PeckBirdy: A Versatile Script Framework Used by China-Aligned APT Groups

This report details two threat campaigns using the PeckBirdy JavaScript framework, attributed to China-aligned advanced persistent threat (APT) actors. The campaigns, temporarily named SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate the increasing sophistication and adaptability of these groups.

Analysis of the SHADOW-VOID-044 Campaign

The SHADOW-VOID-044 campaign has been linked to the UNC3569 threat actor, with moderate to high confidence, based on overlapping TTPs and victims.

Link to UNC3569: Observed use of the GRAYRABBIT backdoor, previously associated with UNC3569. The Command and Control (C&C) server center.myrnicrosoft.com is the same one used by UNC3569, and the campaign target (Chinese gaming industry) matches the known targets of this actor. The GRAYRABBIT implementation in this campaign uses a DLL sideloading technique combined with the UuidFromStringA PowerShell function.

Link to TheWizard: The campaign also deployed the HOLODONUT backdoor. Some HOLODONUT samples connected to the same C&C server (mkdmcdn.com) used by the APT group TheWizard. TheWizard has also used the DarkNimbus backdoor, associated with the Earth Minotaur actor.

Stolen Certificate: SHADOW-VOID-044 used a Cobalt Strike sample signed with a certificate stolen from a South Korean game company. This same certificate was used in the BIOPASS RAT campaign, linked to the actor Earth Lusca.

Infection Detection Technique: The BIOPASS RAT and MKDOOR campaigns employ a technique to verify infection: they open a local HTTP server on a high port so that a watering hole attack script can scan and confirm the presence of the backdoor on the host.

Analysis of the SHADOW-EARTH-045 Campaign

This campaign focused on a Filipino educational institution in July 2024. ...

January 26, 2026 · Comfidentia

Sandworm attacks Poland's electrical system with new DynoWiper malware

The Russian state-linked Sandworm hacking group has been identified as responsible for what is described as the “largest cyberattack” targeting Poland’s power system in the last week of December 2025. Although the attack was detected and neutralized without causing any disruption, experts have linked this activity to a new variant of “wiper” malware deployed by the threat actor.

Details of the DynoWiper attack and malware

According to a report by ESET, the attack was the work of Sandworm, which used a previously undocumented wiper malware called DynoWiper (also known as Win32/KillFiles.NMO). The attribution to Sandworm is based on similarities with the group’s previous activities, especially in the context of the Russian invasion of Ukraine. ...

January 26, 2026 · Comfidentia

Evolution of MuddyWater: New Tools and Tactics in Cyberattacks on Israel and Egypt

ESET researchers have discovered new activities of the Iran-aligned cyber espionage group MuddyWater (also known as Mango Sandstorm or TA450). This campaign primarily targets organizations in Israel and, in one confirmed case, Egypt, showing significant evolution in their technical and tactical evasion capabilities.

Key Aspects of the Campaign

Unlike previous operations, this MuddyWater campaign is more stealthy and sophisticated. ESET highlights the following points: ...

December 26, 2025 · Comfidentia

Cisco Alerts on Critical Zero-Day Vulnerability Exploited by China APT

Cisco has issued an alert regarding a maximum severity zero-day vulnerability in its Cisco AsyncOS software. This flaw has been actively exploited by an advanced persistent threat (APT) actor with ties to China, dubbed UAT-9686, in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

Threat Details

The intrusion campaign was detected on December 10, 2025. Cisco identified that a limited subset of its appliances, with specific ports exposed to the Internet, were targeted. The vulnerability, tracked as CVE-2025-20393, has a CVSS score of 10.0 and allows attackers to execute arbitrary commands with root privileges on the underlying operating system of the affected appliance. Attackers have managed to establish persistence mechanisms to maintain control over compromised systems. ...

December 18, 2025 · Comfidentia

Hacking group Jewelbug shifts focus to European government targets, using novel C2 infrastructure

The threat group known as Jewelbug, also tracked by Check Point Research as Ink Dragon, has intensified its attacks against government targets in Europe since July 2025. Although the actor, aligned with China and active since at least March 2023, continues to attack entities in Southeast Asia and South America, its focus has expanded significantly. Check Point Research has detailed the operations of this hacking group, highlighting its combination of solid software engineering, disciplined operational playbooks, and the reuse of native platform tools to blend into normal company telemetry. These tactics make their intrusions “effective and stealthy.” ...

December 17, 2025 · Comfidentia

Dragon Breath and Phishing Campaigns Distribute Gh0st RAT to Chinese Users

The cyber threat landscape targeting Chinese-speaking users has intensified with the detection of multiple malware campaigns. Two recent reports highlight the sophistication of threat actors using the Gh0st RAT remote access trojan, a malware known for its versatility. One of the campaigns involves the threat actor known as Dragon Breath (also APT-Q-27 or Golden Eye), which uses a multi-phase loader called RONINGLOADER to deliver a modified variant of Gh0st RAT. Simultaneously, another series of large-scale phishing campaigns have been distributing the same malware. ...

November 19, 2025 · Comfidentia

Dragon Breath Campaign Deploys Gh0st RAT Using Sophisticated Evasion Techniques

The threat group known as Dragon Breath, also tracked as APT-Q-27 and Golden Eye, has been detected using a multi-stage loader called RONINGLOADER to deliver a modified variant of the Gh0st RAT remote access Trojan. This campaign primarily targets Chinese-speaking users and uses Trojanized NSIS installers that impersonate legitimate software such as Google Chrome and Microsoft Teams. According to researchers at Elastic Security Labs, the infection chain employs a multi-stage delivery mechanism that incorporates advanced evasion techniques. These techniques are specifically designed to neutralize popular endpoint security products in the Chinese market. ...

November 19, 2025 · Comfidentia

PlushDaemon group uses new EdgeStepper backdoor for AitM attacks

The PlushDaemon threat actor has been identified using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary in the Middle (AitM) attacks. EdgeStepper has the ability to redirect all DNS queries to an external malicious node, diverting traffic from legitimate software update infrastructure to attacker-controlled infrastructure.

About Threat Actor PlushDaemon

PlushDaemon is a China-aligned threat group, active since at least 2018. It is known for directing attacks against entities in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. ...

November 19, 2025 · Comfidentia

PlushDaemon Uses Backdoor EdgeStepper for AitM Attacks and Software Update Hijacking

The threat group known as PlushDaemon has been detected using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary in the Middle (AitM) attacks and hijack software update mechanisms. EdgeStepper, a previously undocumented implant, has been designed to reroute victims’ DNS queries to attacker-controlled infrastructure. This backdoor allows PlushDaemon to redirect legitimate software update traffic to malicious nodes, facilitating the delivery of second-stage payloads.

The Threat Actor PlushDaemon and Its Objectives

PlushDaemon is a China-aligned advanced persistent threat (APT) group, active since at least 2018. It has targeted entities in various regions, including the US, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. ...

November 19, 2025 · Comfidentia