Last updated: May 14, 2026 at 10:49 AM UTC

Tag: spear-phishing (4 articles)

Italy extradites Chinese national accused of running spear-phishing operation against US Covid researchers - first such extradition from Europe to US

Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.

Check
If your research, healthcare, or legal organization worked on Covid-related materials, expect renewed targeting from China-linked groups now that one of their operators faces US prosecution.
Affected
Universities, research labs, hospitals, and law firms that worked on Covid-19 vaccine development, treatment research, public health policy, or related litigation between 2020 and 2024. Organizations named in the Xu Zewei indictment are at high risk for retaliation. More broadly: any organization holding biomedical research IP, particularly with Chinese researchers in their network.
Fix
Brief researchers and legal staff on the spear-phishing pattern: emails that appear to come from people they know, asking for documents or login help, with subtle indicators such as off-pattern grammar or unusual sender domains. Add MFA to research-data and legal-discovery systems. Monitor outbound transfers of research datasets to unfamiliar destinations. Treat the extradition as a likely catalyst for retaliatory campaigns.

NASA OIG details how Chinese national Song Wu spear-phished aerospace software from NASA, Air Force, Navy, FAA, universities, and private firms over four years by impersonating colleagues

NASA's Office of Inspector General published a retrospective on April 24 detailing how Chinese national Song Wu, an engineer at a state-owned Chinese aerospace and defense conglomerate, ran a multi-year spear-phishing campaign from January 2017 to December 2021. Song impersonated real US engineers known to his targets and asked over email for copies of specific aerospace modeling software and source code that could design or modify weapons platforms. Targets included staff at NASA, US Air Force, Navy, Army, FAA, major universities, and private aerospace firms. Several victims, believing they were helping a friend, sent the requested software - inadvertently violating US export control laws.

Check
Use the NASA OIG release as a case study in awareness training for engineering and research staff who handle export-controlled or proprietary technical artifacts.
Affected
Aerospace, defense, advanced manufacturing, and dual-use research organizations are the named target set, but the technique generalizes. Any organization whose staff regularly share technical artifacts with external collaborators based on personal trust is at risk. Universities and contractors holding ITAR or EAR-controlled materials face both security risk and legal liability for export-control violations.
Fix
Brief engineering staff on the Song Wu pattern: the lure is an email that appears to come from someone you know, asking for software you actually have. Require a non-email verification step (voice or video call) for any inbound request for source code or controlled software. Tighten outbound DLP around CAD, source code, and simulation file transfers, with managerial approval above a defined threshold.

Chinese APT Mustang Panda's new LOTUSLITE variant hits Indian banks and South Korean policy circles via CHM lures

Acronis researchers have spotted a new variant of LOTUSLITE, a backdoor associated with the Chinese nation-state group Mustang Panda, now distributed via lures tied to India's banking sector and, in a parallel campaign, impersonating figures from South Korea's Korean-peninsula-policy community. The shift is notable: prior LOTUSLITE activity targeted U.S. government and policy entities with U.S.-Venezuela geopolitical decoys, but this wave pivots the targeting while keeping the delivery playbook intact. The infection chain starts with a Compiled HTML (CHM) file - a legacy Microsoft help-file format that can embed executables and scripts - containing a legitimate signed binary, a rogue DLL, and an HTML pop-up that asks the user to click 'Yes.' Clicking it silently fetches JavaScript malware from cosmosmusic[.]com, which extracts and runs the DLL side-loading chain (trusted EXE loads attacker-supplied DLL) using dnx.onecore.dll as the malicious payload. The backdoor talks HTTPS to editor.gleeze[.]com over dynamic DNS, with remote shell access, file operations, and session management - a classic espionage toolkit. The Indian campaign uses HDFC Bank-themed pop-ups masquerading as legitimate banking software; the South Korean campaign uses spoofed Gmail accounts and Google Drive staging to impersonate a prominent Korean peninsula policy figure. This is active, tailored, human-operated espionage, not a commodity campaign.

Check
Block CHM file delivery through email and web download gateways, hunt for any instance of dnx.onecore.dll on disk, and alert on DNS resolutions to cosmosmusic[.]com or editor.gleeze[.]com across your network.
Affected
Indian banking, financial services, and corporate employees handling HDFC Bank relationships (the target set includes anyone social-engineered with banking-software lures). South Korean policy, diplomatic, think-tank, and government staff working on Korean-peninsula affairs, North Korea policy, or Indo-Pacific security dialogues. Any organization where users can still open CHM files by default - Windows does not block them.
Fix
Add a mail-transport-agent rule blocking .chm attachments outright. Block CHM execution on endpoints via AppLocker or WDAC application-control policies. Enforce DNS filtering with sinkholes for cosmosmusic[.]com and editor.gleeze[.]com and monitor for similar dynamic-DNS patterns resolving from workstations that never used them before. Run EDR hunts for hh.exe (the CHM viewer) spawning script interpreters or unusual DLL loads, and specifically for dnx.onecore.dll. Provide targeted phishing-awareness training to India-based banking staff and any employees on Korean-peninsula policy briefs, including the specific lure patterns (HDFC Bank pop-ups, spoofed Gmail from named policy figures).
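The three hunts above (DNS resolutions to the two C2 domains, hh.exe spawning a script interpreter, and any load of dnx.onecore.dll) can be expressed as a small triage script. The following is an added example for this listing, not code from Acronis or from the original article: it parses a constructed key=value telemetry format (assumed, not any real EDR's export), matches the indicators quoted above (defanged on the page, refanged here for comparison), and reports which hosts need follow-up. The list of script interpreters is an assumption that covers the common Windows ones.

```python
import re
from dataclasses import dataclass

# Indicators from the reporting summarized above (refanged for matching).
IOC_DOMAINS = {"cosmosmusic.com", "editor.gleeze.com"}
IOC_DLL = "dnx.onecore.dll"
# Assumed set of interpreters worth flagging when hh.exe is the parent.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe",
                       "mshta.exe", "cmd.exe", "rundll32.exe"}

# Constructed sample telemetry (not real captures): "<kind> key=value ...".
SAMPLE_LOGS = r"""
dns host=WS-017 query=cosmosmusic.com answer=203.0.113.10
dns host=WS-017 query=update.microsoft.com answer=203.0.113.20
dns host=WS-042 query=editor.gleeze.com answer=198.51.100.7
proc host=WS-017 parent=hh.exe image=wscript.exe cmd="wscript.exe C:\Users\u\AppData\Local\Temp\x.js"
proc host=WS-017 parent=explorer.exe image=hh.exe cmd="hh.exe C:\Users\u\Downloads\HDFC_Update.chm"
proc host=WS-042 parent=outlook.exe image=winword.exe cmd="winword.exe report.docx"
image host=WS-017 process=updater.exe module=C:\Users\u\AppData\Local\Temp\dnx.onecore.dll
image host=WS-042 process=chrome.exe module=C:\Windows\System32\ntdll.dll
"""


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one telemetry line into a dict; the leading token is the event kind."""
    line = line.strip()
    if not line:
        return None
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["kind"] = kind
    return fields


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _matches_ioc_domain(name):
    """True for the C2 domains themselves or any subdomain of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def hunt(log_text):
    """Run the three hunts over the log text and return a list of Findings."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        host = ev.get("host", "?")
        if ev["kind"] == "dns" and _matches_ioc_domain(ev.get("query", "")):
            findings.append(Finding(host, "c2-dns", ev["query"]))
        elif (ev["kind"] == "proc"
              and _basename(ev.get("parent", "")) == "hh.exe"
              and _basename(ev.get("image", "")) in SCRIPT_INTERPRETERS):
            findings.append(Finding(host, "hh-spawns-interpreter", ev.get("cmd", ev["image"])))
        elif ev["kind"] == "image" and _basename(ev.get("module", "")) == IOC_DLL:
            findings.append(Finding(host, "sideloaded-dll", ev["module"]))
    return findings


def affected_hosts(findings):
    """Distinct hosts with at least one finding, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f"{f.host}\t{f.rule}\t{f.detail}")
    print("hosts to triage:", ", ".join(affected_hosts(results)))
```

The domain check deliberately accepts subdomains of the indicators but rejects look-alikes such as cosmosmusic.com.example, and the hh.exe rule keys on the parent process rather than the command line, so a renamed or obfuscated script path does not evade it.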

Russian APT TA446 weaponizes leaked DarkSword exploit kit to target iPhones via spear-phishing

The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.

Check
Ensure all company iPhones and iPads are updated, and alert staff about spoofed discussion invitation emails.
Affected
iPhones running iOS 18.4 through 18.7.1. TA446 targets government, think tank, higher education, financial, and legal organizations.
Fix
Update to iOS 18.7.2 or later. Block the domains escofiringbijou[.]com, motorbeylimited[.]com, and bridetvstreaming[.]org. Enable Lockdown Mode on high-risk devices.