ESET has found two previously unknown Windows versions of SprySOCKS, a backdoor until now seen only on Linux, attributed to the China-aligned espionage group FishMonger (also called Earth Lusca and linked to the i-Soon contractor). One variant loads two encrypted kernel drivers that hide the malware's processes, files, registry keys, and network connections, and divert command traffic through a random TCP port so the real listening port never shows. It keeps the Linux version's 30-plus commands and hardcoded command-and-control setup. ESET tied the activity to attacks in 2023 and 2024, mostly against government bodies in Honduras, Taiwan, Thailand, and Pakistan, with the group historically gaining entry through unpatched public-facing servers.
Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers got in by planting a backdoor on victims' REDCap research-data servers to steal login credentials. The clever part was exfiltration: instead of using malware to ship data out, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, blending in with normal email behavior. The campaign focused on stealing sensitive research and defense-related communications, and went undetected for an unusually long time.
Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.
Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.
The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.
ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.
Researchers have detailed a cyber-espionage campaign in which attackers maintained access to a global stock exchange executive's Microsoft Outlook mailbox for roughly five months. The intrusion relied on a malicious OAuth application and inbox-rule persistence to quietly read and forward mail while evading detection. By abusing OAuth consent rather than stealing a password, the attackers retained access that survived password changes and looked like routine application traffic in logs. The five-month dwell time on a single high-value executive points to a patient, intelligence-driven operation rather than opportunistic crime. The case reinforces the now-recurring pattern of OAuth-app abuse and malicious inbox rules as the core of stealthy Microsoft 365 mailbox compromise.
Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor uses DLL sideloading by abusing two trusted binaries - sentinelmemoryscanner.exe sideloads sentinelagentcore.dll - to deploy the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.
Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.
ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, Spain, and a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.