Last updated: July 5, 2026 at 9:01 AM UTC
Tag: china (12 articles)

China-linked SprySOCKS backdoor jumps to Windows with kernel-level stealth

ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.

Check
On Windows servers, watch for unexpected kernel drivers and scheduled tasks tied to DLL side-loading, and patch internet-facing Fortinet, Exchange, GitLab, Telerik, and Zimbra systems this group abuses.
Affected
Windows environments at espionage-relevant targets, particularly government organizations; the group gains initial access through unpatched public-facing servers, then uses kernel drivers to stay hidden from defenders' tools.
Fix
Patch and harden internet-facing services, enable driver-signing enforcement and kernel-level monitoring, hunt for the known driver and loader components, and isolate and rebuild any host showing signs of kernel-level tampering.

China-linked group hid in research networks, stealing email via Workspace rules

Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.

Check
Audit Google Workspace mail forwarding and filter rules for unauthorized auto-forwarding to external addresses, and review REDCap and other research servers for unexpected accounts, credential theft, or backdoor activity.
Affected
Medical, academic, and defense research organizations running REDCap servers and Google Workspace; long-dwell, low-noise espionage groups target their sensitive research and defense communications.
Fix
Remove malicious mail rules, reset exposed credentials, and enforce phishing-resistant MFA. Patch and monitor REDCap servers, restrict who can create auto-forwarding rules, and alert on new external forwarding.

China-linked Velvet Ant hid in Linux login software for nearly a decade

Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.

Check
Integrity-check PAM modules (pam_unix.so) and OpenSSH binaries on Linux hosts against known-good hashes from your distribution, and watch for logins succeeding with unexpected or hardcoded credentials.
Affected
Linux environments, especially internal servers and appliances without endpoint detection, where attackers with prior access can replace authentication binaries; high-value, long-dwell espionage targets are most at risk.
Fix
Reinstall PAM and OpenSSH from trusted distribution packages, rotate all credentials that may have been harvested, deploy file-integrity monitoring on authentication binaries, and extend detection to appliances lacking EDR.
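The integrity check recommended above, as an added example that is not code from Sygnia or from the page: a POSIX shell script that compares pam_unix.so and the OpenSSH binaries against a known-good SHA-256 list (built on a trusted host or from the distribution's packages), and, where a package manager is present, against the checksums it recorded at install time. The file paths, the list format, the package names, and the availability of GNU sha256sum are all assumptions.

```shell
#!/bin/sh
# Added example (not from the page): verify Linux authentication binaries
# against known-good SHA-256 hashes. The list uses the output format of
# `sha256sum` ("<sha256>  <path>"), generated on a trusted host or from the
# distribution's packages. Paths and package names below are assumptions
# typical of mainstream distributions; adjust them for your fleet.

# Files that a pam_unix.so / OpenSSH replacement would overwrite (assumed paths).
AUTH_FILES="/lib/x86_64-linux-gnu/security/pam_unix.so /usr/sbin/sshd /usr/bin/ssh"

# verify_auth_binaries <known_good_list> <file>...
# Prints one status line per file (OK, MODIFIED, UNLISTED, MISSING) and
# returns the number of problem files, so 0 means every file matched.
verify_auth_binaries() {
    list="$1"; shift
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; bad=$((bad + 1)); continue
        fi
        # Look up the expected digest for exactly this path in the list.
        expected=$(awk -v p="$f" '$2 == p { print $1 }' "$list")
        if [ -z "$expected" ]; then
            echo "UNLISTED $f"; bad=$((bad + 1)); continue
        fi
        actual=$(sha256sum "$f" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $f"
        else
            echo "MODIFIED $f"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# pkg_verify_auth_stack: cross-check the same binaries against the package
# manager's own recorded checksums, which is the preferred "known good"
# source when the package database itself can be trusted. It prints any
# file whose checksum differs from the installed package. Package names
# are assumptions for the Debian and RHEL families.
pkg_verify_auth_stack() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V pam openssh-server openssh-clients
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg --verify libpam-modules openssh-server openssh-client
    else
        echo "no supported package manager found" >&2
        return 2
    fi
}

# Stand-alone usage: sh verify_auth.sh /path/to/known_good.sha256
if [ $# -ge 1 ]; then
    verify_auth_binaries "$1" $AUTH_FILES   # unquoted on purpose: split the list
    pkg_verify_auth_stack
fi
```

Because a host that has had its login stack replaced may also have had sha256sum, awk, or the package database tampered with, the hash list should be produced elsewhere and, for a high-confidence check, the hashing itself run from a live medium or with the disk mounted on a clean system. A MODIFIED or UNLISTED result on an authentication binary is a reinstall-and-rotate event, not something to explain away.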

Google sues Chinese network for weaponizing Gemini AI in smishing scams

Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.

Check
Remind staff and yourself to treat unexpected texts about account problems or rewards as suspect, and review mobile-threat and link-protection telemetry for spikes in smishing referencing banks or carriers.
Affected
Mobile users, especially in the US, targeted by SMS phishing impersonating banks, brokerages, and phone carriers via the Outsider phishing-as-a-service kit; financial and personal data are the goal.
Fix
Never click links in unsolicited texts; navigate to institutions directly. Enable carrier and device spam filtering, report smishing, and use phishing-resistant MFA so stolen passwords alone cannot unlock accounts.

China-linked JDY botnet scans US military networks for fresh flaws

Lumen's Black Lotus Labs warns that JDY, a covert botnet tied to Chinese state-linked groups including Volt Typhoon, has more than doubled to over 1,500 hacked home and small-office routers, firewalls, and IoT devices. Unlike a DDoS botnet, JDY is a distributed scanning network: it fingerprints exposed services across the internet and flags systems vulnerable to newly disclosed bugs, often within hours of disclosure. It keeps a heavy focus on the US, especially military and associated networks, and survived the 2024 FBI takedown of its parent KV-botnet. Because traffic comes from thousands of ordinary residential IPs, simple IP blocking does not stop it.

Check
Inventory internet-facing routers, firewalls, and IoT devices, especially Ubiquiti, DrayTek, Hikvision, and Linksys gear, for end-of-life models and missing patches that JDY scans for after disclosure.
Affected
Internet-exposed SOHO routers, firewalls, and IoT devices, particularly end-of-life hardware; US military and associated networks are a stated focus of the reconnaissance.
Fix
Patch edge devices promptly after vendor disclosures, replace end-of-life hardware, disable remote management where unneeded, and rely on behavioral rather than IP-based detection for scanning activity.

Five Eyes warns China is recruiting officials via fake job offers

The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.

Check
Brief staff in sensitive government, defense, and research roles to scrutinize unsolicited recruiter and consulting approaches, and check whether anyone has shared non-public information during one.
Affected
Current and former Five Eyes government, military, defense-contractor, policy, research, and journalist personnel with access to classified or privileged information, especially those linked to the Indo-Pacific.
Fix
Verify recruiters and employers through official channels before engaging, never discuss sensitive work in interviews, and report suspected approaches to your security team or national agency.

Chinese cybercrime actor TA4922 expands to Europe with Atlas RAT and localized payroll/tax lures - likely LLM-accelerated malware

Proofpoint has detailed TA4922, a Chinese-speaking, financially motivated cybercrime group that has expanded from East Asia into Europe, deploying the previously undocumented Atlas backdoor against organizations in Germany, Italy, the UK, and South Africa. Since March its tempo has surged - Proofpoint says TA4922 now runs more unique campaigns than any other cybercrime actor in its data. Lures impersonate payroll notices, tax audits, VAT filings, compliance notices, invoices, and HR communications, with follow-up contact via WhatsApp, LINE, and Microsoft Teams. The group overlaps with activity reported as Silver Fox and Void Arachne. Proofpoint believes the rapidly expanding malware arsenal is being accelerated with LLMs, citing AI-generated code patterns and placeholder values.

Check
Hunt European endpoints for the Atlas backdoor and TA4922 custom loaders. Inspect email for payroll/tax/VAT/invoice lures and unsolicited WhatsApp, LINE, or Teams contact. Apply Proofpoint IoCs.
Affected
Organizations in Germany, Italy, the UK, and South Africa - TA4922's expanded European targets. Finance, HR, and tax-themed lures plus messaging-app outreach are the delivery vectors.
Fix
Apply Proofpoint IoCs and block Atlas RAT C2. Train finance and HR staff against tax/payroll/invoice lures and unsolicited messaging-app contact. Restrict execution of email-delivered loaders and scripts.

North Korean hackers built a fake Korean game platform to spread Android spyware targeting ethnic Koreans living in China

ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.

Check
If your organization works with Korean-language communities or journalists covering North Korea, check Android devices for unfamiliar Korean game apps installed since early 2026. Review app permissions for SMS, contacts, and microphone access.
Affected
Android users in ethnic Korean communities in China, North Korean defectors, journalists covering North Korea, human-rights organizations, and South Korean policy researchers. Diaspora communities are the primary target. Organizations supporting diaspora communities or refugee networks face downstream risk through their constituents.
Fix
On managed Android devices: enforce Google Play Protect, block sideloading of APKs from unknown sources, and require MDM approval for any Korean-language gaming app. For at-risk individuals: reset Android devices that may have installed the fake platform, and use only verified Google Play apps. Follow Citizen Lab guidance for journalists working on North Korea topics.

Italy extradites Chinese national accused of running spear-phishing operation against US Covid researchers - first such extradition from Europe to US

Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.

Check
If your research, healthcare, or legal organization worked on Covid-related materials, expect renewed targeting from China-linked groups now that one of their operators faces US prosecution.
Affected
Universities, research labs, hospitals, and law firms that worked on Covid-19 vaccine development, treatment research, public health policy, or related litigation between 2020 and 2024. Organizations named in the Xu Zewei indictment are at high risk for retaliation. More broadly: any organization holding biomedical research IP, particularly with Chinese researchers in their network.
Fix
Brief researchers and legal staff on the spear-phishing pattern: emails from people they actually know asking for documents or login help, with subtle indicators like off-pattern grammar or unusual sender domains. Add MFA to research-data and legal-discovery systems. Monitor outbound transfers of research datasets to unfamiliar destinations. Treat the extradition as a likely catalyst for retaliatory campaigns.

NASA OIG details how Chinese national Song Wu spear-phished aerospace software from NASA, Air Force, Navy, FAA, universities, and private firms over four years by impersonating colleagues

NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.

Check
Use the NASA OIG release as a case study in awareness training for engineering and research staff who handle export-controlled or proprietary technical artifacts.
Affected
Aerospace, defense, advanced manufacturing, and dual-use research organizations are the named target set, but the technique generalizes. Any organization whose staff regularly share technical artifacts with external collaborators based on personal trust is at risk. Universities and contractors holding ITAR or EAR-controlled materials face both security risk and legal liability for export-control violations.
Fix
Brief engineering staff on the Song Wu pattern: the lure is an email from someone you actually know asking for software you actually have. Require a non-email verification step (voice or video call) for any inbound request for source code or controlled software. Tighten outbound DLP around CAD, source code, and simulation file transfers, with managerial approval above a defined threshold.