Quand le cyber-espionnage d’état avec Windows et Google Drive espionne les gouvernements Des postes Windows et un accès à Google Drive servent désormais de façade à des intrusions patientes. Derrière cette normalité numérique, un cyber-espionnage étatique infiltre des organisations gouver...

#SilverDragon est 1 opération d’ #espionnage informatique suivie par plusieurs équipes de threat intelligence.Les chercheurs y voient une attribution à #APT41 avec 1 outillage soigné, des phases discrètes de reconnaissance et 1 intérêt marqué pour les réseaux gouvernementaux

tr92.fr/quand-le-cyb...

Alert: Silver Dragon, linked to China's APT41, targets global governments using Cobalt Strike and Google Drive C2. Stay vigilant! #CyberSecurity #APT41 #SilverDragon #CobaltStrike #GoogleDriveC2 Link: thedailytechfeed.com/silver-drago...

Silver Dragon APT Targets SE Asia & Europe

~Checkpoint~
Chinese-nexus APT Silver Dragon deploys the GearDoor backdoor via Google Drive C2 to target gov entities.
-
IOCs: zhydromet[. ]com, ampolice[. ]org, onedriveconsole[. ]com
-
#APT41 #SilverDragon #ThreatIntel

APT41: Innovative Tactics of a Malware Campaign APT41, a sophisticated cyber threat actor from China, is known for its innovative malware campaigns targeting government, healthcare, technology sectors.

Dive into our latest blog post on APT41 and the innovative tactics behind their sophisticated malware campaigns! 🦠💻 Learn more: innovirtuoso.com/cybersecurity-analysis/a... #Cybersecurity #APT41 #Malware

China-Linked Hackers Step Up Quiet Spying Across South-East Asia Threat actors linked to China have been blamed for a new wave of cyber-espionage campaigns targeting government and law-enforcement agencies across South-East Asia during 2025, according several media reports. Researchers at Check Point Research said they are tracking a previously undocumented cluster, which they have named Amaranth-Dragon, that has targeted Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines.  The activity shows technical and operational links to APT41, a well-known Chinese hacking ecosystem.  “Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” Check Point said. “By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.”  The firm described the operations as tightly scoped and deliberately restrained, suggesting an effort to establish long-term access rather than cause disruption. Infrastructure was configured to communicate only with victims in specific countries, reducing the risk of discovery.  A key technique involved exploiting CVE-2025-8088, a now-patched flaw in WinRAR that allows arbitrary code execution when a malicious archive is opened. Check Point said the group began exploiting the vulnerability within days of its public disclosure in August. “The speed and confidence with which this vulnerability was operationalised underscores the group’s technical maturity and preparedness,” the researchers said.  Although the initial infection vector remains unclear, analysts believe spear-phishing emails were used to distribute malicious RAR files hosted on cloud services such as Dropbox. Once opened, the archive launches a loader using DLL side-loading, a tactic frequently associated with Chinese groups. The loader then retrieves an encryption key from one server, decrypts a payload from another location and executes it directly in memory.  The final stage deploys Havoc, an open-source command-and-control framework. Earlier versions of the campaign relied on ZIP files containing Windows shortcuts and batch files, while a separate operation in Indonesia delivered a custom remote-access trojan known as TGAmaranth RAT. That malware used a hard-coded Telegram bot for command and control and supported functions such as taking screenshots, running shell commands and transferring files.  Check Point said the command infrastructure was shielded by Cloudflare and restricted by geography, accepting traffic only from targeted countries. Compilation times and working patterns pointed to operators based in China’s time zone.  “In addition, the development style closely mirrors established APT41 practices,” the company said, adding that overlaps in tools and techniques suggest shared resources within the ecosystem. The findings come as another Chinese group, Mustang Panda, was linked to a separate espionage campaign uncovered by Dream Research Labs. The operation, dubbed PlugX Diplomacy, targeted officials involved in diplomacy, elections and international coordination between December 2025 and mid-January 2026.   “Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” Dream said.  Victims were lured into opening files disguised as diplomatic or policy documents, which triggered infection automatically. The files installed a modified version of PlugX, a long-used Chinese espionage tool, through a multi-step process involving Windows shortcuts, PowerShell scripts and DLL search-order hijacking using a legitimate signed executable. A decoy document was shown to victims while the malware quietly embedded itself in the system.  “The correlation between actual diplomatic events and the timing of detected lures suggests that analogous campaigns are likely to persist as geopolitical developments unfold,” Dream concluded.

China-Linked Hackers Step Up Quiet Spying Across South-East Asia #APT41 #China #cybersecuritySoutheastAsia

Amaranth-Dragon Exploits CVE-2025-8088

~Checkpoint~
Amaranth-Dragon (APT-41 nexus) exploits WinRAR CVE-2025-8088 in espionage campaigns targeting government entities in Southeast Asia.
-
IOCs: 92. 223. 120. 10, 93. 123. 17. 151, dns. annasoft. gcdn. co
-
#APT41 #CVE20258088 #ThreatIntel

Il tuo AV/EDR è inutile contro MoonBounce: La minaccia che vive nella tua scheda madre

📌 Link all'articolo : www.redhotcyber.com/post/il-...

#redhotcyber #news #malware #cybersecurity #apt41 #moonbounce #hacking #sicurezzainformatica #firmware

Chinese Hackers Attack Prominent U.S Organizations Chinese cyber-espionage groups attacked U.S organizations with links to international agencies. This has now become a problem for the U.S, as state-actors from China keep attacking.  Attackers were trying to build a steady presence inside the target network. Series of attacks against the U.S organizations  Earlier this year, the breach was against a famous U.S non-profit working in advocacy, that demonstrated advanced techniques and shared tools among Chinese cyber criminal gangs like APT41, Space Pirates, and Kelp. They struck again in April with various malicious prompts checking both internal network breach and internet connectivity, particularly targeting a system at 192.0.0.88. Various tactics and protocols were used, showing both determination and technical adaptability to get particular internal resources. Attack tactics  Following the connectivity tests, the hackers used tools like netstat for network surveillance and made an automatic task via the Windows command-line tools. This task ran a genuine MSBuild.exe app that processed an outbound.xml file to deploy code into csc.exe and connected it to a C2 server.  These steps hint towards automation (through scheduled tasks) and persistence via system-level privileges increasing the complexity of the compromise and potential damage. Espionage methods  The techniques and toolkit show traces of various Chinese espionage groups. The hackers weaponized genuine software elements. This is called DLL sideloading by abusing vetysafe.exe (a VipreAV component signed by Sunbelt Software, Inc.) to load a malicious payload called sbamres.dll. This tactic was earlier found in campaigns lkmkedytl Earth Longzhi and Space Pirates, the former also known as APT41 subgroup. Coincidentally, the same tactic was found in cases connected to Kelp, showing the intrusive tool-sharing tactics within Chinese APTs.

Chinese Hackers Attack Prominent U.S Organizations #AI #APT41 #Cloud

Attori cinesi compromettono una ong USA influente su policy, sfruttando exploit noti e tecniche APT41 per persistenza stealthy.

#apt #APT41 #Blackfly #cina #Grayfly #Redfly #SaltTyphoon
www.matricedigitale.it/2025/11/08/a...

TA415 APT41 spoofa Moolenaar: phishing con WhirlCoil, C2 su Google Sheets e Zoho, persistenza via VS Code Remote Tunnels contro esperti USA-Cina.

#apt41 #GoogleSheets #TA415 #VisualStudio
www.matricedigitale.it/2025/09/19/t...

APT41: Innovative Tactics of a Malware Campaign APT41, a sophisticated cyber threat actor from China, is known for its innovative malware campaigns targeting government, healthcare, technology sectors.

Dive into our latest blog post on APT41 and the innovative tactics behind their sophisticated malware campaigns! 🦠💻 Learn more: innovirtuoso.com/cybersecurity-analysis/a... #Cybersecurity #APT41 #Malware

China-linked APT41 intensifies cyber espionage amid U.S.-China trade talks, targeting officials and organizations. Stay informed and secure. #CyberSecurity #APT41 #USChinaRelations Link: thedailytechfeed.com/china-linked...

🚨 Chinese hackers impersonate US Congressman in malware campaign

Chinese-linked APT41 sent malware-laced emails posing as Congressman John #Moolenaar to trade groups, law firms and agencies ahead of US–China trade talks.

#ransomNews #apt41 #cyberespionage

U.S. authorities probe cyberattack targeting trade talks with China. Emails impersonated Rep. Moolenaar, linked to APT41. #CyberSecurity #TradeNegotiations #APT41 Link: thedailytechfeed.com/u-s-authorit...

US Probes Malware Targeting US-China Trade Negotiations via Email Impersonating Lawmaker U.S. authorities are investigating a malware campaign linked to APT41 that targeted U.S.-China trade negotiations by impersonating a lawmaker.

Details: www.technadu.com/us-probes-ma...

How do you see cyber operations shaping future trade negotiations?
#CyberSecurity #APT41 #USChina

🚨 U.S. investigates malware campaign linked to China’s APT41

📎 Fake “draft legislation” emails spoofed Rep. John Moolenaar
🎯 Targets: trade groups, gov agencies, law firms
🇨🇳 Analysts say campaign tied to Chinese espionage

#APT41 #CyberSecurity #Espionage

APT41: Innovative Tactics of a Malware Campaign APT41, a sophisticated cyber threat actor from China, is known for its innovative malware campaigns targeting government, healthcare, technology sectors.

🚨 Check out our latest blog post on APT41 and their innovative tactics in a sophisticated malware campaign! Stay informed and secure. 🔍💻 Read more: innovirtuoso.com/cybersecurity-analysis/a... #Cybersecurity #APT41 #Malware

APT41: Innovative Tactics of a Malware Campaign APT41, a sophisticated cyber threat actor from China, is known for its innovative malware campaigns targeting government, healthcare, technology sectors.

🚨 Check out our latest blog post on APT41 and their innovative tactics in a sophisticated malware campaign! Stay informed and secure. 🔍💻 Read more: innovirtuoso.com/cybersecurity-analysis/a... #Cybersecurity #APT41 #Malware

APT41 Unleashes Full Arsenal in Rare African Cyberespionage Campaign Kaspersky uncovers a sophisticated APT41 cyberespionage campaign targeting African government IT, showcasing the Chinese group's full TTPs, including Impacket and Cobalt Strike.

APT41攻击非洲：网络间谍活动详情暴露了！

中国政府支持的黑客组织APT41针对南部非洲政府机构发起攻击。

#APT41 #网络间谍 #非洲网络安全

securityonline.info/apt41-unleas...

Kaspersky rivela campagna APT41 contro infrastrutture IT governative in Africa, con tool come Cobalt Strike e Impacket per cyberespionaggio.

#africa #apt #apt41 #cina #CobaltStrike #cyberspionaggio #Impacket #Kaspersky
www.matricedigitale.it/2025/07/22/a...

APT41 Mashers Leveraging Atexec and WmiExec Windows Modules to Deploy Malware
potatosecuritynews.com/apt41-masher...

#Infosec #Security #Potatosecurity #CeptBiro #APT41 #Atexec #WmiExec #WindowsModules #Malware

APT41 Hackers Leveraging Atexec and WmiExec Windows Modules to Deploy Malware APT41 expands into Africa, using advanced Windows admin tools like Atexec and WmiExec to target government IT services with stealthy attacks.

APT41 Hackers Leveraging Atexec and WmiExec Windows Modules to Deploy Malware
cybersecuritynews.com/apt41-hacker...

#Infosec #Security #Cybersecurity #CeptBiro #APT41 #Atexec #WmiExec #WindowsModules #Malware

APT41 expands operations to Africa, using Atexec & WmiExec for malware deployment. #CyberSecurity #APT41 #Malware #Africa Link: thedailytechfeed.com/apt41s-advan...

Awakari App

Chinese Espionage Crews Circle SentinelOne in Year-Long Reconnaissance Campaign Anti-malware vend...


#Incident #Response #Malware #& #Threats #Nation-State #APT41 #China #PurpleHaze #SentinelLabs #SentinelOne
Origin | Interest | Match

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down   Chinese state-backed threat actor APT41 has been discovered leveraging Google Calendar as a command-and-control (C2) channel in a sophisticated cyber campaign, according to Google’s Threat Intelligence Group (TIG). The team has since dismantled the infrastructure and implemented defenses to block similar future exploits. The campaign began with a previously breached government website — though TIG didn’t disclose how it was compromised — which hosted a ZIP archive. This file was distributed to targets via phishing emails. Once downloaded, the archive revealed three components: an executable file and a dynamic-link library (DLL) disguised as image files, and a Windows shortcut (LNK) masquerading as a PDF. When users attempted to open the phony PDF, the shortcut activated the DLL, which then decrypted and launched a third file containing the actual malware, dubbed ToughProgress. Upon execution, ToughProgress connected to Google Calendar to retrieve its instructions, embedded within event descriptions or hidden calendar events. The malware then exfiltrated stolen data by creating a zero-minute calendar event on May 30, embedding the encrypted information within the event's description field. Google noted that the malware’s stealth — avoiding traditional file installation and using a legitimate Google service for communication — made it difficult for many security tools to detect. To mitigate the threat, TIG crafted specific detection signatures, disabled the threat actor’s associated Workspace accounts and calendar entries, updated file recognition tools, and expanded its Safe Browsing blocklist to include malicious domains and URLs linked to the attack. Several organizations were reportedly targeted. “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” Google stated. “We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.” Google did not disclose the exact number of impacted entities.

APT41 Exploits Google Calendar in Stealthy Cyberattack; Google Shuts It Down #APT41 #Attack #Calendar

brief alt text description of the first image

Google exposed Chinese state-backed APT41 using TOUGHPROGRESS malware to exploit Google Calendar for C2. This group hid commands in calendar events, targeting government entities. Google shut down the malicious ops. #CyberAttack #APT41 #ThreatIntel