AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
Summary: Cybersecurity researchers have identified a new AI-assisted ransomware group called FunkSec, which has targeted over 85 victims since its emergence in late 2024. The group employs double extortion tactics and operates under a ransomware-as-a-service model, with connections to hacktivist activities.

Threat Actor: FunkSec | Victim: Various organizations

Key Point:

FunkSec uses double extortion tactics, combining data theft with encryption to pressure victims.…

RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
Summary: The China-nexus RedDelta threat actor has targeted countries across East and Southeast Asia, including Mongolia and Taiwan, to deploy a customized version of the PlugX backdoor, using spearphishing lures tailored to each target. Its multi-stage infection chains and use of legitimate cloud services for command-and-control reflect a sustained focus on government entities in the region.…

Victim: www.fairhallzhang.com
Country:
Actor: ransomhub
Source: http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/a19c5a1b-838f-4f7b-976f-26401ab4959c/
Discovered: 2025-01-10 00:30:17.343934
Published: 2025-01-10 00:28:46.911201
Description: [AI generated] Fairhall Zhang is a Shanghai-based company that specializes in providing asset management services. They focus primarily on Chinese capital markets, aiming to generate absolute returns through their deep knowledge of the local market economy.…

Chinese spies targeting new Ivanti vulnerability, Mandiant says
Summary: A newly discovered vulnerability in Ivanti’s Connect Secure VPN is being exploited by China-based espionage threat actors, prompting urgent action from U.S. cybersecurity agencies. Mandiant’s analysis highlights the ongoing risks and the potential for widespread exploitation of this vulnerability.

Threat Actor: UNC5221 | Victim: Ivanti

Key Point:

Mandiant identified exploitation of CVE-2025-0282 by Chinese hackers, linked to previous attacks on Ivanti products.…

RedDelta: Chinese State-Sponsored Group Targets Mongolia, Taiwan, and Southeast Asia with Evolving Cyber Threats
Insikt Group has reported that the Chinese state-sponsored group RedDelta actively targeted countries across East and Southeast Asia, including Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, from July 2023 to December 2024. The group used spearphishing with customized documents to distribute its PlugX backdoor. Notable targets included government entities and NGOs, reflecting a focus on geopolitical interests in the region.…

US Treasury hack linked to Silk Typhoon Chinese state hackers
Summary: Chinese state-backed hackers, known as Silk Typhoon, have been linked to a significant cybersecurity breach involving the U.S. Office of Foreign Assets Control (OFAC). The attackers compromised a BeyondTrust instance, potentially aiming to gather intelligence on U.S. sanctions against Chinese entities.

Threat Actor: Silk Typhoon | Victim: U.S.…

Google: Chinese hackers likely behind Ivanti VPN zero-day attacks
Summary: Hackers are exploiting a critical zero-day vulnerability in Ivanti Connect Secure, identified as CVE-2025-0282, to deploy new malware called ‘Dryhook’ and ‘Phasejam’ on compromised VPN appliances. This vulnerability allows attackers to gain unauthorized access and potentially steal sensitive information from affected systems.

Threat Actor: UNC5337 | Victim: Ivanti Connect Secure

Key Point:

Attackers exploit CVE-2025-0282 to gain initial access to the system.…

Japan says Chinese hackers targeted its government and tech companies for years | TechCrunch
Summary: The Japanese government has accused the Chinese hacking group MirrorFace of targeting various government organizations, companies, and individuals in Japan since 2019, with the intent of stealing sensitive information related to national security and advanced technology.

Threat Actor: MirrorFace | Victim: Japan

Key Point:

MirrorFace’s campaign has evolved from targeting media and political organizations to focusing on manufacturers and research institutions since 2023.…

MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan
Summary: Japan’s National Police Agency and NCSC have linked the threat actor MirrorFace to a persistent cyber attack campaign targeting Japanese organizations since 2019, aimed at stealing sensitive national security and technology information.

Threat Actor: MirrorFace | Victim: Various Japanese organizations

Key Point:

MirrorFace, also known as Earth Kasha, is a sub-group of APT10 with a history of targeting Japanese entities.…

Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies
Summary: Google Cloud’s Mandiant has linked the exploitation of a newly patched Ivanti VPN zero-day vulnerability to Chinese cyberspies, revealing that the attacks involved multiple malware families. Ivanti has patched the vulnerabilities, but concerns remain about further exploitation by other threat actors.

Threat Actor: UNC5337 (Chinese cyberspies) | Victim: Ivanti customers

Key Point:

Mandiant identified exploitation of CVE-2025-0282, a critical zero-day vulnerability in Ivanti’s VPN appliances.…

Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
Summary: Ivanti has reported a critical security vulnerability (CVE-2025-0282) affecting its products, which is currently being actively exploited, allowing unauthenticated remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate patching.

Threat Actor: UNC5337 | Victim: Ivanti

Key Point:

CVE-2025-0282 is a stack-based buffer overflow with a CVSS score of 9.0, affecting multiple Ivanti products.…

Summary: Advanced threat actors are exploiting a newly disclosed zero-day vulnerability in Ivanti Connect Secure (ICS) VPN appliances that allows unauthenticated remote code execution. Ivanti disclosed two flaws together: CVE-2025-0282, the remotely exploitable bug, with in-the-wild exploitation reported since mid-December 2024, and CVE-2025-0283, a local privilege-escalation bug in the same products. Both pose significant risks to network security because the appliances sit at the network edge.

Threat Actor: UNC5337 | Victim: Ivanti Connect Secure users

Key Point:

Exploitation of CVE-2025-0282 allows unauthenticated remote code execution, compromising entire networks.…

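The Ivanti entries above describe CVE-2025-0282 as a stack-based buffer overflow that yields unauthenticated remote code execution. The C below is an added, generic illustration of that bug class and of the fix, written for this page; it is not Ivanti's code, does not reproduce the real vulnerable function, and its packet format, field names and buffer sizes are assumptions chosen for the demonstration. The vulnerable parser checks the client-declared length only against the packet it read, then copies that many bytes into a fixed stack buffer; the hardened parser bounds the copy against the destination's real size and rejects oversized fields rather than silently truncating them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the illustration (not taken from any Ivanti code). */
#define CAP_MAX 32    /* fixed-size stack buffer inside the parser   */
#define PKT_MAX 512   /* largest constructed packet used below       */

/* Constructed wire format: one length byte followed by that many payload
 * bytes. A remote client controls both before any authentication. */

/* Vulnerable pattern: the truncation check only guards the read from the
 * packet; the memcpy trusts the client-declared length against a 32-byte
 * stack buffer, so a declared length above CAP_MAX overwrites the frame. */
int parse_cap_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char cap[CAP_MAX];
    if (pkt == NULL || pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (pkt_len < 1 + declared) return -1;   /* guards the read, not the write */
    memcpy(cap, pkt + 1, declared);          /* stack-based buffer overflow     */
    cap[declared < CAP_MAX ? declared : CAP_MAX - 1] = '\0';
    return (int)strlen(cap);
}

/* Hardened: the caller passes the destination size, the copy is bounded by
 * it, and anything that would not fit (with its NUL) is rejected outright. */
int parse_cap_hardened(const uint8_t *pkt, size_t pkt_len,
                       char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || out_len == 0) return -1;
    if (pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (pkt_len < 1 + declared) return -1;   /* truncated packet              */
    if (declared >= out_len) return -2;      /* does not fit: reject, not trim */
    memcpy(out, pkt + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Encodes a constructed packet: length byte + payload. Returns bytes written,
 * or 0 if the payload cannot be encoded in this format. */
size_t build_packet(uint8_t *pkt, size_t pkt_cap, const uint8_t *payload, size_t n)
{
    if (n > 255 || pkt_cap < 1 + n) return 0;
    pkt[0] = (uint8_t)n;
    memcpy(pkt + 1, payload, n);
    return 1 + n;
}

/* Scenario helpers over constructed inputs, so each case is callable by name. */
int demo_benign_vulnerable(void)
{
    uint8_t pkt[PKT_MAX];
    size_t n = build_packet(pkt, sizeof pkt, (const uint8_t *)"hello", 5);
    return parse_cap_vulnerable(pkt, n);                   /* 5: fits, no overflow */
}

int demo_benign_hardened(void)
{
    uint8_t pkt[PKT_MAX];
    char out[CAP_MAX];
    size_t n = build_packet(pkt, sizeof pkt, (const uint8_t *)"hello", 5);
    return parse_cap_hardened(pkt, n, out, sizeof out);    /* 5 */
}

int demo_oversized_hardened(void)
{
    uint8_t pkt[PKT_MAX], big[200];
    char out[CAP_MAX];
    memset(big, 'A', sizeof big);                          /* 200 > CAP_MAX */
    size_t n = build_packet(pkt, sizeof pkt, big, sizeof big);
    return parse_cap_hardened(pkt, n, out, sizeof out);    /* -2: rejected */
}

int demo_truncated_hardened(void)
{
    uint8_t pkt[4] = { 5, 'a', 'b', 'c' };                 /* claims 5, carries 3 */
    char out[CAP_MAX];
    return parse_cap_hardened(pkt, sizeof pkt, out, sizeof out);  /* -1 */
}

int main(void)
{
    printf("benign field, vulnerable parser : %d\n", demo_benign_vulnerable());
    printf("benign field, hardened parser   : %d\n", demo_benign_hardened());
    printf("200-byte field, hardened parser : %d\n", demo_oversized_hardened());
    printf("truncated packet, hardened parser: %d\n", demo_truncated_hardened());
    /* The 200-byte field is deliberately never fed to parse_cap_vulnerable:
     * that memcpy of 200 bytes into a 32-byte stack buffer is the overflow. */
    return 0;
}
```

The hardened version returns a distinct error for "does not fit" instead of truncating, so a caller can log and drop the session rather than continue on a silently mangled field; that distinction is what separates a rejected packet from a pre-authentication crash or code-execution primitive on an edge appliance.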
Casio warns employees, customers about data leak from October ransomware attack
Summary: In October 2024, Japanese electronics manufacturer Casio suffered a ransomware attack that compromised data belonging to thousands of employees, business partners, and customers. The intrusion began with phishing emails and was claimed by the Underground ransomware gang, leading to significant data theft and operational disruption.

Threat Actor: Underground ransomware gang | Victim: Casio

Key Point:

6,456 employees, 1,931 business partners, and 91 customers had their data compromised.…

Over 4,000 backdoors hijacked by registering expired domains
Summary: Researchers hijacked over 4,000 abandoned web backdoors by registering expired domains, preventing malicious actors from taking control of compromised systems. This effort revealed numerous high-profile victims, including government and educational institutions across various countries.

Threat Actor: Various | Victim: Government and educational institutions

Key Point:

Researchers registered expired domains to take control of active backdoors.…

Chengdu: Teahouses, Hotpots, Universities and Hackers
Chengdu, a city in Sichuan Province, has emerged as a significant hub for hacking activities, largely due to its laid-back atmosphere, rich educational resources, and unique culture. The Natto Team’s research highlights connections between local companies and advanced persistent threat (APT) groups, particularly APT41, while also exploring the social dynamics of Chengdu’s teahouses and hotpot restaurants that foster networking among hackers.…
Japan Links Chinese Hacker MirrorFace to Dozens of Cyberattacks Targeting Security and Tech Data
Summary: Japan has linked over 200 cyberattacks targeting its national security and technology sectors to the Chinese hacking group MirrorFace, urging enhanced cybersecurity measures. The National Police Agency detailed the systematic nature of these attacks, which have been ongoing since 2019.

Threat Actor: MirrorFace | Victim: Japan

Key Point:

Cyberattacks targeted key government ministries, private companies, and think tanks related to advanced technology.…

Crims Backdoored Their Backdoors. Then the Domains Lapsed
Summary: Researchers from watchTowr Labs have uncovered over 4,000 unique backdoors utilizing expired domains, exposing government and academic hosts to potential hijacking by malicious actors. This study highlights the risks associated with abandoned infrastructure and the ease with which attackers can exploit these vulnerabilities.

Threat Actor: Criminals exploiting backdoors | Victim: Government and academic institutions

Key Point:

watchTowr Labs identified over 4,000 compromised systems, including government and educational institutions.…