Last updated: July 5, 2026 at 9:01 AM UTC
Tag: china-apt (13 articles)

Chinese APT UNC5221 keeps 18-month Microsoft 365 access with Brickstorm backdoor

Volexity has detailed Chinese espionage group UNC5221 (also VerdantBamboo) maintaining access to a victim's Microsoft 365 environment using the Brickstorm backdoor plus previously undocumented malware named Plenet and AgentPSD. The actor sat on the network at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm was first written in Go and later rewritten in Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm proxying and stolen credentials to reach Microsoft 365 - deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the org after remediation.

Check
Hunt for Brickstorm, Plenet, and AgentPSD indicators across edge devices and M365. Review Conditional Access logs for VPN-proxied logins blending with legitimate traffic. Audit MSP access paths into your environment.
Affected
Organizations (and their MSPs) running internet-facing edge devices and Egnyte/SSL-VPN infrastructure. UNC5221 maintains multi-year persistence via Brickstorm proxying and stolen credentials to reach Microsoft 365 undetected.
Fix
Apply Volexity IoCs. Harden Conditional Access against proxied logins, rotate credentials, and scrutinize MSP connections. Assume long dwell time - hunt historically and re-verify after remediation, since the group re-breached.

China-linked OP-512 hits Microsoft IIS servers with stealthy custom web shells

ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.

Check
Hunt IIS servers for unfamiliar web shells, cryptographically gated access, and timestomped files whose timestamps match the median of surrounding files. Apply ReliaQuest IoCs. Review IIS request logs for anomalous POSTs.
Affected
Internet-facing Microsoft IIS web servers, particularly at organizations aligned with China-linked intelligence priorities. OP-512's uniquely generated, crypto-gated web shells evade signature detection and timestomp to hide.
Fix
Patch and harden IIS, restrict write access to web roots, and deploy file-integrity monitoring that flags timestomping. Hunt for the three-shell framework and centralized callback traffic per ReliaQuest.
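The median-matching behaviour described above gives defenders a hunt signal: a stomped shell is a file whose mtime sits almost exactly on the median of its siblings. The following is an added example (not ReliaQuest tooling) that flags such files in one directory; the web-root paths and timestamps used to exercise it are constructed.

```python
"""Hunt one directory for files whose mtime matches the median of their siblings.

OP-512's web shells read neighbouring files' last-modified times, take the
median and write it onto themselves, so the stomped file lands on the median
of the others. This is an added example, not ReliaQuest code.
"""
import os
import statistics
import sys
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class FileTimes:
    path: str
    mtime: float  # last-modified time, seconds since the epoch


def collect(directory: str) -> list[FileTimes]:
    """Gather mtimes of the regular files directly inside `directory`."""
    with os.scandir(directory) as it:
        return [FileTimes(e.path, e.stat(follow_symlinks=False).st_mtime)
                for e in it if e.is_file(follow_symlinks=False)]


def median_matched(files: Iterable[FileTimes], tolerance: float = 1.0,
                   min_siblings: int = 4) -> list[tuple[str, float]]:
    """Return (path, sibling_median) for files whose mtime lies within
    `tolerance` seconds of the median mtime of the *other* files.

    Two guards cut the obvious false positives: tiny directories, where a
    median of one or two files means nothing, and bulk deployments, where
    most siblings legitimately share one mtime and would all match it.
    """
    files = list(files)
    hits = []
    for f in files:
        others = [o.mtime for o in files if o is not f]
        if len(others) < min_siblings:
            continue
        med = statistics.median(others)
        if abs(f.mtime - med) > tolerance:
            continue
        shared = sum(1 for m in others if abs(m - f.mtime) <= tolerance)
        if 2 * shared > len(others):  # majority share it: bulk copy, not a stomp
            continue
        hits.append((f.path, med))
    return hits


if __name__ == "__main__":
    # Run once per IIS web root or virtual directory being hunted.
    for path, med in median_matched(collect(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{path}: mtime matches sibling median {med:.0f}")
```

A hit is a triage lead, not a verdict: corroborate against deployment records and, on NTFS, against the $FILE_NAME timestamps that user-mode timestomping does not touch.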

Operation Dragon Weave: China-aligned spear-phishing hits Czech and Taiwan officials with Rust RUSTCLOAK loader and Azure-hosted AdaptixC2

Seqrite Labs has documented Operation Dragon Weave, a China-aligned cyber-espionage campaign targeting government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan. Spear-phishing emails carry ZIP attachments that trigger one of two infection chains: a malicious LNK file masquerading as a PDF that runs PowerShell, or a self-contained Rust dropper launched directly. Both extract RuntimeBroker_update.exe, which DLL-sideloads a malicious UnityPlayer.dll to deploy a Rust loader called RUSTCLOAK. RUSTCLOAK decrypts and runs the final payload, an AdaptixC2 agent codenamed AZUREVEIL that uses Microsoft Azure Blob Storage for command-and-control. The use of legitimate cloud services for C2 and Rust tooling complicates detection.

Check
Hunt for LNK files masquerading as PDFs, RuntimeBroker_update.exe, and DLL side-loading of UnityPlayer.dll. Search egress for AdaptixC2 traffic to Azure Blob Storage endpoints. Apply Seqrite IoCs.
Affected
Government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan - Dragon Weave's named targets. Spear-phishing with ZIP attachments is the delivery vector.
Fix
Block ZIP-with-LNK email attachments at the gateway. Restrict PowerShell for standard users. Hunt for RUSTCLOAK and AZUREVEIL indicators. Monitor anomalous outbound Azure Blob Storage connections.

Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT

Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.

Check
Hunt telco environments for processes named kworker or fltMC.exe with anomalous DLL loads (FLTLIB.dll). Inspect outbound connections for SOCKS5 proxy traffic to unexpected destinations. Check Pastebin requests.
Affected
Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and certificate-generation patterns across distinct victim sets.
Fix
Block dead-drop dependencies by restricting Pastebin and similar code-paste domains at egress. Hunt for fltMC.exe sideloaded with non-Microsoft FLTLIB.dll. Apply Lumen Black Lotus Labs and PwC IoCs.

Webworm Chinese APT adds EchoCreep (Discord C2) and GraphWorm (MS Graph API C2) backdoors, targets European governments

ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, Spain, and a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.

Check
Search outbound traffic and EDR logs for connections to Discord webhook and CDN domains and Microsoft Graph API endpoints from unexpected hosts. Look for SoftEther VPN binaries on European-government endpoints.
Affected
Government organizations in Belgium, Italy, Serbia, Poland, Spain, and a South African university - Webworm's known targets. The Graph and Discord C2 patterns also apply to other Chinese APTs.
Fix
Block Webworm GitHub staging repos and ESET-published IoCs. Restrict outbound Discord and Graph API usage where not a legitimate business need. Hunt for dirsearch and nuclei scan signatures.

China-linked FamousSparrow spent three months breaking back into an Azerbaijani oil and gas company through the same Microsoft Exchange flaw - first known China APT hit on South Caucasus energy

Bitdefender researchers documented a China-linked espionage group called FamousSparrow repeatedly compromising an Azerbaijani oil and gas company between late December 2025 and late February 2026. Each time the victim cleaned up, the attackers came back through the same unpatched Microsoft Exchange Server and dropped a new backdoor - first Deed RAT (a ShadowPad relative used by several Chinese groups), then TernDoor. The group overlaps with the Earth Estries cluster, which itself overlaps with Salt Typhoon. This is the first time FamousSparrow has been seen targeting South Caucasus energy infrastructure, a region whose role in supplying gas to Europe grew sharply after Russia's Ukraine transit deal expired.

Check
Audit Microsoft Exchange Server patch status across the estate, hunt for DLL sideloading patterns where signed executables load suspicious libraries, and search proxy and DNS logs for connections to sentinelonepro[.]com.
Affected
Internet-exposed Microsoft Exchange Server instances. Energy sector organizations operating in or partnering with Azerbaijan, Armenia, and Georgia, plus their European downstream gas customers.
Fix
Patch Exchange to the current security update and confirm ProxyNotShell-class fixes are applied. Rotate credentials exposed during prior intrusions, hunt for Deed RAT and TernDoor IoCs from Bitdefender's report, and block sentinelonepro[.]com.

China-linked group is sending 1,600 fake tax-audit emails to Indian and Russian companies, then dropping a brand-new backdoor called ABCDoor

Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.

Check
Search proxy and DNS logs for connections to abc.haijing88.com since December 2025. Hunt endpoints for pythonw.exe processes initiating outbound HTTPS to unfamiliar destinations.
Affected
Organizations in India, Russia, Indonesia, Japan, and South Africa, particularly in industrial, consulting, retail, and transportation sectors. Finance and accounting staff who routinely receive tax correspondence are the highest-risk role. Multinationals with operations in any of these regions face the same risk through local subsidiaries.
Fix
Block abc.haijing88.com and related Silver Fox infrastructure at the DNS resolver. Train finance staff that genuine tax correspondence does not arrive as a ZIP or RAR archive of 'violations' to download. Quarantine any host running pythonw.exe with unexpected outbound HTTPS, and remove FFmpeg installations not authorized by IT. Rotate credentials on suspected compromised hosts and reimage.

China-linked spies breached the IBM subsidiary that runs IT for Italian government agencies and critical industries

La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.

Check
If your organization uses managed IT services for critical infrastructure (utilities, transport, healthcare, government), audit your provider's separation between corporate IT and customer environments this week.
Affected
Italian government agencies and key industries using Sistemi Informativi for IT infrastructure. More broadly: any organization where a single integrator holds access to multiple government databases - the breach pattern lets Salt Typhoon map critical infrastructure across many victims through one compromise. European telecoms and managed service providers are at acute risk.
Fix
Demand from any managed IT provider written attestation that customer environments are network-segregated from their corporate IT. Hunt for Salt Typhoon indicators: unauthorized configuration changes on edge devices, traffic to known Demodex C2 infrastructure, and anomalous data flows to Asian hosting providers. Treat the Italian breach as a reason to escalate vendor security reviews this quarter.

China-linked spy group has been quietly breaking into government Exchange servers across Asia and one NATO country since 2024

Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia plus one NATO European country since at least December 2024. The group breaks in by exploiting unpatched Microsoft Exchange and IIS servers (using known flaws like ProxyLogon), drops a Godzilla web shell for persistent access, then uses DLL sideloading to load ShadowPad - a long-running Chinese implant. The targeting overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.

Check
If you run Microsoft Exchange or IIS, confirm every server is patched against ProxyLogon and recent Exchange CVEs - the entry point is unpatched 2-3-year-old flaws, not zero-days.
Affected
Government and defense organizations in South, East, and Southeast Asia and the NATO European country are the named targets. Any organization running internet-facing Microsoft Exchange or IIS that has fallen behind on patching is at risk. Diaspora communities and journalists working on China-related stories are at acute risk - the campaign extends transnational repression alongside conventional espionage.
Fix
Patch Microsoft Exchange and IIS to current versions and confirm with active scanning. Hunt for Godzilla web shell artifacts: unusual .aspx files in Exchange's web directories, suspicious POSTs with encrypted payloads, and outbound HTTPS to unfamiliar domains from Exchange/IIS processes. For journalists and activists working on China topics, follow Citizen Lab guidance: hardware MFA, encrypted communications, skepticism of unsolicited story tips.

Tropic Trooper ditches Cobalt Strike for AdaptixC2 - new campaign against Taiwan, South Korea, and Japan uses trojanized SumatraPDF, GitHub C2, and VS Code tunnels for remote access

Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (APT23, Earth Centaur, KeyBoy, Pirate Panda), the China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan plus targets in South Korea and Japan with AUKUS-themed lures. Two notable changes: a custom AdaptixC2 Beacon listener instead of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and drops AdaptixC2 in memory. For high-value victims, operators push VS Code and configure a tunnel ('code tunnel user login --provider github') for full remote access.

Check
Hunt your fleet for unexpected VS Code tunnel sessions from non-developer endpoints and block 'code tunnel user login' outside approved developer accounts.
Affected
Organizations with operations or staff in Taiwan, South Korea, or Japan working on Indo-Pacific security, defense policy, or AUKUS-adjacent topics. Any environment where VS Code is broadly installed (including non-developer roles) is exposed to the tunnel pivot. The trojanized SumatraPDF binary keeps the original signature structure intact in some samples.
Fix
Block .exe masquerading as documents at email and web gateways. Alert on encrypted POSTs to GitHub Issues from non-developer endpoints. Detect the VS Code tunnel pivot by alerting on 'code tunnel user login' from any account without a documented dev workflow. Audit corporate GitHub OAuth grants. Consider removing VS Code from non-developer endpoints entirely.