Chinese Hackers | Breaking Cybersecurity News | The Hacker News

Threat hunters have exposed the tactics of a China-aligned threat actor called UnsolicitedBooker that targeted an unnamed international organization in Saudi Arabia with a previously undocumented backdoor dubbed MarsSnake. ESET, which first discovered the hacking group's intrusions targeting the entity in March 2023 and again a year later, said the activity leverages spear-phishing emails using flight tickets as lures to infiltrate targets of interest. "UnsolicitedBooker sends spear-phishing emails, generally with a flight ticket as the decoy, and its targets include governmental organizations in Asia, Africa, and the Middle East," the company said in its latest APT Activity Report for the period ranging from October 2024 to March 2025. Attacks mounted by the threat actor are characterized by the use of backdoors like Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are widely used by Chinese hacking crews. UnsolicitedBooker is assessed to share overlaps with a clu...

At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver tracked as CVE-2025-31324 , indicating that multiple threat actors are taking advantage of the bug. Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460. BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group. "We identified a server at 184[.]174[.]96[.]74 hosting reverse proxy services initiated by the rs64.exe executable," the company said. "This server is related to another IP, 184[.]174[.]96[.]70, operated by the same hosting provider. The second IP had previously been flagged as a command-and-control (C2) server associat...

A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324 , an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company h...

A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint. The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil an...

The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan. The activity, detected by Trend Micro in March 2025, involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL. "The ANEL file from the 2025 campaign discussed in this blog implemented a new command to support an execution of BOF (Beacon Object File) in memory," security researcher Hara Hiroaki said . "This campaign also potentially leveraged SharpHide to launch the second stage backdoor NOOPDOOR." The China-aligned threat actor, also known as Earth Kasha, is assessed to be a sub-cluster within APT10. In March 2025, ESET shed light on a campaign referred to as Operation AkaiRyū that targeted a diplomatic organization in the European Union in August 2024 with ANEL (aka UPPERCUT). The targeting of v...

A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The starting point of the attack is a deceptive email that poses as an order request to deliver a malicious 7-zip archive attachment, which contains a JavaScript encoded (.JSE) file. The phishing email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Launching the JavaScript payload triggers the infection sequence, with the file acting as a downloader for a PowerShell script from an external server. The script, in turn, houses a Base64-encoded payload that's subsequently deciphered, written to the Wi...

The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware. This includes updated versions of a known backdoor called TONESHELL , as well as a new lateral movement tool dubbed StarProxy, two keyloggers codenamed PAKLOG, CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver referred to as SplatCloak . "TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers," Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis . Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a China-aligned state-sponsored threat ...

The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult," Sysdig researcher Alessandra Rizzo said in a report shared with The Hacker News. "This seems to hold especially true for this particular threat actor , who has been under the radar for the last year since being affiliated with the Chinese government." UNC5174, also referred to as Uteus (or Uetus), was previously documented by Google-owned Mandiant as exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver a C-base...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad. The activity, observed in July 2024, marks the first time the hacking crew has deployed ShadowPad , a malware widely shared by Chinese state-sponsored actors. "FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular," ESET said in a report shared with The Hacker News. "Both versions constitute considerable progress over previous ones and implement parallelization of commands." FamousSparrow was first documented by the Slovak cybersecurity company in September 2021 in connection with a series of cyber attacks aimed at hotels, governments, engineering companies, and law firms with SparrowDoor, an implant exclusively used by the group. Since then, there have been reports of the adversarial...

The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET. "Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors," security researcher Matthieu Faou said in an analysis. Aquatic Panda , also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that's known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger. Sai...

Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor known as ANEL. The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to Word Expo , which is scheduled to kick off in Osaka, Japan, next month. The activity has been codenamed Operation AkaiRyū (Japanese for RedDragon). Active since at least 2019, MirrorFace is also referred to as Earth Kasha. It's assessed to be a subgroup within the APT10 umbrella. While known for its exclusive targeting of Japanese entities, the threat actor's attack on a European organization marks a departure from its typical victimology footprint. That's not all. The intrusion is also notable for deploying a heavily customized variant of AsyncRAT and ANEL (aka UPPERCUT), a backdoor previously linked to APT10. The use ...

The U.S. Department of Justice (DoJ) has announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally. The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as i-Soon , and members of Advanced Persistent Threat 27 ( APT27 , aka Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger) - Wu Haibo (吴海波), Chief Executive Officer Chen Cheng (陈诚), Chief Operating Officer Wang Zhe (王哲), Sales Director Liang Guodong (梁国栋), Technical Staff Ma Li (马丽), Technical Staff Wang Yan (王堰), Technical Staff Xu Liang (徐梁), Technical Staff Zhou Weiwei (周伟伟), Technical Staff Wang Liyu (王立宇), MPS Officer Sheng Jing (盛晶), MPS Officer Yin Kecheng (尹可成), APT27 actor aka "YKC" Zhou Sh...

The new Trump administration has terminated all memberships of advisory committees that report to the Department of Homeland Security (DHS).  "In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately," Acting Secretary Benjamine C. Huffman said in a January 20, 2025, memo. "Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." This includes members of the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB), which last year issued a scathing report excoriating Microsoft for a "cascade" of avoidable errors that led to its infrastructure being abused by a China-based nation-st...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday said there are no indications that the cyber attack targeting the Treasury Department impacted other federal agencies. The agency said it's working closely with the Treasury Department and BeyondTrust to get a better understanding of the breach and mitigate its impacts. "The security of federal systems and the data they protect is of critical importance to our national security," CISA said . "We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate." The latest statement comes a week after the Treasury Department said it was the victim of a "major cybersecurity incident" that allowed Chinese state-sponsored threat actors to remotely access some computers and unclassified documents. The cyber attack, which came to light in early December 2024, involved a breach of BeyondTrust's systems that allowed the adversary to in...