to UAC-0001, also known as APT28 or Fancy Bear, the infamous hacking group believed to be operated by Russia’s GRU military intelligence service.

Also read: Russian GRU Is Hacking IP Cameras and Logistics Firms to Spy on Aid Deliveries from Western Allies to Ukraine

In an investigation conducted between March and May 2024, cybersecurity responders uncovered two previously unseen malware strains, BEARDSHELL and SLIMAGENT, lurking inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled “Act.doc” and sent via the encrypted messaging app Signal. While the initial infection vector wasn’t immediately clear, analysts later discovered the malware reached its target using a macro-laced Word document that installed multiple payloads, each designed to fly under the radar, exploit trusted services, and maintain persistence through registry hijacking and scheduled tasks.

How the Intrusion Worked Against Ukrainian Government Systems

The attackers disguised their malware inside a seemingly benign Word file delivered over Signal.

Sample of communication with an attacker in Signal (Source: CERT-UA)

If a user enabled macros, the document executed code that placed two files on the system and set up a COM-hijacking registry entry that hijacked explorer.exe to silently launch a malicious DLL. That DLL then decrypted another file (windows.png) containing shellcode that finally triggered the launch of the COVENANT malware framework, all without dropping anything directly visible to the user.
COVENANT, a .NET-based red team tool popular in the post-exploitation phase of cyberattacks, was used here to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav), which contained encoded instructions to ultimately launch BEARDSHELL, a custom-built backdoor. Persistence? Also covered. BEARDSHELL maintained access through a separate registry entry tied to a scheduled task under Microsoft’s SystemSoundsService. Classic APT28.

What Do BEARDSHELL and SLIMAGENT Actually Do?

Both malware tools were written in C++ and designed for stealth and data collection:

- BEARDSHELL connects to the attacker using the API of Icedrive, a legitimate cloud storage provider, allowing the malware to receive encrypted PowerShell scripts and exfiltrate data without triggering traditional security tools. Each infected system gets its own directory, named using a unique hash derived from hardware and system identifiers.
- SLIMAGENT takes periodic screenshots and encrypts them using AES + RSA, saving them locally in a time-stamped format. It’s the visual spy in the room, quietly recording the screen without alerting the user.

What’s particularly clever, and dangerous, about both tools is their use of legitimate services (Koofr and Icedrive) as command-and-control (C2) infrastructure. This means they avoid sketchy IP addresses and domains, making traditional threat intel blacklists nearly useless.

Why It Matters

This latest campaign isn’t just another cyberattack; it’s part of an escalating pattern of hybrid warfare tactics employed by Russia since the start of its war in Ukraine. APT28, which has been tied to the DNC email leaks in 2016, Olympic Destroyer in 2018, and countless attacks on NATO and EU institutions, is one of the Kremlin’s most active cyber units.

Also read: ‘I’m not a Robot’ reCAPTCHA Trojanized by Russian Hackers to Target Local Ukrainian Government

Their tactics have evolved.
Instead of brute-forcing their way into systems, they now leverage phishing documents, encrypted messaging apps like Signal for payload delivery, and trusted APIs for communication. And they’re still targeting the same kind of critical government infrastructure they’ve always sought to undermine. According to CERT-UA, the malware was identified inside a central government executive body’s information systems, a clear sign that the group is targeting the upper echelons of Ukraine’s state apparatus.

Defense, Detection, and the Cloud API Problem

CERT-UA is urging security teams, particularly within governments and critical infrastructure, to closely monitor traffic to app.koofr.net and api.icedrive.net, as these are being used as C2 endpoints. The advisory also noted that the success of the attack hinged on:

- Users enabling macros in Office documents
- Host security tools failing to monitor Signal-based delivery
- The abuse of trusted services like Icedrive and Koofr as “invisible” control channels

It’s another wake-up call: endpoint defenses can’t rely on static indicators. Malware is now using your everyday apps, cloud platforms, and registry entries to hide in plain sight.

The Bigger Picture

APT28 has always stayed ahead of the curve, and this campaign is no exception. By chaining together macro payloads, registry hijacking, cloud C2, and multi-stage execution, the group isn’t just adapting. It’s evolving. And while these attacks may seem targeted at Ukraine, the tactics, techniques, and procedures (TTPs) on display should concern every government and enterprise organization in the West. Because if a Word doc, a PNG, and a WAV file can bypass your defenses, what else is already lurking inside?
- Russian GRU Is Hacking IP Cameras and Logistics Firms to Spy on Aid Deliveries from Western Allies to Ukraine by Mihir Bagwe on May 21, 2025 at 4:56 pm
In a joint cybersecurity advisory issued today, U.S. and allied intelligence agencies confirmed what many threat analysts have long suspected: the Russian GRU military intelligence agency is systematically targeting the digital backbone of logistics and transportation providers across Europe and North America. The campaign, detailed in a 25-page report from the NSA, FBI, CISA, and partners from 10 countries, including the U.K., Australia, and Germany, spotlights a coordinated cyber espionage effort by GRU’s Unit 26165, more widely recognized in the threat intel world as APT28, Fancy Bear, or Forest Blizzard. Targets at the center of the campaign were freight operators, rail networks, air traffic systems, and cloud tech vendors: anyone with a role in getting military and humanitarian aid to Ukraine. Targets have included organizations in 14 countries, including IP cameras in Hungary, a Russian ally.

Russian GRU Campaign Not Just Malware – Surveillance Too

What stands out in the report is the scale and creativity of the GRU’s tactics. The hackers aren’t just hijacking email servers or pushing trojans. They’re hacking into IP cameras too, 10,000 of them, to be exact, mostly around Ukrainian borders, using weak credentials and exposed RTSP services to turn physical surveillance into digital eyes on the ground.

List of countries where IP cameras were targeted. (Source: defense.gov)

In parallel, GRU operators launched targeted intrusions on shipping and logistics companies, exploiting familiar weaknesses like unpatched Exchange servers, WinRAR bugs (CVE-2023-38831), and Outlook NTLM leaks (CVE-2023-23397). The aim was stealing shipment manifests, routing info, and sensitive business data that could tip off troop or equipment movement. The combination of shipping data theft and compromised video feeds likely gives attackers real-time visibility into what’s moving, where, and when. It’s tactical intelligence collection at enterprise scale.
The GRU Malware Stack

The HEADLACE backdoor, first reported by IBM X-Force during the Israel-Hamas conflict, was found embedded in malicious shortcut files. Once activated, it initiated headless browser sessions to exfiltrate stolen data, clear logs, and maintain access.

Also read: Russian Hacker Group APT28 Launches HeadLace Malware via Fake Car Ads to Target Diplomats

MASEPIE, a Python-based backdoor, offered remote shell access, file transfers, and command execution capabilities, often disguised as routine background processes. Another tool, STEELHOOK, enabled credential harvesting from browsers like Chrome and Edge by decrypting stored passwords using PowerShell-based techniques. The actors also employed LOLBins, legitimate system tools like ntdsutil, wevtutil, and ADExplorer, to evade detection and live off the land. In one case, GRU hackers gained control of an ICS vendor’s email platform, then pivoted to compromise customers in the railway sector. In another, they used stolen credentials and MFA fatigue techniques to access VPN infrastructure at a shipping company.

What the Russian GRU Wants

This isn’t a smash-and-grab ransomware operation. It’s long-term surveillance: the kind of campaign that’s designed to persist, quietly gather intelligence, and interfere only when necessary. And while the report doesn’t explicitly name any targets by company, the industries hit hardest (logistics, transportation, and defense-adjacent vendors) are the same ones that move military hardware, humanitarian supplies, and critical infrastructure parts into conflict zones. The big concern? These compromised networks could give Russia a battlefield edge: intercepting aid, sabotaging supply lines, or simply watching to see how the West moves.
How Companies Should Respond

The advisory includes a laundry list of technical mitigations, including:

- Blocking known C2 infrastructure
- Hardening VPN and email access
- Reconfiguring exposed IP cameras
- Patching known exploited vulnerabilities (especially in Outlook, Exchange, and WinRAR)
- Monitoring PowerShell use and system tool abuse

But there’s also a broader message: if you’re in the logistics or defense supply chain, and especially if you support Ukraine, even indirectly, you’re already a target. Organizations in these sectors should assume compromise and act accordingly, the advisory suggests.

The Big Picture

Russia’s digital playbook in Ukraine is evolving. While early campaigns relied on headline-grabbing wipers and power grid attacks, the new frontier is far more strategic, and far more subtle. What we’re seeing now is cyberwar as surveillance: fewer fireworks, more cameras. The GRU isn’t just breaking things; it’s watching, learning, and waiting. And for companies moving cargo or manufacturing gear with ties to conflict zones, that means cybersecurity is no longer just a compliance issue. It’s operational security. It’s national security.
- Türkiye-linked Hackers Exploit Output Messenger Zero-Day in Targeted Espionage Campaign by Mihir Bagwe on May 12, 2025 at 6:39 pm
When a zero-day flaw surfaces in an enterprise tool that no one talks about publicly, it’s tempting to write it off as niche. But Marbled Dust’s recent campaign exploiting CVE-2025-27920 in Output Messenger is anything but. Microsoft Threat Intelligence has linked a string of targeted cyberattacks to Marbled Dust, a Türkiye-affiliated threat actor, using a previously unknown vulnerability in Output Messenger, a self-hosted enterprise chat app. The campaign, ongoing since April 2024, targeted Kurdish military-linked users in Iraq and reflects a growing shift in how regionally motivated cyber-espionage unfolds.

Output Messenger: The Tool You Didn’t Expect to Matter

Output Messenger isn’t WhatsApp or Slack. It’s a low-profile, multiplatform chat tool often used by organizations looking for on-prem communication. That makes it a perfect blind spot: not widely scrutinized, but widely trusted within internal networks. Marbled Dust saw the opportunity and pounced. The attackers used CVE-2025-27920, a directory traversal flaw in Output Messenger Server Manager, to plant malicious scripts in the startup folder. From there, they executed a stealthy multi-stage backdoor deployment, with exfiltration domains and C2 infrastructure cleverly masked under seemingly benign domains like api.wordinfos[.]com. Microsoft credits Srimax, Output Messenger’s vendor, for releasing timely patches (v2.0.62+), but many organizations are still unpatched. That’s where Marbled Dust gets its access.

Inside the Marbled Dust Attack Chain

The campaign starts with Marbled Dust gaining authenticated access to Output Messenger’s Server Manager. Microsoft isn’t entirely sure how those credentials are initially harvested, but suspects DNS hijacking and typo-squatted login portals, tactics the group has used before.

Marbled Dust Attack Chain (Source: Microsoft Threat Intelligence)

Once in, the threat actor uploads a malicious VBS file to the Windows startup folder, exploiting the directory traversal bug.
This script launches OMServerService.exe, a GoLang backdoor disguised as a legitimate service file. GoLang offers a bonus: platform agnosticism and fewer signature-based detections. The backdoor connects to Marbled Dust’s C2 domain, checks connectivity, sends host data, and then executes further commands based on what the attacker sends back. In one case, a victim’s device was seen uploading sensitive files packaged in a RAR archive using PuTTY’s command-line client, plink.exe, as the data exfiltration vehicle. On the client side, users who downloaded infected Output Messenger installers got more than they expected. The installer bundled the legitimate OutputMessenger.exe with a secondary payload, OMClientService.exe, another GoLang backdoor pinging the same C2 endpoint.

Who Is Marbled Dust?

Microsoft links Marbled Dust to past DNS hijacking and credential-harvesting campaigns. The group overlaps with activity known as Sea Turtle (APT) and UNC1326, and has been observed targeting organizations with interests adverse to Ankara’s. Their focus areas include the Middle East and Europe, with recent emphasis on telecom and government sectors. This campaign signals a shift. While earlier Marbled Dust activity relied on known vulnerabilities, the use of a true zero-day suggests either growing internal capabilities or increased urgency in their operational objectives.

Why The Output Messenger Exploit Matters

This is a lesson in how fringe enterprise tools can become high-value targets. While most security teams are busy patching the usual suspects (Office macros, web proxies, VPNs), tools like Output Messenger quietly hum along in the background, until someone like Marbled Dust takes interest. And let’s be clear: this isn’t a commodity threat. It’s regional espionage with carefully picked targets and minimal noise. The entire campaign operated with precision, focused on credential theft, internal surveillance, and quiet access, not ransomware or mass disruption.
What You Should Do Now

Microsoft urges immediate patching of Output Messenger to versions 2.0.62 (server) and 2.0.63 (client). Organizations using this app should:

- Audit all current installations for signs of the exploit (look for unusual VBS and EXE files in startup directories)
- Monitor outbound connections to api.wordinfos[.]com
- Check for unauthorized use of plink.exe or outbound SSH sessions
- Isolate any systems communicating with suspicious C2 infrastructure

Marbled Dust’s campaign isn’t about splashy headlines. It’s quiet, focused, and a warning shot to organizations using obscure enterprise software without hardening it. Zero-days don’t just live in browsers and VPNs anymore. They live in your internal chat apps, your ticketing systems, the software you forgot to watch. And attackers? They’re watching all of it.
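A defender-side check covering the network indicators named in two of the stories above (app.koofr.net and api.icedrive.net from the CERT-UA advisory, api.wordinfos[.]com from Microsoft's Marbled Dust report). This is an added example, not code from either advisory or from this site: it normalises defanged indicators and flags outbound log entries to those hosts or their subdomains. The log format and the sample lines are constructed here.

```python
"""Flag outbound proxy/DNS log entries that reach C2 hostnames named in the
CERT-UA (Koofr/Icedrive) and Microsoft (Marbled Dust) advisories.

Added example for this page. The log format and sample lines are
constructed assumptions, not data from either advisory."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Hostnames quoted in the advisories. The Microsoft indicator is written
# defanged ("[.]") exactly as it appears in the text, so it must be normalised.
RAW_INDICATORS = ["app.koofr.net", "api.icedrive.net", "api.wordinfos[.]com"]


def refang(host: str) -> str:
    """Turn defanged notation such as api.wordinfos[.]com into a real hostname."""
    return host.replace("[.]", ".").replace("(.)", ".").strip().lower()


INDICATORS: Set[str] = {refang(h) for h in RAW_INDICATORS}

# Constructed log format (assumption): "<timestamp> <src_ip> <dst_host> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")


def host_matches(host: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator if host equals it or is a subdomain of it.

    Matching on a dot boundary keeps other hosts of the same provider
    (e.g. www.icedrive.net) out of the hit list; widen deliberately if needed."""
    host = host.lower().rstrip(".")  # case-fold and drop a trailing FQDN dot
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines: Iterable[str], indicators: Set[str] = INDICATORS) -> List[Dict]:
    """Parse each log line and collect the entries that hit an indicator."""
    hits: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        ioc = host_matches(m["host"], indicators)
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"],
                         "indicator": ioc, "bytes_out": int(m["bytes"])})
    return hits


def summarize(hits: List[Dict]) -> Dict[str, int]:
    """Total bytes sent per source IP to indicator hosts (an exfiltration volume hint)."""
    totals: Dict[str, int] = {}
    for h in hits:
        totals[h["src"]] = totals.get(h["src"], 0) + h["bytes_out"]
    return totals


# Constructed sample lines (not real traffic): two benign, three suspicious.
SAMPLE_LOG = """\
2025-06-23T10:00:01Z 10.1.2.3 update.microsoft.com 512
2025-06-23T10:00:05Z 10.1.2.3 API.ICEDRIVE.NET. 20480
2025-06-23T10:00:09Z 10.1.2.7 app.koofr.net 4096
2025-06-23T10:00:12Z 10.1.2.9 cdn.api.wordinfos.com 131072
2025-06-23T10:00:15Z 10.1.2.3 www.icedrive.net 300
""".splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['host']} matches {h['indicator']} ({h['bytes_out']} B)")
    print(summarize(scan_log(SAMPLE_LOG)))
```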