Last updated: July 5, 2026 at 9:01 AM UTC
Tag: espionage (12 articles)

China-linked SprySOCKS backdoor jumps to Windows with kernel-level stealth

ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.

Check
On Windows servers, watch for unexpected kernel drivers and scheduled tasks tied to DLL side-loading, and patch internet-facing Fortinet, Exchange, GitLab, Telerik, and Zimbra systems this group abuses.
Affected
Windows environments at espionage-relevant targets, particularly government organizations; the group gains initial access through unpatched public-facing servers, then uses kernel drivers to stay hidden from defenders' tools.
Fix
Patch and harden internet-facing services, enable driver-signing enforcement and kernel-level monitoring, hunt for the known driver and loader components, and isolate and rebuild any host showing signs of kernel-level tampering.

China-linked group hid in research networks, stealing email via Workspace rules

Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.

Check
Audit Google Workspace mail forwarding and filter rules for unauthorized auto-forwarding to external addresses, and review REDCap and other research servers for unexpected accounts, credential theft, or backdoor activity.
Affected
Medical, academic, and defense research organizations running REDCap servers and Google Workspace; long-dwell, low-noise espionage groups target their sensitive research and defense communications.
Fix
Remove malicious mail rules, reset exposed credentials, and enforce phishing-resistant MFA. Patch and monitor REDCap servers, restrict who can create auto-forwarding rules, and alert on new external forwarding.

China-linked Velvet Ant hid in Linux login software for nearly a decade

Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.

Check
Integrity-check PAM modules (pam_unix.so) and OpenSSH binaries on Linux hosts against known-good hashes from your distribution, and watch for logins succeeding with unexpected or hardcoded credentials.
Affected
Linux environments, especially internal servers and appliances without endpoint detection, where attackers with prior access can replace authentication binaries; high-value, long-dwell espionage targets are most at risk.
Fix
Reinstall PAM and OpenSSH from trusted distribution packages, rotate all credentials that may have been harvested, deploy file-integrity monitoring on authentication binaries, and extend detection to appliances lacking EDR.

Russia-aligned groups exploit old WinRAR flaw to hit Ukrainian targets

Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.

Check
Check the WinRAR version on Windows endpoints, and review email gateways and endpoint logs for inbound RAR archives and new shortcuts written to Startup folders via alternate data streams.
Affected
Windows systems with WinRAR versions before the CVE-2025-8088 fix, particularly organizations receiving RAR email attachments; Ukrainian government and military entities are the current targets.
Fix
Update WinRAR to the latest version that fixes CVE-2025-8088, block or sandbox inbound RAR attachments at the email gateway, and alert staff to unexpected archive lures.

Five Eyes warns China is recruiting officials via fake job offers

The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.

Check
Brief staff in sensitive government, defense, and research roles to scrutinize unsolicited recruiter and consulting approaches, and check whether anyone has shared non-public information during one.
Affected
Current and former Five Eyes government, military, defense-contractor, policy, research, and journalist personnel with access to classified or privileged information, especially those linked to the Indo-Pacific.
Fix
Verify recruiters and employers through official channels before engaging, never discuss sensitive work in interviews, and report suspected approaches to your security team or national agency.

China-linked OP-512 hits Microsoft IIS servers with stealthy custom web shells

ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.

Check
Hunt IIS servers for unfamiliar web shells, cryptographically gated access, and timestomped files whose timestamps match the median of surrounding files. Apply ReliaQuest IoCs. Review IIS request logs for anomalous POSTs.
Affected
Internet-facing Microsoft IIS web servers, particularly at organizations aligned with China-linked intelligence priorities. OP-512's uniquely generated, crypto-gated web shells evade signature detection and timestomp to hide.
Fix
Patch and harden IIS, restrict write access to web roots, and deploy file-integrity monitoring that flags timestomping. Hunt for the three-shell framework and centralized callback traffic per ReliaQuest.

Hackers spied on a stock exchange executive's Outlook mailbox for five months via malicious OAuth app and inbox-rule persistence

Researchers have detailed a cyber-espionage campaign in which attackers maintained access to a global stock exchange executive's Microsoft Outlook mailbox for roughly five months. The intrusion relied on a malicious OAuth application and inbox-rule persistence to quietly read and forward mail while evading detection. By abusing OAuth consent rather than stealing a password, the attackers retained access that survived password changes and looked like routine application traffic in logs. The five-month dwell time on a single high-value executive points to a patient, intelligence-driven operation rather than opportunistic crime. The case reinforces the now-recurring pattern of OAuth-app abuse and malicious inbox rules as the core of stealthy Microsoft 365 mailbox compromise.

Check
Audit Microsoft 365 for unfamiliar OAuth app consents and mailbox inbox rules, especially on executive accounts. Review consent-grant and rule-creation logs for the past six months.
Affected
High-value Microsoft 365 mailboxes, particularly executives. OAuth-consent abuse plus malicious inbox rules grants persistent, password-change-surviving access that blends into normal application traffic.
Fix
Restrict third-party OAuth app consent to admin approval. Alert on new mailbox-forwarding rules. Enforce phishing-resistant MFA and periodically review granted OAuth applications on sensitive accounts.

MuddyWater (Seedworm) 'Operation Olalampo' espionage hits 9 countries with DLL sideloading via sentinelmemoryscanner.exe and ChromElevator browser theft

Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor uses DLL sideloading, abusing two trusted binaries (sentinelmemoryscanner.exe sideloads sentinelagentcore.dll), to deploy the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.

Check
Hunt Windows endpoints for sentinelmemoryscanner.exe with a sideloaded sentinelagentcore.dll. Check outbound traffic to 157.20.182[.]49 and sendit[.]sh. Watch for Node.js execution on non-developer hosts.
Affected
Organizations in MuddyWater's typical target sectors (telecom, government, defense, energy) across nine countries. Symantec/Carbon Black/Huntress confirm at least one South Korean electronics manufacturer hit.
Fix
Block 157.20.182[.]49 and sendit[.]sh at egress. Apply Huntress and Symantec IoCs. Hunt for ChromElevator browser-credential theft. Restrict Node.js execution on non-developer endpoints.

Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT

Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.

Check
Hunt telco environments for processes named kworker or fltMC.exe with anomalous DLL loads (FLTLIB.dll). Inspect outbound traffic for SOCKS5 connections to unexpected destinations. Check for Pastebin requests.
Affected
Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and certificate-generation patterns across distinct victim sets.
Fix
Block dead-drop dependencies by restricting Pastebin and similar code-paste domains at egress. Hunt for fltMC.exe sideloaded with non-Microsoft FLTLIB.dll. Apply Lumen Black Lotus Labs and PwC IoCs.

Webworm Chinese APT adds EchoCreep (Discord C2) and GraphWorm (MS Graph API C2) backdoors, targets European governments

ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, and Spain, as well as a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.

Check
Search outbound traffic and EDR logs for connections to Discord webhook and CDN domains and Microsoft Graph API endpoints from unexpected hosts. Look for SoftEther VPN binaries on European-government endpoints.
Affected
Government organizations in Belgium, Italy, Serbia, Poland, and Spain, plus a South African university - Webworm's known targets to date. The Graph and Discord C2 patterns also apply to other Chinese APTs.
Fix
Block Webworm GitHub staging repos and ESET-published IoCs. Restrict outbound Discord and Graph API usage where not a legitimate business need. Hunt for dirsearch and nuclei scan signatures.