IT supply chains targeted by Chinese cyber-espionage group Silk Typhoon
Researchers report that the Chinese cyber-espionage group Silk Typhoon has shifted its focus to supply chain attacks, targeting remote management tools and cloud services to access downstream customer networks.
The group has breached multiple industries, including government, IT services, health care, defense, education, NGOs and energy, exploiting unpatched applications to escalate privileges. It leverages stolen API keys and compromised credentials taken from IT providers, identity management services and RMM solutions to infiltrate downstream cloud environments without tripping alarms. Previously known for exploiting zero-day vulnerabilities in edge devices, Silk Typhoon now relies on abusing cloud applications to steal data and erases logs to hinder detection.
The attackers scan public repositories such as GitHub for leaked credentials and conduct password spray attacks to gain unauthorized access. Microsoft also observed the group exploiting a zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure (formerly Pulse Connect Secure) VPN appliances to breach corporate networks.
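Password spraying is cheap for the attacker and easy to miss if you only alert on per-account lockouts, because each account sees one or two failures. The detector below is an added example (not from the original report or from Microsoft) that separates a spray from a single-account brute force and from ordinary typos: it sweeps each source IP's failed sign-ins with a sliding window, counts distinct accounts, and flags any successful sign-in from a spraying source. The log lines, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Password-spray detection over sign-in events (added example, not from the
original report). The log lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, user, result.
# 203.0.113.7 sprays one guess across many accounts, 198.51.100.9 hammers one
# account (classic brute force), 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2025-03-05T09:00:01Z 203.0.113.7 alice FAIL
2025-03-05T09:00:03Z 203.0.113.7 bob FAIL
2025-03-05T09:00:05Z 203.0.113.7 carol FAIL
2025-03-05T09:00:07Z 203.0.113.7 dave FAIL
2025-03-05T09:00:09Z 203.0.113.7 erin FAIL
2025-03-05T09:00:11Z 203.0.113.7 frank FAIL
2025-03-05T09:00:13Z 203.0.113.7 grace SUCCESS
2025-03-05T09:01:00Z 198.51.100.9 alice FAIL
2025-03-05T09:01:02Z 198.51.100.9 alice FAIL
2025-03-05T09:01:04Z 198.51.100.9 alice FAIL
2025-03-05T09:01:06Z 198.51.100.9 alice FAIL
2025-03-05T09:01:08Z 198.51.100.9 alice FAIL
2025-03-05T09:01:10Z 198.51.100.9 alice FAIL
2025-03-05T09:02:00Z 192.0.2.44 heidi FAIL
2025-03-05T09:02:30Z 192.0.2.44 heidi SUCCESS
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def max_distinct_users_in_window(failures, window):
    """Largest number of distinct accounts one source failed against inside any
    `window` (two-pointer sweep over failures already sorted by time)."""
    best, counts, lo = 0, defaultdict(int), 0
    for ev in failures:
        counts[ev["user"]] += 1
        while ev["ts"] - failures[lo]["ts"] > window:
            old = failures[lo]["user"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Return {ip: details} for sources whose failure pattern looks like a spray:
    many distinct accounts inside one window, few attempts per account.
    Thresholds are illustrative assumptions; tune them to your tenant."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        if not failures:
            continue
        distinct = max_distinct_users_in_window(failures, window)
        per_user = len(failures) / len({e["user"] for e in failures})
        if distinct >= min_users and per_user <= max_attempts_per_user:
            alerts[ip] = {
                "distinct_users": distinct,
                "failures": len(failures),
                # Any success from a spraying source is a probable compromise.
                "successes": sorted(e["user"] for e in evs if e["ok"]),
            }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, details)
```

The brute-force source is deliberately not reported here; it is caught by ordinary lockout policy, whereas the spray needs source-centric aggregation. In a real deployment the "successes" field is the one to route to incident response.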
Infostealers and cryptominers unleashed from Eastern Europe, targeting over 4,000 Chinese and U.S. ISPs
A large-scale cyberattack from Eastern Europe is targeting ISPs in China and the U.S. West Coast to deploy infostealers and cryptominers on compromised systems.
Threat actors use brute-force attacks against weak credentials to gain access, then install malware that exfiltrates data, establishes persistence and disables security defenses. The attackers rely on scripting languages such as PowerShell and Python to execute commands stealthily and use the Telegram API for command-and-control (C2).
Once inside, they drop binaries in a folder named "Migration", disable security features and use tools such as masscan.exe for network scanning. The malware also captures screenshots and harvests cryptocurrency wallet addresses from victims' clipboards, sending the stolen data to its C2 infrastructure. The attack is designed to keep a minimal footprint while reserving as much processing power as possible for cryptomining; it also blocks remote access to the host and takes steps to avoid detection.
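None of the behaviours above is conclusive on its own: PowerShell runs everywhere, and traffic to api.telegram.org is legitimate on any host with a Telegram bot. What makes them worth an alert is co-occurrence on one host. The snippet below is an added example, not code from the original report or from the researchers, that maps constructed Sysmon-style process and network events to the indicator categories described in this item and alerts only when several of them appear on the same host. Host names, paths and command lines are constructed for illustration.

```python
"""Host-level correlation of the behaviours described above (added example,
not from the original report). The events are constructed Sysmon-style records."""
import re
from collections import defaultdict

# Constructed telemetry: edge-01 shows the full pattern, ws-07 is an admin
# running a normal script, dev-03 runs a legitimate Telegram bot.
SAMPLE_EVENTS = [
    {"host": "edge-01", "kind": "process",
     "image": r"C:\Users\Public\Migration\masscan.exe",
     "cmdline": "masscan.exe 10.0.0.0/8 -p22,3389 --rate 10000"},
    {"host": "edge-01", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "edge-01", "kind": "network",
     "image": r"C:\Users\Public\Migration\svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "ws-07", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "dev-03", "kind": "network",
     "image": r"C:\Program Files\Python312\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

# Encoded or hidden-window PowerShell invocations.
OBFUSCATED_PS = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden")


def _basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def indicator_categories(event):
    """Return the set of campaign behaviours a single event matches."""
    cats = set()
    image = event.get("image", "")
    cmdline = event.get("cmdline", "").lower()
    if "\\migration\\" in image.lower():
        cats.add("staging_dir")
    if _basename(image) == "masscan.exe":
        cats.add("mass_scanner")
    if _basename(image) in ("powershell.exe", "pwsh.exe") and OBFUSCATED_PS.search(cmdline):
        cats.add("obfuscated_powershell")
    if event.get("kind") == "network" and event.get("dest_host", "").lower() == "api.telegram.org":
        cats.add("telegram_api_c2")
    return cats


def correlate(events, min_categories=2):
    """Alert on hosts where at least `min_categories` distinct behaviours co-occur.
    The threshold is an illustrative assumption."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicator_categories(ev)
    return {host: sorted(cats) for host, cats in per_host.items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(host, cats)
```

With the default threshold only edge-01 fires, carrying all four categories; dev-03's Telegram traffic and ws-07's scripted PowerShell each match at most one category and stay quiet.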
Sagerunex backdoor variants released by Chinese APT Lotus Panda target organizations in several Asian countries
The Chinese APT group Lotus Panda has been observed targeting governments, manufacturing, telecommunications and media sectors in the Philippines, Vietnam, Hong Kong and Taiwan with updated variants of the Sagerunex backdoor.
Active since at least 2009 and also known as Billbug or Lotus Blossom, the group has a history of cyber espionage, having previously breached a digital certificate authority and government agencies across Asia. The latest campaign introduces two "beta" versions of Sagerunex that abuse legitimate services such as Dropbox, X and Zimbra as command-and-control (C2) channels to evade detection. The Zimbra variant, in particular, lets attackers issue commands through webmail content, with the output of executed commands stored in draft emails for exfiltration.
Additionally, Lotus Panda deploys tools such as a Chrome cookie stealer, the Venom proxy tool, and privilege escalation utilities to enhance persistence and control over compromised systems. The group also performs reconnaissance using system commands and adapts to network restrictions by leveraging proxy settings or the Venom tool to maintain access.
Enterprises in Spanish-speaking Latin America hit after threat actor Dark Caracal deploys Poco RAT
Researchers have uncovered another campaign, dating back to 2024, that links the threat actor Dark Caracal to the deployment of Poco RAT against Spanish-speaking targets in Latin America.
Poco RAT has espionage capabilities: it can upload files, capture screenshots, execute commands and manipulate system processes. First documented in July 2024 in phishing attacks against industries such as mining and manufacturing, it was later attributed to Dark Caracal by researchers, who noted similarities with the group's previous operations, such as the 2021 Bandidos cyber-espionage campaign.
In this campaign the attackers continue to use phishing emails with invoice-themed lures that lead victims to download malicious files from cloud services such as Google Drive and Dropbox. Once installed, Poco RAT grants full remote access to compromised systems, enabling data theft and further malicious actions.
U.A.E. aviation sector suspected to have been attacked by Iranian-aligned threat actor
A suspected Iranian-aligned threat actor leveraged a compromised Indian electronics company’s email to launch a targeted phishing campaign against fewer than five entities in the U.A.E. aviation and satellite communications sectors.
The attackers, tracked as UNK_CraftyCamel, distributed a malicious ZIP archive containing polyglot files that ultimately installed a custom Golang backdoor named Sosano. Because the emails came from the compromised account of INDIC Electronics, a trusted business partner of the targets, and pointed to a spoofed domain impersonating that company, the lure was highly convincing.
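Polyglot files work because several common formats tolerate foreign bytes: PDF readers scan the first kilobyte for "%PDF-", and ZIP readers locate the central directory from the end of the file, so a single file can be a valid PDF to one parser and a valid archive to another while an extension or magic-number check sees only one of them. The code below is an added example, not code from the original report or from the researchers, and it does not reproduce the attackers' files: it constructs a harmless PDF/ZIP polyglot in memory and shows a scanner that reports every container signature present instead of trusting the one at offset 0. The signature table and the sample content are assumptions made for illustration.

```python
"""Detect polyglot files of the kind described above (added example, not from
the original report). The sample polyglot is constructed in memory and carries
no malicious content."""
import io
import zipfile

# Container signatures that parsers accept at a non-zero offset, which is what
# makes polyglots possible. Searched case-insensitively anywhere in the file.
ANYWHERE_SIGNATURES = {
    "pdf": b"%pdf-",
    "ole_cfb": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .xls/.doc container
    "html": b"<html",
    "hta": b"<hta:application",
}


def build_pdf_zip_polyglot():
    """Constructed sample: a minimal PDF header followed by a complete ZIP."""
    pdf_prefix = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "constructed sample, not malware\n")
    return pdf_prefix + buf.getvalue()


def claimed_format(data):
    """What a naive magic-number check at offset 0 would report."""
    if data.startswith(b"MZ"):
        return "pe"
    lowered = data.lower()
    for name, sig in ANYWHERE_SIGNATURES.items():
        if lowered.startswith(sig):
            return name
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def scan_formats(data):
    """Return {format: offset} for every format signature found in `data`."""
    lowered = data.lower()
    found = {}
    for name, sig in ANYWHERE_SIGNATURES.items():
        off = lowered.find(sig)
        if off != -1:
            found[name] = off
    if data.startswith(b"MZ"):
        found["pe"] = 0
    # A ZIP stays valid with arbitrary leading bytes, so validate it structurally
    # (end-of-central-directory record) instead of trusting local-header magic.
    if zipfile.is_zipfile(io.BytesIO(data)):
        off = data.find(b"PK\x03\x04")
        found["zip"] = off if off != -1 else data.rfind(b"PK\x05\x06")
    return found


def is_polyglot(data):
    """True when more than one format signature is present in the file."""
    return len(scan_formats(data)) > 1


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot()
    print("claimed:", claimed_format(sample))
    print("found:", scan_formats(sample))
    print("polyglot:", is_polyglot(sample))
```

Running it reports the sample as "pdf" by its header while the structural scan also finds a valid ZIP at a later offset, which is the mismatch a mail gateway or sandbox should treat as suspicious. Stripping the PDF prefix leaves a plain archive, and a plain PDF has only one signature, so neither is flagged.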
Once executed, the Sosano backdoor connected to a command-and-control (C2) server, allowing attackers to execute commands, download additional payloads and manipulate system directories. Researchers found no direct overlap with existing threat actors but assess that the campaign is likely linked to an Iranian-aligned group, possibly affiliated with the IRGC.