Search results for The Web: Panda | Breaking Cybersecurity News | The Hacker News

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name  Vanguard Panda . "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company  said . Volt Typhoon, as known as Bronze Silhouette, is a  cyber espionage group  from China that's been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations. "This adversary has been known to leverage credentials and living-off-the-land techniques to remain hidden and move quickly through targeted environments...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. "BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments," the agency said . "BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command-and-control." Written in Golang, the custom implant essentially gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-o...

The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024, the Black Lotus Labs team at Lumen Technologies said in a technical report shared with The Hacker News. The campaign is believed to be ongoing against unpatched Versa Director systems. The security flaw in question is CVE-2024-39717 (CVSS score: 6.6), a file upload bug affecting Versa Director that was added to the Known Exploited Vulnerabilities (KEV) catalog last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Ce...

Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks. "The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances," CrowdStrike said in a Thursday report. Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America. Earlier this March, Microsoft detailed the threat actor's shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks....

A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India. The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda , which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It's assessed to be active since at least 2012. "The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests." This is not the first time Evasive Panda's DNS pois...

A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant , describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed. "Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage," Sygnia said . "The group behind this intrusion [...] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information." Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, told The Hacker News that Weaver Ant exploited a misconfiguration in a public-facing application to obtain an initial foothold into the target environment. The attack chain is said to h...

An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time. "While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi, and infrastructure," Palo Alto Networks Unit 42 researchers Lior Rochberger, Tom Fakterman, and Robert Falcone  said  in an exhaustive three-part report. The attacks, which targeted different governmental entities such as critical infrastructure, public healthcare institutions, public financial administrators and ministries, have been attributed with moderate confidence to three disparate clusters tracked as  Stately Taurus  (aka Mustang Panda),  Alloy Taurus  (aka Granite Typhoon), and  Gelsemium . Mustang Panda Uses TONESHELL Variant and ShadowPad "The attackers conducted a cyberespiona...

A government entity and a religious organization in Taiwan were the target of a China-linked threat actor known as Evasive Panda that infected them with a previously undocumented post-compromise toolset codenamed CloudScout. "The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies," ESET security researcher Anh Ho said . "Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework." The use of the .NET-based malware tool, per the Slovak cybersecurity company, was detected between May 2022 and February 2023. It incorporates 10 different modules, written in C#, out of which three are meant for stealing data from Google Drive, Gmail, and Outlook. The purpose of the remaining modules remains unknown. Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has a track record of striking various entitie...

The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware. This includes updated versions of a known backdoor called TONESHELL , as well as a new lateral movement tool dubbed StarProxy, two keyloggers codenamed PAKLOG, CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver referred to as SplatCloak . "TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers," Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis . Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a China-aligned state-sponsored threat ...

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn't the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats. AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge. Let's dive into the threats making noise behind the scenes. ⚡ Threat of the Week Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise...

It's easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn't just patching fast, but watching smarter and staying alert for what you don't expect. Here's a quick look at this week's top threats, new tactics, and security stories shaping the landscape. ⚡ Threat of the Week F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevat...

The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.  The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as targeting various high-profile organizations in Southeast Asia since at least Oct...

A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name  Flax Typhoon , which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company  said . It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si...

The China-linked threat actor known as  Evasive Panda  orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023. The end goal of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor. The findings come from ESET, which said the attackers compromised at least three websites to carry out watering-hole attacks as well as a supply-chain compromise of a Tibetan software company. The operation was discovered in January 2024. Evasive Panda, active since 2012 and also known as Bronze Highland and Daggerfly, was  previously disclosed  by the Slovak cybersecurity firm in April 2023 as having targeted an international non-governmental organization (NGO) in Mainland China with MgBot. Another report from Broadcom-owned Symantec around the same time  implicated  the adversary to a cyber espi...

A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. "This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda , which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon. The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the...

What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed. This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground. ⚡ Threat of the Week Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. ...

Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell , which allows unauthenticated remote code execution . It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According to a new report shared by Amazon Web Services (AWS), two China-linked threat actors known as Earth Lamia and Jackpot Panda have been observed attempting to exploit the maximum-severity security flaw. "Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors," CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News. Specifically, the tech giant said it identified infrastructure associated wit...