Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Espionage Campaign. Show all posts
MgBot malware
China-linked APT Cyber Attacks Cyber Espionage Campaign DNS poisoning attack Evasive Panda MgBot malware

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign

 

Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed—demonstrating the group’s continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024.

The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource”

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence.

If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com. System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe—an outdated Python binary—to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers’ persistence, operational maturity, and access to substantial resources.

The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems.”

“Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”
Read more »
Malwares
cyber espionage Cyber Espionage Campaign Cyberattacks cybersecurity risks Iran Iranian malware Malware Attack Malwares

Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces

 

Security researchers have identified renewed cyber activity linked to an Iranian threat actor known as Infy, also referred to as Prince of Persia, marking the group’s re-emergence nearly five years after its last widely reported operations in Europe and the Middle East. According to SafeBreach, the scale and persistence of the group’s recent campaigns suggest it remains an active and capable advanced persistent threat. 

Infy is considered one of the longest-operating APT groups, with its origins traced back to at least 2004. Despite this longevity, it has largely avoided the spotlight compared with other Iranian-linked groups such as Charming Kitten or MuddyWater. Earlier research attributed Infy’s attacks to a relatively focused toolkit built around two primary malware families: Foudre, a downloader and reconnaissance tool, and Tonnerre, a secondary implant used for deeper system compromise and data exfiltration. These tools are believed to be distributed primarily through phishing campaigns. 

Recent analysis from SafeBreach reveals a previously undocumented campaign targeting organizations and individuals across multiple regions, including Iran, Iraq, Turkey, India, Canada, and parts of Europe. The operation relies on updated versions of both Foudre and Tonnerre, with the most recent Tonnerre variant observed in September 2025. Researchers noted changes in initial infection methods, with attackers shifting away from traditional malicious macros toward embedding executables directly within Microsoft Excel documents to initiate malware deployment. 

One of the most distinctive aspects of Infy’s current operations is its resilient command-and-control infrastructure. The malware employs a domain generation algorithm to rotate C2 domains regularly, reducing the likelihood of takedowns. Each domain is authenticated using an RSA-based verification process, ensuring that compromised systems only communicate with attacker-approved servers. SafeBreach researchers observed that the malware retrieves encrypted signature files daily to validate the legitimacy of its C2 endpoints.

Further inspection of the group’s infrastructure uncovered structured directories used for domain verification, logging communications, and storing exfiltrated data. Evidence also suggests the presence of mechanisms designed to support malware updates, indicating ongoing development and maintenance of the toolset. 

The latest version of Tonnerre introduces another notable feature by integrating Telegram as part of its control framework. The malware is capable of interacting with a specific Telegram group through its C2 servers, allowing operators to issue commands and collect stolen data. Access to this functionality appears to be selectively enabled for certain victims, reinforcing the targeted nature of the campaign. 

SafeBreach researchers also identified multiple legacy malware variants associated with Infy’s earlier operations between 2017 and 2020, highlighting a pattern of continuous experimentation and adaptation. Contrary to assumptions that the group had gone dormant after 2022, the new findings indicate sustained activity and operational maturity over the past several years. 

The disclosure coincides with broader research into Iranian cyber operations, including analysis suggesting that some threat groups operate with structured workflows resembling formal government departments. Together, these findings reinforce concerns that Infy remains a persistent espionage threat with evolving technical capabilities and a long-term strategic focus.
Read more »
Technology
Anthropic Artificial Intelligence Claude AI risk Cyber Espionage Campaign Technology

Chinese-Linked Hackers Exploit Claude AI to Run Automated Attacks

 




Anthropic has revealed a major security incident that marks what the company describes as the first large-scale cyber espionage operation driven primarily by an AI system rather than human operators. During the last half of September, a state-aligned Chinese threat group referred to as GTG-1002 used Anthropic’s Claude Code model to automate almost every stage of its hacking activities against thirty organizations across several sectors.

Anthropic investigators say the attackers reached an attack speed that would be impossible for a human team to sustain. Claude was processing thousands of individual actions every second while supporting several intrusions at the same time. According to Anthropic’s defenders, this was the first time they had seen an AI execute a complete attack cycle with minimal human intervention.


How the Operators Gained Control of the AI

The attackers were able to bypass Claude’s safety training using deceptive prompts. They pretended to be cybersecurity teams performing authorized penetration testing. By framing the interaction as legitimate and defensive, they persuaded the model to generate responses and perform actions it would normally reject.

GTG-1002 built a custom orchestration setup that connected Claude Code with the Model Context Protocol. This structure allowed them to break large, multi-step attacks into smaller tasks such as scanning a server, validating a set of credentials, pulling data from a database, or attempting to move to another machine. Each of these tasks looked harmless on its own. Because Claude only saw limited context at a time, it could not detect the larger malicious pattern.

This approach let the threat actors run the campaign for a sustained period before Anthropic’s internal monitoring systems identified unusual behavior.


Extensive Autonomy During the Intrusions

During reconnaissance, Claude carried out browser-driven infrastructure mapping, reviewed authentication systems, and identified potential weaknesses across multiple targets at once. It kept distinct operational environments for each attack in progress, allowing it to run parallel operations independently.

In one confirmed breach, the AI identified internal services, mapped how different systems connected across several IP ranges, and highlighted sensitive assets such as workflow systems and databases. Similar deep enumeration took place across other victims, with Claude cataloging hundreds of services on its own.

Exploitation was also largely automated. Claude created tailored payloads for discovered vulnerabilities, performed tests using remote access interfaces, and interpreted system responses to confirm whether an exploit succeeded. Human operators only stepped in to authorize major changes, such as shifting from scanning to active exploitation or approving use of stolen credentials.

Once inside networks, Claude collected authentication data systematically, verified which credentials worked with which services, and identified privilege levels. In several incidents, the AI logged into databases, explored table structures, extracted user account information, retrieved password hashes, created unauthorized accounts for persistence, downloaded full datasets, sorted them by sensitivity, and prepared intelligence summaries. Human oversight during these stages reportedly required only five to twenty minutes before final data exfiltration was cleared.


Operational Weaknesses

Despite its capabilities, Claude sometimes misinterpreted results. It occasionally overstated discoveries or produced information that was inaccurate, including reporting credentials that did not function or describing public information as sensitive. These inaccuracies required human review, preventing complete automation.


Anthropic’s Actions After Detection

Once the activity was detected, Anthropic conducted a ten-day investigation, removed related accounts, notified impacted organizations, and worked with authorities. The company strengthened its detection systems, expanded its cyber-focused classifiers, developed new investigative tools, and began testing early warning systems aimed at identifying similar autonomous attack patterns.




Read more »
Wiretaps
Chinese Hackers Cyber Espionage Campaign Data Breach United States Wiretaps

Chinese Hackers Breach US Telco Networks to Access US Court Wiretap Systems

 

A Wall Street Journal report claims that Chinese hackers gained access to systems used for court-authorized wiretaps by breaking into the networks of major US telecommunications companies. 

The breach, which targeted companies such as Verizon Communications, AT&T, and Lumen Technologies, may have allowed the attackers to go unnoticed for months while gathering critical details regarding government requests for communications data. 

The hackers, who are believed to be affiliated with a state-sponsored Chinese group, were able to breach the system that telecom firms use to handle wiretaps authorised by the government. This breach may have given the perpetrators access to sensitive US internet traffic, allowing them to monitor communications under surveillance orders. 

The attack was recently identified, and it is believed that the hackers may have had long-term access to these networks, gathering intelligence. US investigators have dubbed the group responsible for the breach "Salt Typhoon" The incident is part of a larger pattern of cyber espionage actions attributed to Chinese hackers. 

Earlier this year, US law enforcement shut down another significant Chinese hacking campaign known as "Flax Typhoon," a group suspected of widespread cyber-espionage. These operations are believed to be aimed at gathering intelligence for the Chinese government. 

China's denial

The Chinese foreign ministry responded to the charges by rejecting any involvement in the cyber operation. In a statement, they claimed they were unaware of the attack mentioned in the report and accused the US of fabricating a "false narrative" to blame China. 

The ministry also criticised the US for impeding global cybersecurity cooperation and communication, describing the charges as a roadblock to international efforts to confront cybersecurity concerns. Beijing has always refuted all allegations of state-sponsored hacking, including those made by the US government.

In this instance, China's foreign ministry mentioned details provided by their own cybersecurity agency, claiming that "Volt Typhoon," another supposed Beijing-linked gang, was actually the work of a global ransomware organisation.
Read more »
Ransomware
Cyber Attacks Cyber Espionage Campaign Cyberwarfare / Nation-State Attack Ransomware

Chinese-Linked Cyberespionage Groups Now Using Ransomware to Hide Activities

 

Chinese-linked cyberespionage campaigns are increasingly deploying ransomware to either make money, distract their adversaries, or make it harder to attribute their activities, according to researchers from SentinelLabs and Recorded Future. This shift marks a change from the traditional practices of state-backed hackers, who previously avoided using ransomware. 

A report published on Wednesday identified that ransomware attacks in 2022, including those on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), were actually the work of a Chinese-linked cyberespionage group known as ChamelGang or CamoFei. 

By employing ransomware, these cyberespionage groups can obscure their true identity and activities, making it appear as if the attacks were carried out by independent cybercriminals instead of state-sponsored actors. 

"Misattributing cyberespionage as purely financially motivated cybercrime can have strategic repercussions," the researchers noted. This is particularly concerning when ransomware attacks target government or critical infrastructure organizations. 

Ransomware attacks typically lock files and data, with attackers demanding a ransom for decryption. However, sometimes the attackers never decrypt the data, turning the attack into a destructive one. This complicates efforts to restore systems and obscures the true nature of the attack, benefiting cyberespionage groups by erasing traces of their operations. 

In November 2022, Delhi police labeled the AIIMS attack an act of “cyber terrorism,” with anonymous officials attributing it to Chinese hackers. Despite these allegations, the Chinese Embassy in Washington, D.C., denied involvement, emphasizing the complexity of tracing cyberattacks and the need for substantial evidence. 

The report comes amid growing concerns from U.S. officials about aggressive Chinese cyber activities, such as Volt Typhoon, which are designed to influence U.S. decision-making in the event of a conflict. While Chinese cyber operations using ransomware is not unprecedented, it reflects a broader trend of state-linked groups, including Russian military intelligence, using disruptive malware to mislead and amplify psychological impacts. 

Ransomware acts as a smoke screen, serving various strategic goals and allowing state-aligned operations to replenish their disruptive tools more quickly. Ben Carr, chief security and trust officer at Halcyon, suggests that this approach allows cyberespionage groups to gather intelligence and simulate more malicious activities, effectively "wargaming" potential future scenarios.
Read more »
Malware Attack
AIVD Chinese Cyber Espionage Campaign Cyber Security Dutch intelligence FortiGate devices Fortnite Malware Attack

Dutch Intelligence Warns of Extensive Chinese Cyber-Espionage Campaign


 

The Dutch Military Intelligence and Security Service (MIVD) has issued a warning about the far-reaching consequences of a Chinese cyber-espionage operation disclosed earlier this year. According to the MIVD, the scale of this campaign is "much larger than previously known," impacting numerous systems across multiple sectors. 

In a joint report with the General Intelligence and Security Service (AIVD) released in February, the MIVD described how Chinese hackers exploited a critical vulnerability in FortiOS/FortiProxy (CVE-2022-42475). This remote code execution flaw was used over several months between 2022 and 2023 to deploy malware on susceptible Fortigate network security devices. During this "zero-day" period, about 14,000 devices were compromised. Targets included various Western governments, international organizations, and many companies within the defense industry. 

The malware, identified as the Coathanger remote access trojan (RAT), was detected on a network used by the Dutch Ministry of Defence for research and development (R&D) of unclassified projects. However, network segmentation prevented the attackers from spreading to other systems. The MIVD highlighted that this previously unknown malware strain could persist through system reboots and firmware upgrades. It was used by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies. 

This persistent access allowed the state actor to maintain control over compromised systems even after security updates were applied. "The exact number of victims with malware installed is unknown," stated the MIVD. "However, the Dutch intelligence services and the NCSC believe that the state actor could potentially expand its access to hundreds of victims worldwide and engage in further actions such as data theft." Since February, the Dutch military intelligence service discovered that the Chinese threat group had accessed at least 20,000 FortiGate systems globally over a span of a few months in 2022 and 2023, beginning at least two months before Fortinet disclosed the vulnerability. 

The Coathanger malware's ability to intercept system calls to avoid detection and its resilience against firmware upgrades make it particularly difficult to remove. Fortinet disclosed in January 2023 that the CVE-2022-42475 vulnerability was exploited as a zero-day to target government organizations and related entities. The MIVD's findings mirror the characteristics of another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) devices with cyber-espionage malware designed to withstand firmware updates. 

The revelations from Dutch intelligence underscore the increasing sophistication and persistence of state-sponsored cyber-espionage campaigns. As cyber threats continue to evolve, the importance of robust cybersecurity measures and vigilant monitoring becomes ever more critical to protect sensitive information and infrastructure from these advanced persistent threats.
Read more »
Ukraine Organization
Cyber Espionage Campaign malware Turla Ukraine Organization

Russian Turla Leveraged Other Hackers' USB-Delivered Malware

 

Russian state-sponsored cyber threat actor Turla victimized a Ukrainian organization in a recent attack. The hackers leveraged legacy Andromeda malware that was executed by other hackers via an infected USB drive, Mandiant reports. 

Turla is active since at least 2006, however, the group came into light in 2008 as the group was behind the agent.btz, a venomous piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by the Pentagon employee who was unaware of the danger. 

Also, the group has been historically associated with the use of the ComRAT malware. After 15 years, the group again came into the spotlight. However, this time the group is trying a new trick that is hijacking the USB infections of other malicious actors to piggyback on their infections to spy on targets.

Legacy Andromeda malware also known as Wauchos or Gamarue which has been active since at least September 2011, is a modular trojan that is capable of checking whether it is being executed or debugged in a virtual environment by using anti-virtual machine techniques. 

In the Turla-suspected operation tracked as UNC4210, at least three expired Andromeda command and control (C&C) domains were used for victim profiling, Mandiant discovered. 

The attack took place in September 2022, however, the Ukrainian organization was infected with a legacy Andromeda sample in December 2021 via an infected USB drive. A malicious LNK file on the drive was used for malware installations. Also, it downloads other malware from its commanding servers in order to steal information from infected computers. The countries that are most affected by the malware are India (24%), Vietnam (12%), and Iran (7%). 

The study on Turla operations has been conducted by Kaspersky, Symantec, and CrySyS Lab in Budapest and they revealed that the threat actors behind the campaign are highly sophisticated in their methods. More than one malicious file is used by the threat actor to accomplish their end goals. 

First, a backdoor mostly known as “Wipbot” and “Tavdig” (also known as “WorldCupSec” or “TadjMakhal”) is designed to collect important data. Then it delivered its main module, which has the ability to execute a variety of commands and exfiltrate data on the targeted system. 

“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities,” Mandiant reported. 

Furthermore, it says that this is the first suspected Turla attack that has targeted Ukrainian organizations after the Russian invasion.
Read more »
Steganography
Cyber Espionage Campaign Malicious Payloads malware PNG Images Steganography

Worok Cyber Espionage Group Employs Malicious PNG Images to Propagate Malware

 

Cybersecurity researchers have unearthed new malware threats manufactured to exploit steganography methodologies. Worok seems to be a complex cyber-espionage operation whose individual stages are still unknown. The campaign's final stage, however, has been identified by two cybersecurity firms.

Worok employs multi-stage malware created to siphon data and target high-profile victims, using steganography ways to conceal parts of the payloads in a plain PNG image file. The new malware was first uncovered by ESET in September. 

The researchers described Worok as a new cyber spying group that employs undocumented tools, including a steganography methodology designed to exfiltrate a malicious payload from a plain PNG image file. 

The cyber espionage group targeted high-profile victims like government agencies, particularly in the Middle East, Southeast Asia, and South Africa. ESET's knowledge of the trouble's attack chain was limited, but the latest report from Avast has provided fresh details regarding this malicious campaign.

According to the Czech security firm, Worok employs a complex multistage design to conceal its activities. The hackers employ sideloading to execute the CLRLoader malware which, in turn, implements the PNGLoader DLL, capable of reading obfuscated code masking in PNG files. 

That code translates to DropBoxControl, a custom .NET C# infostealer that abuses Dropbox file hosting for communication and data theft. The info stealer can support multiple commands, including running cmd /c, launching an executable, downloading and uploading data, deleting and renaming files, capturing file information, spy network communications, and extracting metadata. 

While researchers are still trying to put all the pieces together, the latest report from Avast confirms that Worok is a custom operation manufactured to siphon data, spy, and target high- victims in specific parts of the globe. 

“The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails,” Researchers at AVAST explained. “The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.”
Read more »
Subscribe to: Comments (Atom)