ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.
Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.
Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.
Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.
Lumen's Black Lotus Labs warns that JDY, a covert botnet tied to Chinese state-linked groups including Volt Typhoon, has more than doubled to over 1,500 hacked home and small-office routers, firewalls, and IoT devices. Unlike a DDoS botnet, JDY is a distributed scanning network: it fingerprints exposed services across the internet and flags systems vulnerable to newly disclosed bugs, often within hours of disclosure. It keeps a heavy focus on the US, especially military and associated networks, and survived the 2024 FBI takedown of its parent KV-botnet. Because traffic comes from thousands of ordinary residential IPs, simple IP blocking does not stop it.
The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.
Proofpoint has detailed TA4922, a Chinese-speaking financially-motivated cybercrime group that has expanded from East Asia into Europe, deploying the previously undocumented Atlas backdoor against organizations in Germany, Italy, the UK, and South Africa. Since March its tempo has surged - Proofpoint says TA4922 now runs more unique campaigns than any other cybercrime actor in its data. Lures impersonate payroll notices, tax audits, VAT filings, compliance notices, invoices, and HR communications, with follow-up contact via WhatsApp, LINE, and Microsoft Teams. The group overlaps with activity reported as Silver Fox and Void Arachne. Proofpoint believes the rapidly expanding malware arsenal is being accelerated with LLMs, citing AI-generated code patterns and placeholder values.
ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.
Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.
NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.