Tag: chinese threat actor

5 Attack Reports | 0 Vulnerabilities

Attack reports

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for Fraud and Monetization

A malware campaign called WEBJACK is compromising Microsoft IIS servers to deploy BadIIS malware modules for SEO poisoning and fraud. The attackers hijack high-profile targets, including government and educational institutions, to redirect users to gambling websites. The campaign uses various tools…
seo poisoning
cobalt strike
chinese threat actor
latin america
southeast asia
badiis
iis modules
2025-11-19
xlanyloader
iis hijacking
m0yv
gambling redirection
Published: November 19, 2025
Downloadable IOCs: 34

Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign

A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to re…
seo poisoning
vietnam
iis module
dragonrank
chinese threat actor
badiis
chinese-speaking
web shells
2025-09-23
operation rewrite
iis modules
group 9
2025-09-25
Published: September 25, 2025
Downloadable IOCs: 71

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers

A Chinese financially motivated threat actor, dubbed SilkSpecter, has been uncovered targeting e-commerce shoppers in Europe and USA with a phishing campaign leveraging Black Friday discounts. The actor uses fake discounted products as lures to steal Cardholder Data, Sensitive Authentication Data, …
phishing
financial fraud
e-commerce
chinese threat actor
2024-11-14
oemapps
black friday
google translate
stripe
Published: November 14, 2024
Downloadable IOCs: 13

Inside the Open Directory of the “You Dun” Threat Group

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and …
ransomware
lockbit
cobalt strike
2024-10-28
weblogic exploitation
viper c2
chinese threat actor
Published: October 28, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports