Tag: chinese threat actor

8 Attack Reports | 0 Vulnerabilities

Attack reports

Silver Fox Targeting India Using Tax Themed Phishing Lures

A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection p…
apt
phishing
india
c2 communication
multi-stage attack
dll hijacking
chinese threat actor
2025-12-24
tax-themed
valley rat
Published: December 24, 2025
Downloadable IOCs: 8

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

A Chinese-nexus advanced persistent threat actor, UAT-9686, is actively targeting Cisco AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager. The campaign, ongoing since late November 2025, exploits non-standard configurations to execute system-level commands and deploy a pers…
backdoor
apt
chinese threat actor
email security
2025-12-17
aquapurge
aquashell
aquatunnel
cisco asyncos
log purging
reverse tunneling
Published: December 17, 2025
Downloadable IOCs: 4

Ink Dragon's Relay Network and Stealthy Offensive Operation

Check Point Research has identified a new wave of attacks by the Chinese threat actor Ink Dragon, targeting government entities in Europe, Southeast Asia, and South America. The actor builds a victim-based relay network using a custom ShadowPad IIS Listener module, turning compromised servers into …
espionage
shadowpad
government targets
chinese threat actor
finaldraft
iis exploitation
2025-12-16
relay network
stealthy operations
Published: December 16, 2025
Downloadable IOCs: 16

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for Fraud and Monetization

A malware campaign called WEBJACK is compromising Microsoft IIS servers to deploy BadIIS malware modules for SEO poisoning and fraud. The attackers hijack high-profile targets, including government and educational institutions, to redirect users to gambling websites. The campaign uses various tools…
seo poisoning
cobalt strike
chinese threat actor
latin america
southeast asia
badiis
iis modules
2025-11-19
xlanyloader
iis hijacking
m0yv
gambling redirection
Published: November 19, 2025
Downloadable IOCs: 34

Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to re…
seo poisoning
vietnam
iis module
dragonrank
chinese threat actor
badiis
chinese-speaking
web shells
2025-09-23
operation rewrite
iis modules
group 9
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 71

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

A Chinese financially motivated threat actor, dubbed SilkSpecter, has been uncovered targeting e-commerce shoppers in Europe and USA with a phishing campaign leveraging Black Friday discounts. The actor uses fake discounted products as lures to steal Cardholder Data, Sensitive Authentication Data, …
phishing
financial fraud
e-commerce
chinese threat actor
2024-11-14
oemapps
black friday
google translate
stripe
Published: November 14, 2024
Downloadable IOCs: 13

Inside the Open Directory of the “You Dun” Threat Group

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and …
ransomware
lockbit
cobalt strike
2024-10-28
weblogic exploitation
viper c2
chinese threat actor
Published: October 28, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports