Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber espionage. Show all posts
Transparent Tribe
Advanced Persistent Threat APT36 Command And Control cyber espionage Indian Government Cyber Attacks malware Remote Access Trojan Spear Phishing Transparent Tribe

Transparent Tribe Targets Indian Public Sector and Academic Networks


Several recent cyber espionage campaigns have drawn attention to Transparent Tribe, a long-standing advanced persistent threat group associated with a new wave of intrusions targeting Indian government bodies, academic institutions, and strategically sensitive organizations, which have re-opened the issue of Transparent Tribe. 


According to security researchers, the activity has been attributed to the deployment of a sophisticated remote access trojan that is designed to establish a persistent, covert control over the compromised system, allowing the monitoring and access of data over a period of time. 

In the process of carrying out this operation, it is evident that the execution was carried out with a high degree of social engineering finesse, as it used carefully crafted delivery mechanisms, including a weaponized Windows shortcut file disguised as a legitimate PDF document, filled with authentic-looking content, which reduced suspicion and increased execution rates, according to the technical analysis carried out by CYFIRMA.

APT36 is a name that has been associated with Transparent Tribe in the security community for more than a decade. Transparent Tribe has maintained a consistent focus on Indian targets since the beginning of the 20th century, refining tradecraft and tooling to support the group's goals. In the past few years, the group has steadily added malware to its malware portfolio. 

To adapt to changing defenses while maintaining access to high-value networks, the group has deployed a suite of custom remote access trojans like CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. As the investigation has found, the intrusion chain was initiated by a targeted spear-phishing email that delivered a compressed ZIP archive that contained a Windows shortcut file, crafted to look like a benign PDF document. 

Upon execution, the file silently invokes a remote HTML Application using the native Windows component called mshta.exe, which has been abused numerous times over the years to circumvent security checks. 

To maintain the illusion of legitimacy, a PDF decoy file is also downloaded and opened while the HTA script is decrypted and loaded entirely in memory, minimizing its footprint on the disk. This decoy PDF can be downloaded and opened without triggering the HTA script. 

It has been reported by CYFIRMA that when the malware is able to decode the data, it will make extensive use of ActiveX objects, particularly WScript.Shell, to profile the host environment and manipulate runtime behavior. As a result of this technique, execution reliability and compatibility with the victim system will be improved. 

Furthermore, this campaign's adaptive persistence strategy differs from the rest in that it dynamically adjusts itself in accordance with the endpoint security software detecting the compromised machine on the runtime. 

Depending on the software people are running, Kaspersky, Quick Heal, Avast, AVG, or Avira have a tailor-made persistence mechanism that includes obfuscated HTA payloads, batch scripts, registry modifications, and malicious shortcut files placed in the Windows Startup directory to encrypt data. 

As for systems lacking recognizable antivirus protection, a broader combination of these strategies can be used. This operation is anchored on a secondary HTA component which delivers a malicious DLL — known as iinneldc.dll — that performs the function of a fully featured RAT capable of allowing attackers to remotely administer a host, execute file operations, exfiltrate data, capture screenshots, monitor clipboards and control processes, allowing them to take complete control of infected systems. 

In terms of operations, this campaign underscores Transparent Tribe's reliance on deceiving its adversaries as a central pillar of its intrusion strategy, emphasizing the importance of adaptability and deception. 

The researchers found that attackers intentionally embedded complete, legitimate-looking PDF documents as shortcut files, presenting them as regular correspondence while hiding executable logic under the surface so that they would appear to be routine correspondence. 

When this is done, it greatly increases the chances that the user will interact with the malware before it becomes apparent that any warning signs have been raised. Once access is gained, the malware doesn't need to rely on a single, static method to maintain its position. 

Instead, it actively evaluates the compromised system's security posture and dynamically selects persistence mechanisms based on the installed endpoint protection, with a degree of conditional logic that is a reflection of careful planning and familiarity with common defensive environments in an attempt to meet their needs. 

Using encrypted command-and-control channels, the remote access trojan can communicate with attacker-controlled infrastructure, enabling it to receive instructions and exfiltrate sensitive data all while blending into the normal traffic stream on the network, reducing the chances it will be detected. 

According to security analysts, this operation has far broader implications than just a routine malware incident and has a lot to do with the overall threat landscape. It is clear from the campaign that it is an operation of cyber-espionage carried out by a cyber-espionage group with a long history of targeting the Indian government, defense and research institutions as a target for their attacks. 

There is an intentional effort to avoid traditional signature-based defenses with this attack by focusing on in-memory execution and fileless techniques, while the use of socially engineered, document-based lures indicates that an understanding is in place of how trust and familiarity can be exploited within targeted organizations in order to achieve a successful attack. 

The combination of these elements suggests that a persistent and mature adversary has been refining its tradecraft for years, reinforcing concerns about the sustained cyber threat facing critical sectors in India. Additionally, the malware deployed in this campaign functions as a remote access trojan that allows attackers to control infected systems in a persistent and covert manner. Based on this analysis, it can be concluded that this malware is a highly sophisticated remote access trojan. 

In addition to the use of trusted Windows binaries such as mshta.exe, PowerShell, and cmd.exe, researchers discovered the toolset focuses heavily on stealth, utilizing in-memory execution as well, which minimizes the on-disk footprint, as well as evading traditional detection methods. 

In addition to setting up an encrypted command-and-control channel, the RAT also provides operators with the ability to issue commands, collect detailed system information, and exfiltrate sensitive information without being noticed. 

By exploiting the exploits of the malware, operators are able to create a profile of compromised hosts by gathering information such as the operating system’s details, usernames, installed software, and active antivirus software, enabling them to implement follow-up actions tailored to their needs. 

This software enables remote command execution, comprehensive file management, targeted document theft, screenshot capture, clipboard monitoring and manipulation, granular process control, as well as the ability to execute commands remotely. This software is supported by persistence mechanisms that are adjusted according to the victim's security environment. 

Collectively, these capabilities strengthen the perception that the malware has been designed to support long-term surveillance and data collection rather than short-term disruption, thus confirming that it was built specifically for espionage. Typically, the infection lifecycle begins with a carefully constructed social engineering lure that appears to be legitimate and routine. 

As the payload in this case was framed as an examination-related document, it was used to target victims and spread the word that they would be able to receive a ZIP archive titled "Online JLPT Exam Dec 2025.zip." The archive reveals a shortcut file whose extension is .pdf.lnk when extracted, which is a tactic that exploits Windows’ way of handling shortcut files, where it conceals the executable nature of the payload even though the file extensions can be seen on the file.

This shortcut, which is unusually large—measuring over 2 megabytes instead of the usual 10 to 12 megabytes—prompted closer examination to reveal that the file was deliberately inflated in order to closely resemble a legitimate PDF file. 

It was discovered that the shortcut contained multiple markers associated with embedded image objects, indicating that it contained a complete PDF structure as opposed to serving simply as a pointer. This design choice was made so the shortcut would appear in line with user expectations, as well as fit the file size within the archive. 

In addition to this, a multi-stage design can be observed in the archive as well. An investigation revealed that there is a hidden directory labelled “usb” containing a file titled usbsyn.pim in it, which was unable to be decoded conclusively during analysis, but which researchers believe to contain encrypted data or code that will be used later on in the execution process. 

As a result of activating the shortcut, a legitimate Windows application called MSSHTA.exe is invoked, passing a remote URL to a malicious HTML application hosted on attacker-controlled infrastructure in order to retrieve and execute this malicious HTML application. 

It is evident from file metadata that the shortcut was created in late March 2025, a timeframe which provides some insight into the campaign's timeline. It is the intent of the HTA loader, to create the illusion of legitimacy, to retrieve and open a legitimate PDF document simultaneously, so the victim perceives the activity as harmless and expected. 

Moreover, the HTA loader itself is the basis of the execution chain, which has been designed to operate with the least amount of user visibility possible. 

A script launching at zero dimensions hides the activity of its execution by resizing its window to zero dimensions. The script then initializes a series of custom functions that perform Base64 decoding and XOR-based decryption routines, in order to gradually reconstruct the malicious payload in memory. This is all accomplished by the loader exploiting ActiveX components, such as WScript.Shell, in order to interact with the underlying Windows environment during this process.

Through the querying of registry keys to determine which .NET runtimes are available and the dynamic adjustment of environment variables such as COMPLUS_Version, the malware ensures that the malware is compatible with different systems. 

It is clear that Transparent Tribe's campaign has been highly calculated and methodical in its approach to environment profiling, runtime manipulation, and abuse of legitimate system components, demonstrating a mature tradecraft that is reflected in the campaign's methodical approach. 

Researchers report that, beyond the activities linked to Transparent Tribe, there are growing threats that are being targeted at Indian institutions, and tools and infrastructure that overlap are increasingly blurring the lines between various regional espionage groups who are using overlapping tools and infrastructure. 

A former hacker named Patchwork has also been identified as the perpetrator of an assault program dubbed StreamSpy, which introduces a dual-channel command-and-control model that utilizes WebSocket and HTTP protocols to deliver distinct operational benefits, as of December 2025. 

Using WebSocket connections for executing commands and returning execution results, as opposed to the traditional HTTP connections for transferring files, displays the analysis by QiAnXin, indicating a design choice intended to reduce visibility and evade routine network inspection by the company. 

By using ZIP archive delivery services hosted on attacker-controlled domains, the malware has delivered a payload capable of harvesting information about a system, establishing persistence through multiple mechanisms, including registry modifications, scheduled tasks, and startup shortcuts, and providing an array of commands for remote file manipulation, execution, and file retrieval. 

Furthermore, investigators have identified code-level similarities between StreamSpy and Spyder, a backdoor variant previously attributed to SideWinder and historically used by Patchwork, as well as digital signatures reminiscent of ShadowAgent, a Windows RAT associated with the DoNot Team, that are similar to ShadowAgent. 

According to the convergence of these technical indicators, coupled with independent detections by several security firms in late 2025, it appears that regional threat actors continue to integrate tooling and cross-pollinate among themselves. 

Analysts are stating that the emergence of StreamSpy and its variants reflects a sustained effort among these groups to refine the arsenals they possess, experiment with alternative communication channels, and maintain operational relevance while the defensive capabilities of these groups improve. Taking all of the findings presented in this investigation together, people are able to identify a cyber-espionage ecosystem that is more widespread and more entrenched against Indian institutions. 

It is characterized by patience, technical depth, and convergence between multiple threat actors in terms of tools and techniques. This campaign provides an example of how mature adversaries continue to improve their social engineering skills, take advantage of trusted components of systems and customize persistence mechanisms in order to maintain long-term access to high-value networks through social engineering and system abuse.

StreamSpy, for instance, illustrates a parallel trend in which regional espionage groups iterate on one another's malware frameworks, while experimenting with alternative command-and-control systems to evade detection, a trend that has been accelerating since the advent of related toolsets. 

Defendants should be aware that the significance of these campaigns lies not in any particular exploit or payload, but rather in the cumulative messages that they send, demonstrating that state-aligned threat actors are still deeply involved in collecting persistent intelligence and that the threat to government institutions, educational institutions, and strategic sectors is evolving rather than receding in sophistication.
Read more »
PDF
APT36 Avast avira cyber espionage HTTP Kaspersky malware PDF

Advanced Malware Campaigns Target Government and Academic Organizations


Cybersecurity researchers have identified ongoing cyber-espionage campaigns targeting government departments, academic institutions, and strategically important organizations across South Asia. The activity has been attributed to two established threat actors, Transparent Tribe and Patchwork, both known for maintaining long-term access to compromised systems.

Transparent Tribe, also tracked as APT36, has been active since at least 2013 and is associated with repeated intelligence-gathering operations against Indian organizations. In its latest campaign, the group used spear-phishing emails carrying ZIP archives that contained Windows shortcut files disguised as legitimate PDF documents. These shortcut files included real PDF content to appear harmless.

When opened, the shortcut launches a hidden process using the Windows utility mshta.exe, which runs an HTML Application script. This script decrypts and loads the final remote access trojan directly into system memory while simultaneously opening a decoy PDF to avoid alerting the victim. The script also interacts with Windows through ActiveX components, such as WScript.Shell, allowing it to analyze the environment and adjust execution behavior.

The malware adapts its persistence strategy based on the antivirus software installed. On systems with Kaspersky, it creates a working directory under C:\Users\Public\core and uses startup shortcuts to relaunch the malicious script. If Quick Heal is detected, it relies on batch files and startup entries. On machines running Avast, AVG, or Avira, the payload is copied directly into the Startup folder. If no recognized antivirus is found, the malware combines batch execution, registry-based persistence, and delayed payload deployment.

A second-stage component includes a malicious DLL named iinneldc.dll, which functions as a fully featured RAT. It allows attackers to remotely control the system, manage files, steal data, capture screenshots, monitor clipboard activity, and manipulate running processes.

Researchers also identified a separate APT36 campaign using a shortcut file disguised as a government advisory PDF. This file retrieves an installer from a remote server, extracts multiple malicious files, displays a legitimate advisory issued by Pakistan’s national CERT, and establishes persistence through registry modifications. One DLL communicates with a hard-coded command-and-control server using reversed strings to hide command endpoints and supports system registration, heartbeat signals, command execution, and anti-virtual-machine checks.

In a related disclosure, researchers linked Patchwork, also known as Maha Grass or Dropping Elephant, to espionage campaigns targeting Pakistan’s defense sector. These attacks used phishing emails with ZIP attachments containing MSBuild project files that abuse msbuild.exe to install a Python-based backdoor. The malware can communicate with command servers, execute Python modules, run commands, and transfer files.

Patchwork has also been associated with a previously undocumented trojan named StreamSpy. Delivered through ZIP archives hosting an executable named Annexure.exe, StreamSpy collects system information, establishes persistence through registry entries, scheduled tasks, or startup shortcuts, and communicates using both WebSocket and HTTP. WebSocket channels are used for command delivery and result transmission, while HTTP handles file transfers. Researchers observed technical similarities between StreamSpy, Spyder, and other malware families, indicating shared infrastructure and continued collaboration among related threat groups.



Read more »
ToneShell
cyber espionage Kapersky Kernel malware ToneShell

Advanced Rootkit Used to Conceal ToneShell Malware in Targeted Cyberespionage Attacks

 



Cybersecurity researchers have brought to light a new wave of cyberespionage activity in which government networks across parts of Asia were quietly compromised using an upgraded version of the ToneShell backdoor. What sets this campaign apart is the method used to hide the malware. Instead of relying solely on user-level tools, the attackers deployed a kernel-mode component that operates deep within the Windows operating system, allowing the intrusion to remain largely invisible.

The activity has been linked with high confidence to a China-aligned cyberespionage group that has a long history of targeting government agencies, policy institutions, non-governmental organizations, and research bodies. Investigators say the campaign reflects a continued focus on long-term intelligence collection rather than short-lived attacks.

The findings come from an investigation by Kaspersky, which identified malicious system drivers on compromised machines in countries including Myanmar and Thailand. Evidence suggests the campaign has been active since at least February 2025. In several cases, the affected systems had previously been infected with older espionage tools tied to the same threat ecosystem, indicating that access was maintained and expanded over time.

At the centre of the operation is a malicious kernel-mode driver disguised as a legitimate system component. The driver is digitally signed using an older certificate that appears to have been improperly reused, helping it avoid immediate suspicion during installation. Once active, it acts as a rootkit, injecting hidden code into normal processes and blocking attempts by security software to detect or remove it.

The driver protects itself aggressively. It prevents its files and registry entries from being altered, assigns itself a high execution priority, and interferes with Microsoft Defender by stopping key components from fully loading. While malicious code is running, it temporarily blocks access to infected processes, removing those restrictions afterwards to leave fewer traces behind.

The ToneShell backdoor delivered by this loader has also been updated. Earlier versions used a longer and more distinctive system identifier. The new variant switches to a shorter four-byte host marker, making individual infections harder to track. Its network traffic has been altered as well, with communications disguised to resemble legitimate encrypted web connections through the use of fake security headers.

Once installed, the backdoor gives attackers broad control over compromised systems. It can stage data in temporary files, upload and download information, cancel transfers when needed, open interactive remote command sessions, execute instructions in real time, and close connections cleanly to reduce forensic evidence. These features point to a tool designed for sustained, low-noise espionage rather than disruptive attacks.

Kaspersky warns that detecting this activity requires more than standard file scanning. Because much of the malicious behaviour occurs in memory and at the kernel level, advanced memory forensics are critical for uncovering infections. The researchers note that the campaign demonstrates a clear shift toward greater stealth and resilience, underscoring the growing sophistication of modern cyberespionage operations.

Read more »
Malwares
cyber espionage Cyber Espionage Campaign Cyberattacks cybersecurity risks Iran Iranian malware Malware Attack Malwares

Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces

 

Security researchers have identified renewed cyber activity linked to an Iranian threat actor known as Infy, also referred to as Prince of Persia, marking the group’s re-emergence nearly five years after its last widely reported operations in Europe and the Middle East. According to SafeBreach, the scale and persistence of the group’s recent campaigns suggest it remains an active and capable advanced persistent threat. 

Infy is considered one of the longest-operating APT groups, with its origins traced back to at least 2004. Despite this longevity, it has largely avoided the spotlight compared with other Iranian-linked groups such as Charming Kitten or MuddyWater. Earlier research attributed Infy’s attacks to a relatively focused toolkit built around two primary malware families: Foudre, a downloader and reconnaissance tool, and Tonnerre, a secondary implant used for deeper system compromise and data exfiltration. These tools are believed to be distributed primarily through phishing campaigns. 

Recent analysis from SafeBreach reveals a previously undocumented campaign targeting organizations and individuals across multiple regions, including Iran, Iraq, Turkey, India, Canada, and parts of Europe. The operation relies on updated versions of both Foudre and Tonnerre, with the most recent Tonnerre variant observed in September 2025. Researchers noted changes in initial infection methods, with attackers shifting away from traditional malicious macros toward embedding executables directly within Microsoft Excel documents to initiate malware deployment. 

One of the most distinctive aspects of Infy’s current operations is its resilient command-and-control infrastructure. The malware employs a domain generation algorithm to rotate C2 domains regularly, reducing the likelihood of takedowns. Each domain is authenticated using an RSA-based verification process, ensuring that compromised systems only communicate with attacker-approved servers. SafeBreach researchers observed that the malware retrieves encrypted signature files daily to validate the legitimacy of its C2 endpoints.

Further inspection of the group’s infrastructure uncovered structured directories used for domain verification, logging communications, and storing exfiltrated data. Evidence also suggests the presence of mechanisms designed to support malware updates, indicating ongoing development and maintenance of the toolset. 

The latest version of Tonnerre introduces another notable feature by integrating Telegram as part of its control framework. The malware is capable of interacting with a specific Telegram group through its C2 servers, allowing operators to issue commands and collect stolen data. Access to this functionality appears to be selectively enabled for certain victims, reinforcing the targeted nature of the campaign. 

SafeBreach researchers also identified multiple legacy malware variants associated with Infy’s earlier operations between 2017 and 2020, highlighting a pattern of continuous experimentation and adaptation. Contrary to assumptions that the group had gone dormant after 2022, the new findings indicate sustained activity and operational maturity over the past several years. 

The disclosure coincides with broader research into Iranian cyber operations, including analysis suggesting that some threat groups operate with structured workflows resembling formal government departments. Together, these findings reinforce concerns that Infy remains a persistent espionage threat with evolving technical capabilities and a long-term strategic focus.
Read more »
North Korea Cyber Operations
APT Cyber Crime cyber espionage Cyber Security Financial crime Financial Cybersecurity North Korea North Korea Cyber Operations

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime

 

Security analysts have identified a new escalation in cyber operations linked to North Korea, as two of the country’s most well-known threat actors—Kimsuky and Lazarus—have begun coordinating attacks with unprecedented precision. A recent report from Trend Micro reveals that the collaboration merges Kimsuky’s extensive espionage methods with Lazarus’s advanced financial intrusion capabilities, creating a two-part operation designed to steal intelligence, exploit vulnerabilities, and extract funds at scale. 

Rather than operating independently, the two groups are now functioning as a complementary system. Kimsuky reportedly initiates most campaigns by collecting intelligence and identifying high-value victims through sophisticated phishing schemes. One notable 2024 campaign involved fraudulent invitations to a fake “Blockchain Security Symposium.” Attached to the email was a malicious Hangul Word Processor document embedded with FPSpy malware, which stealthily installed a keylogger called KLogEXE. This allowed operators to record keystrokes, steal credentials, and map internal systems for later exploitation. 

Once reconnaissance was complete, data collected by Kimsuky was funneled to Lazarus, which then executed the second phase of attacks. Investigators found Lazarus leveraged an unpatched Windows zero-day vulnerability, identified as CVE-2024-38193, to obtain full system privileges. The group distributed infected Node.js repositories posing as legitimate open-source tools to compromise server environments. With this access, the InvisibleFerret backdoor was deployed to extract cryptocurrency wallet contents and transactional logs. Advanced anti-analysis techniques, including Fudmodule, helped the malware avoid detection by enterprise security tools. Researchers estimate that within a 48-hour window, more than $30 million in digital assets were quietly stolen. 

Further digital forensic evidence reveals that both groups operated using shared command-and-control servers and identical infrastructure patterns previously observed in earlier North Korean cyberattacks, including the 2014 breach of a South Korean nuclear operator. This shared ecosystem suggests a formalized, state-aligned operational structure rather than ad-hoc collaboration.  

Threat activity has also expanded beyond finance and government entities. In early 2025, European energy providers received a series of targeted phishing attempts aimed at collecting operational power grid intelligence, signaling a concerning pivot toward critical infrastructure sectors. Experts believe this shift aligns with broader strategic motivations: bypassing sanctions, funding state programs, and positioning the regime to disrupt sensitive systems if geopolitical tensions escalate. 

Cybersecurity specialists advise organizations to strengthen resilience through aggressive patch management, multi-layered email security, secure cryptocurrency storage practices, and active monitoring for indicators of compromise such as unexpected execution of winlogon.exe or unauthorized access to blockchain-related directories. 

Researchers warn that the coordinated activity between Lazarus and Kimsuky marks a new phase in North Korea’s cyber posture—one blending intelligence gathering with highly organized financial theft, creating a sustained and evolving global threat.
Read more »
protecting sensitive data
China Critical Infrastructure cyber espionage Cyber Security Czech data security Data Transfer protecting sensitive data

Czechia Warns of Chinese Data Transfers and Espionage Risks to Critical Infrastructure

 

Czechia’s National Cyber and Information Security Agency (NÚKIB) has issued a stark warning about rising cyber espionage campaigns linked to China and Russia, urging both government institutions and private companies to strengthen their security measures. The agency classified the threat as highly likely, citing particular concerns over data transfers to China and remote administration of assets from Chinese territories, including Hong Kong and Macau. According to the watchdog, these operations are part of long-term efforts by foreign states to compromise critical infrastructure, steal sensitive data, and undermine public trust. 

The agency’s concerns are rooted in China’s legal and regulatory framework, which it argues makes private data inherently insecure. Laws such as the National Intelligence Law of 2017 require all citizens and organizations to assist intelligence services, while the 2015 National Security Law and the 2013 Company Law provide broad avenues for state interference in corporate operations. Additionally, regulations introduced in 2021 obligate technology firms to report software vulnerabilities to government authorities within two days while prohibiting disclosure to foreign organizations. NÚKIB noted that these measures give Chinese state actors sweeping access to sensitive information, making foreign businesses and governments vulnerable if their data passes through Chinese systems. 

Hong Kong and Macau also fall under scrutiny in the agency’s assessment. In Hong Kong, the 2024 Safeguarding National Security Ordinance integrates Chinese security laws into its own legal system, broadening the definition of state secrets. Macau’s 2019 Cybersecurity Law grants authorities powers to monitor data transmissions from critical infrastructure in real time, with little oversight to prevent misuse. NÚKIB argues that these developments extend the Chinese government’s reach well beyond its mainland jurisdiction. 

The Czech warning gains credibility from recent attribution efforts. Earlier this year, Prague linked cyberattacks on its Ministry of Foreign Affairs to APT31, a group tied to China’s Ministry of State Security, in a campaign active since 2022. The government condemned the attacks as deliberate attempts to disrupt its institutions and confirmed a high degree of certainty about Chinese involvement, based on cooperation among domestic and international intelligence agencies. 

These warnings align with broader global moves to limit reliance on Chinese technologies. Countries such as Germany, Italy, and the Netherlands have already imposed restrictions, while the Five Eyes alliance has issued similar advisories. For Czechia, the implications are serious: NÚKIB highlighted risks across devices and systems such as smartphones, cloud services, photovoltaic inverters, and health technology, stressing that disruptions could have wide-reaching consequences. The agency’s message reflects an ongoing effort to secure its digital ecosystem against foreign influence, particularly as geopolitical tensions deepen in Europe.
Read more »
protecting sensitive data
Chinese Hackers Cyber Attacks cyber espionage cybercriminal group Cyberthreatm Salt Typhoon Hacks data security Data Theft DHS Hacker attack Hacker group protecting sensitive data

Chinese Hacker Group Salt Typhoon Breaches U.S. National Guard Network for Nine Months

 

An elite Chinese cyber-espionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nearly nine months, according to a classified Pentagon report revealed in a June Department of Homeland Security (DHS) memo. The memo, obtained by the nonprofit Property of the People through a freedom of information request, indicates the hackers had deep access between March and December 2024, raising alarms about compromised military or law enforcement data. 

Salt Typhoon has previously been linked to some of the most expansive cyber-intrusions into American infrastructure. This latest revelation suggests their reach was even broader than earlier believed. Authorities are still investigating the full extent of data accessed, including sensitive internal documents, personal information of service members, and network architecture diagrams. The affected state’s identity remains undisclosed. 

The Department of Defense declined to comment on the matter, while a spokesperson from the National Guard Bureau confirmed the breach but assured that the incident did not hinder any ongoing state or federal missions. Investigations are ongoing to determine the scope and potential long-term impact of the breach. 

China’s embassy in Washington did not directly deny the allegations but claimed the U.S. had not provided concrete evidence linking Salt Typhoon to the Chinese government. They reiterated that cyberattacks are a global threat and that China also faces similar risks. 

Salt Typhoon is particularly notorious for its ability to infiltrate and pivot across different networks. In a prior campaign, the group was linked to breaches at major telecom companies, including AT&T and Verizon, where hackers allegedly monitored text messages and calls tied to U.S. political figures, including both Trump and Harris campaigns and Senate Majority Leader Chuck Schumer’s office.

The hybrid structure of the National Guard — functioning under both federal and state authority — may have provided a wider attack surface. According to the DHS memo, the group may have obtained intelligence that could be used to compromise other states’ National Guard units and their local cybersecurity partners. Fourteen state National Guard units reportedly share intelligence with local fusion centers, potentially magnifying the risk. 

In January 2025, the U.S. Treasury Department sanctioned a company in Sichuan believed to be facilitating Salt Typhoon operations for China’s Ministry of State Security. Past incidents have shown that Salt Typhoon can maintain access for years, making complete removal and defense particularly challenging.
Read more »
Russian Hackers
COLDRIVER Coldriver hacker group Cyber Attacks cyber espionage data security espionage Hacker attack Malware Attack Malwares Russian Hackers

Lostkeys Malware: Russian Group Coldriver Targets Western Officials in Espionage Campaign

 

A new wave of cyber espionage has emerged, with Russian hackers deploying a sophisticated malware strain known as “Lostkeys” to infiltrate the systems of Western officials, journalists, and NGOs. According to researchers from Google’s Threat Intelligence Group, the malware is linked to Coldriver, also known as UNC4057, Star Blizzard, or Callisto—a threat actor believed to be part of Russia’s Federal Security Service (FSB), the successor to the KGB. 

Coldriver has traditionally been involved in phishing operations to steal credentials, but the emergence of Lostkeys demonstrates a significant leap in their cyber capabilities. Lostkeys appears to mark a shift in strategy for the group, moving beyond phishing and into deeper system infiltration. The malware is deployed in a targeted manner, reserved for high-value individuals such as political advisors, think tank members, journalists, and people with known connections to Ukraine.

Activity related to Lostkeys was observed by Google in the early months of 2024—specifically January, March, and April—with evidence suggesting its use might have started as far back as December 2023. The attack begins with a deceptive Captcha page, tricking victims into copying a malicious PowerShell script into the Windows Run dialog. This method, known as “ClickFix,” bypasses typical security filters and exploits user behavior rather than software vulnerabilities. 

Once executed, the script connects to a command-and-control server, downloading a series of payloads uniquely tailored to each victim. In an effort to avoid detection, the malware includes anti-sandbox measures. During the second stage of infection, the script checks the screen resolution of the host machine and halts if it matches known virtual machine environments used by analysts and cybersecurity researchers. If the device passes this check, the malware proceeds to the final stage—a Visual Basic Script that steals data, including specific file types, system details, and active processes. These are exfiltrated back to the attackers using an encoded system that applies a unique two-key substitution cipher for each infected machine. 

Lostkeys appears to be a more refined successor to a previous malware strain known as Spica, which Coldriver also deployed in 2024. While both strains focus on data exfiltration, Lostkeys features a more intricate delivery system and improved obfuscation techniques. Some earlier samples of Lostkeys mimicked legitimate software like Maltego and used executable files instead of PowerShell, though Google has not confirmed if these instances were part of the same campaign or the work of a different threat actor reusing Coldriver’s tactics. 

This development highlights an alarming evolution in state-backed cyber operations, where advanced social engineering and stealth techniques are being increasingly used to infiltrate high-profile targets. As geopolitical tensions persist, the risks posed by such targeted cyber espionage campaigns are expected to grow.
Read more »
Subscribe to: Comments (Atom)