#ChineseHacker

Latest posts tagged with #ChineseHacker on Bluesky


Posts tagged #ChineseHacker

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe

The HoneyMyte threat group, also known as Mustang Panda or Bronze President, has escalated its cyber espionage efforts by significantly upgrading its CoolClient backdoor malware. This China-linked advanced persistent threat (APT) actor, active since at least 2012, primarily targets government organizations in Asia and Europe to harvest sensitive geopolitical and economic intelligence. In 2025, security researchers from Kaspersky identified enhanced versions of CoolClient deployed in campaigns hitting countries like Myanmar, Mongolia, Malaysia, Thailand, Russia, and Pakistan. These updates reflect HoneyMyte's ongoing adaptation to evade detection and maximize data theft from high-value targets. CoolClient now employs a multi-stage infection chain, often using DLL side-loading to hijack legitimate applications from vendors like BitDefender, VLC Media Player, and Sangfor.

This technique allows the malware to masquerade as trusted software while executing malicious payloads for persistence and command-and-control communication. The backdoor supports extensible plugins, including new capabilities to extract HTTP proxy credentials from network traffic—a feature not previously observed in HoneyMyte's arsenal. Combined with tools like ToneShell rootkit, PlugX, and USB worms such as Tonedisk, these enhancements enable deeper system compromise and long-term surveillance. A standout addition is HoneyMyte's browser credential stealer, available in at least three variants tailored to popular browsers. Variant A targets Google Chrome, Variant B focuses on Microsoft Edge, and Variant C handles multiple Chromium-based browsers like Brave and Opera. The stealer copies login databases to temporary folders, leverages Windows Data Protection API (DPAPI) to decrypt master keys and passwords, then reconstructs full credential sets for exfiltration.

This shift toward active credential harvesting, alongside keylogging and clipboard monitoring, marks HoneyMyte's evolution from passive espionage to comprehensive victim surveillance. Supporting these implants, HoneyMyte deploys scripts for reconnaissance, document exfiltration, and system profiling, often in tandem with CoolClient infections. These campaigns exploit spear-phishing lures mimicking government services in victims' native languages, exploiting regional events for credibility. Earlier variants of CoolClient were analyzed by Sophos in 2022 and Trend Micro in 2023, but 2025 iterations show marked improvements in stealth and modularity. The group's focus on Southeast Asian governments underscores its alignment with Chinese strategic interests. Organizations face heightened risks from HoneyMyte's refined toolkit, demanding robust defenses like behavioral monitoring for DLL side-loading, browser credential anomalies, and anomalous network traffic. Government entities in targeted regions should prioritize endpoint detection, credential hygiene, and threat intelligence sharing to counter these persistent threats. As HoneyMyte continues innovating—potentially expanding to Europe—proactive measures remain essential against this adaptable adversary.

HoneyMyte Upgrades CoolClient: New Browser Stealers Target Asia, Europe #ChineseHacker #CoolClient #CyberAttacks


Chinese Hacker Xu Zewei Arrested for Ties to Silk Typhoon Group and U.S. Cyber Attacks reconbee.com/chinese-hack...

#chinese #chinesehacker #XuZewei #silktyphoongroup #cyberattacks #UnitedStates #USA #cybercrime

Chinese Attackers Target France Infrastructure in Ivanti Zero-Day Exploit Campaign

The French cybersecurity agency stated in a study released Tuesday that three zero-day flaws impacting Ivanti Cloud Services Appliance devices triggered an attack spree in France last year that affected several critical infrastructure sectors. The French National Agency for the Security of Information Systems reports that from early September to late November 2024, widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 affected government agencies and organisations in the media, finance, transportation, and telecommunications sectors. According to Mandiant, the attacks were carried out by UNC5174, a former member of Chinese hacktivist collectives who was probably working as a contractor for China's Ministry of State Security. The attacker, known as "Uteus," has previously targeted edge device flaws in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and the Zyxel firewall.

Authorities in France discovered that UNC5174 employed a unique intrusion set known as "Houken," which included zero-day vulnerabilities, a sophisticated rootkit, numerous open-source tools, commercial VPNs, and dedicated servers. Officials believe Houken and UNC5174 are operated by the same threat actor, an initial access broker who steals credentials and implements methods to gain persistent access to target networks.

“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency noted in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

Earlier this year in January, the Cybersecurity and Infrastructure Security Agency said that threat actors used the three Ivanti zero-days in a chain to get credentials, execute remote code, establish initial access, and install webshells on victim networks. In April, Sysdig researchers said that they had observed the China state-sponsored hacker organisation UNC5174 use open-source offensive security techniques like WebSockets and VShell to blend in with more common cybercriminal activities.

Numerous attackers have frequently taken advantage of long-standing flaws in Ivanti products, including espionage outfits with ties to China. Since 2021, Ivanti has shipped software with a high number of vulnerabilities across at least ten different product lines, more than any other vendor in this market since the start of last year. According to cyber authorities, cybercriminals have exploited seven flaws in Ivanti products so far this year, and 30 Ivanti faults have been discovered over the past four years in CISA's known exploited vulnerabilities catalogue.

“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti noted in a statement. “Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”

Chinese Attackers Target France Infrastructure in Ivanti Zero-Day Exploit Campaign #ChineseHacker #CyberAttacks #FrenchInfrastructure

Hackers are using Google Calendar to steal your data and you won’t even notice

Chinese state-sponsored hackers exploit Google Calendar in a new cyberattack, stealthily stealing confidential data through malware hidden in seemingly innocent emails and calendar events. Learn how t...

Chinese Hackers Use Google Calendar as a Stealthy Data Theft Tool

content.techgig.com/technology/c...

#chinesehacker #Google #vulnerability #2fa #RCE #ZeroTrust #ZeroDay #cybercrime #hacker #privacy #APT #bot #CISO #DDoS #hacking #phishing #CyberAttack #cybersecurity #Security #infosec #AppSec

US Tariffs May Lead to Chinese Cyberattacks in Retaliation, Experts Warn

As the trade battle between the United States and China heats up, some cybersecurity and policy experts fear Beijing could retaliate in cyberspace. Shortly after the US raised its tax on imported Chinese goods to 104 percent on Wednesday last week, China raised its duty on American imports to 84 percent. "China urges the US to immediately correct its wrong practices, cancel all unilateral tariff measures against China, and properly resolve differences with China through equal dialogue on the basis of mutual respect," the Office of the Tariff Commission of the State Council noted in a statement.

Citing a "lack of respect" from Beijing, US President Trump raised the China tariff yet again, this time by 125 percent. The government later "paused" punitive tariffs on numerous other countries, but maintained the 125 percent tax on China. White House press secretary Karoline Leavitt told reporters, "President Trump will strike back harder when you strike at the United States of America.”

There is growing concern that President Xi Jinping may use his army of cyber-spies to support the People's Republic, even though this back and forth has the potential to ruin trade between the two countries, drive up consumer costs, or cut off supply completely.

"China will retaliate with systemic cyber attacks as tensions simmer over," cybersecurity advisor Tom Kellermann stated. "The typhoon campaigns have given them a robust foothold within critical infrastructure that will be used to launch destructive attacks. Trade wars were a historical instrument of soft power. Cyber is and will be the modern instrument of choice.”

The "typhoon campaigns" refer to a sequence of digital incursions supported by the Chinese government that were revealed last year. Among them are Volt Typhoon, which has been infiltrating America's vital infrastructure since at least 2023 and plotting destructive cyberattacks against those targets, and Salt Typhoon, an espionage team that gained access to at least nine US government and telecom networks.

"To the extent that China is holding back on conducting certain types of cyberattacks, it may feel less restrained now," noted Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. "The intelligence community has assessed that China has conducted operational preparation of the battlefield to disrupt US critical infrastructure and cause societal panic, impede US government decision making, and degrade our ability to mobilize forces," Fixler added.

In addition to spying, which is always going on, it is unclear what, if anything, Beijing-backed goons intend to do online to protest Trump's tariffs. However, financially motivated cybercriminals have already discovered ways to take advantage of people's misunderstanding of the constantly changing trade regulations.

US Tariffs May Lead to Chinese Cyberattacks in Retaliation, Experts Warn #ChineseHacker #CyberSecurity #ThreatLandscape

China’s FamousSparrow APT Hits United States Via SparrowDoor Malware

A China-linked cyberespionage gang known as 'FamousSparrow' was caught utilising a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organisation. Security experts at ESET spotted the activities and new malware version, uncovering evidence that the attacker has been more active than previously anticipated since its last operations were reported in 2022.

Apart from the financial organisation, ESET identified and linked further recent attacks to FamousSparrow, including a Mexican research facility and a Honduran government entity. In all of these incidents, initial access was acquired by exploiting obsolete Microsoft Exchange and Windows Server endpoints and infecting them with webshells.

New modular SparrowDoor

ESET's investigation revealed two new variants of the SparrowDoor backdoor. The first is identical to a backdoor credited to 'Earth Estries,' with enhanced code quality, architecture, encrypted configuration, persistence methods, and stealthy command-and-control (C2) switching. A critical new feature that applies to both new versions is parallel command execution, which allows the backdoor to continue listening for and processing incoming commands while executing prior ones.

"Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones," reads the ESET report. "The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed.”

The latest version, which is a modular backdoor with a plugin-based architecture, includes the most significant modifications. Its operating capabilities can be expanded while staying covert and undetectable by receiving additional plugins from the C2 at runtime, which are fully loaded in memory.

ShadowPad link

Another notable finding in ESET's analysis is FamousSparrow's use of ShadowPad, a sophisticated modular remote access trojan (RAT) linked to various Chinese APTs. In the attacks seen by the researchers, ShadowPad was loaded via DLL side-loading from a renamed Microsoft Office IME executable, injected into the Windows media player (wmplayer.exe) process, and linked to a known C2 server associated with the RAT. This suggests that FamousSparrow, like other state-sponsored entities, may now have access to advanced Chinese cyber tools. According to ESET, Microsoft classifies Earth Estries, GhostEmperor, and FamousSparrow under a single threat cluster they refer to as Salt Typhoon. ESET tracks them as separate categories because there isn't any technical evidence to support this. It acknowledges, meanwhile, that their tools share code, exploitation strategies, and some infrastructure reuse.

These overlaps, according to ESET, are indicators of a common third-party supplier, sometimes known as a "digital quartermaster," who supports and lurks behind all of these Chinese attack groups.

China’s FamousSparrow APT Hits United States Via SparrowDoor Malware #ChineseHacker #CyberAttacks #FamousSparrow

Chinese APT Volt Typhoon Target U.S. Power Utility in Prolonged Cyberattack

Chinese hackers involved in the Volt Typhoon attack spent over a year inside the networks of a major utility company in Littleton, Massachusetts.

In a report published last week, Dragos, an operational technology (OT) cybersecurity firm, described their work assisting the Littleton Electric Light & Water Department in dealing with what was determined to be part of a larger effort by China's government to preposition their attackers within U.S. critical infrastructure, with the ultimate goal believed to be destructive action taken in the event of a conflict.

US law enforcement claims the gang has infiltrated a number of vital infrastructure organisations in the United States, as well as Guam. According to Dragos, the Massachusetts utility found its systems had been compromised soon before Thanksgiving in 2023.

David Ketchen, the utility's assistant general manager, received a phone call from the FBI on a Friday afternoon informing him of a possible compromise. On the following Monday, FBI agents and representatives from the Cybersecurity and Infrastructure Security Agency (CISA) arrived at the company's premises.

The utility has provided power and water to the towns of Littleton and Boxborough, roughly 30 miles northwest of Boston, for over a century, but has battled in recent years to keep up with the growing amount of cyber threats. They approached Dragos after learning about the Volt Typhoon compromise. A review revealed that the Volt Typhoon had been in the utility's networks since February 2023.

Dragos discovered evidence of the hackers' lateral movement and data exfiltration, but an investigation indicated that the "compromised information did not include any customer-sensitive data, and the utility was able to change their network architecture to remove any advantages for the adversary.”

CISA and the FBI have repeatedly warned that the hackers are "looking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States," despite China's denials of any involvement in the Volt Typhoon compromises.

Chinese APT Volt Typhoon Target U.S. Power Utility in Prolonged Cyberattack #ChineseHacker #CyberAttacks #Dragos

FBI And CISA Issues Warning of Ongoing ‘Ghost’ Ransomware Attack  Ghost, a ransomware outfit, has been exploiting software and firmware flaws since January, according to an FBI and Cybersecurity and Infrastructure Security Agency (CISA) advisory issued last week. The outfit, also known as Cring and based in China,…

FBI And CISA Issues Warning of Ongoing ‘Ghost’ Ransomware Attack #ChineseHacker #CISA #FBI

China-backed APT40 Hacking Outfit Implicated for Samoa Cyberattacks  Samoa's national cybersecurity office issued an urgent advisory after the Chinese state-sponsored cyber outfit APT40 escalated its attacks on government and critical infrastructure networks across the Pacific.  Samoa's Computer Emergency Response Team,…

China-backed APT40 Hacking Outfit Implicated for Samoa Cyberattacks #APT40 #ChineseHacker #CyberAttacks

Chinese hacking of US telecom giants may be 'more dangerous' than thought - Times of India

TECH NEWS: Recent disclosures reveal that Chinese hackers have breached at least nine major US telecom companies, including AT&T and Verizon. The cyber-espionage

Chinese hacking of US telecom giants may be 'more dangerous' than thought!

timesofindia.indiatimes.com/technology/t...

#chinesehacker #Chinese #China #US #Telecom #vulnerability #2fa #RCE #ZeroTrust #ZeroDay #cybercrime #hacker #APT #bot #CISO #DDoS #CyberAttack #cybersecurity #Security #infosec

AFP News

#China #ChineseHacker Reputable countries aid in locating and prosecuting criminal hackers unless 1) they are state sponsored, or 2) the country is just another grifting, lying Russia: doc.afp.com/36PZ8XG
