#CyberEspionageCampaign
Google Disrupts China-Linked UNC2814 Cyber Espionage Network Targeting 70+ Countries

Google on Wednesday revealed that it collaborated with industry partners to dismantle the digital infrastructure of a suspected China-aligned cyber espionage group known as UNC2814, which compromised at least 53 organizations spanning 42 countries. "This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas," Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today. UNC2814 is believed to be associated with additional breaches across more than 20 other nations.

Google, which has monitored the group since 2017, observed the attackers leveraging API requests to interact with software-as-a-service (SaaS) platforms as part of their command-and-control (C2) framework. This method allowed the threat actor to blend malicious communications with normal traffic patterns.

At the core of the campaign is a previously undocumented backdoor named GRIDTIDE. The malware exploits the Google Sheets API as a covert channel for C2 operations, enabling attackers to conceal communications while transferring raw data and executing shell commands. Written in C, GRIDTIDE supports file uploads and downloads, along with arbitrary command execution.

Dan Perez, GTIG researcher, told The Hacker News via email that they cannot confirm if all the intrusions involved the use of the GRIDTIDE backdoor. "We believe many of these organizations have been compromised for years," Perez added. Investigators are still examining how UNC2814 gains its initial foothold. However, the group has a documented track record of exploiting web servers and edge devices to infiltrate targeted networks.

Once inside, the attackers reportedly used service accounts to move laterally via SSH, while relying on living-off-the-land (LotL) tools to perform reconnaissance, elevate privileges, and maintain long-term persistence. "To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt," Google explained.

The campaign also involved the use of SoftEther VPN Bridge to establish encrypted outbound connections to external IP addresses. Security researchers have previously linked misuse of SoftEther VPN technology to several Chinese state-sponsored hacking groups.

Evidence suggests that GRIDTIDE was deployed on systems containing personally identifiable information (PII), aligning with espionage objectives aimed at monitoring individuals of strategic interest. Despite this, Google stated that it did not detect any data exfiltration during the observed operations.

The malware's communication mechanism relies on a spreadsheet-based polling system, assigning specific functions to designated cells for two-way communication:

* A1: Used to retrieve attacker-issued commands and update status responses (e.g., S-C-R or Server-Command-Success)
* A2–An: Facilitates the transfer of data such as command outputs and files
* V1: Stores system-related data from the compromised endpoint

In response, Google terminated all Google Cloud projects associated with the attackers, dismantled known UNC2814 infrastructure, and revoked access to malicious accounts and Google Sheets API operations used for C2 activity. The company described UNC2814 as one of the "most far-reaching, impactful campaigns" encountered in recent years. It confirmed that formal notifications were issued to affected entities and that assistance is being provided to organizations with verified breaches linked to the group.

Security experts note that this activity reflects a broader strategy by Chinese state-backed actors to secure prolonged access within global networks. The findings further emphasize the vulnerability of network edge devices, which frequently become entry points due to exposed weaknesses and misconfigurations. Such appliances are increasingly targeted because they often lack advanced endpoint detection capabilities while offering direct access or pivot opportunities into internal enterprise systems once compromised.

"The global scope of UNC2814's activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders," Google said. "Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish its global footprint."

Google Disrupts China-Linked UNC2814 Cyber Espionage Network Targeting 70+ Countries #CyberEspionageCampaign #CyberSecurity #Google

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign

Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed, demonstrating the group's continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024. The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

"The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource."

"There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server's IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package."

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence. If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com.

System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe (an outdated Python binary), to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers' persistence, operational maturity, and access to substantial resources.

The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

"The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems."

"Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal."

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign #ChinalinkedAPT #CyberAttacks #CyberEspionageCampaign

Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces

Security researchers have identified renewed cyber activity linked to an Iranian threat actor known as Infy, also referred to as Prince of Persia, marking the group's re-emergence nearly five years after its last widely reported operations in Europe and the Middle East. According to SafeBreach, the scale and persistence of the group's recent campaigns suggest it remains an active and capable advanced persistent threat.

Infy is considered one of the longest-operating APT groups, with its origins traced back to at least 2004. Despite this longevity, it has largely avoided the spotlight compared with other Iranian-linked groups such as Charming Kitten or MuddyWater. Earlier research attributed Infy's attacks to a relatively focused toolkit built around two primary malware families: Foudre, a downloader and reconnaissance tool, and Tonnerre, a secondary implant used for deeper system compromise and data exfiltration. These tools are believed to be distributed primarily through phishing campaigns.

Recent analysis from SafeBreach reveals a previously undocumented campaign targeting organizations and individuals across multiple regions, including Iran, Iraq, Turkey, India, Canada, and parts of Europe. The operation relies on updated versions of both Foudre and Tonnerre, with the most recent Tonnerre variant observed in September 2025. Researchers noted changes in initial infection methods, with attackers shifting away from traditional malicious macros toward embedding executables directly within Microsoft Excel documents to initiate malware deployment.

One of the most distinctive aspects of Infy's current operations is its resilient command-and-control infrastructure. The malware employs a domain generation algorithm to rotate C2 domains regularly, reducing the likelihood of takedowns. Each domain is authenticated using an RSA-based verification process, ensuring that compromised systems only communicate with attacker-approved servers. SafeBreach researchers observed that the malware retrieves encrypted signature files daily to validate the legitimacy of its C2 endpoints. Further inspection of the group's infrastructure uncovered structured directories used for domain verification, logging communications, and storing exfiltrated data. Evidence also suggests the presence of mechanisms designed to support malware updates, indicating ongoing development and maintenance of the toolset.

The latest version of Tonnerre introduces another notable feature by integrating Telegram as part of its control framework. The malware is capable of interacting with a specific Telegram group through its C2 servers, allowing operators to issue commands and collect stolen data. Access to this functionality appears to be selectively enabled for certain victims, reinforcing the targeted nature of the campaign.

SafeBreach researchers also identified multiple legacy malware variants associated with Infy's earlier operations between 2017 and 2020, highlighting a pattern of continuous experimentation and adaptation. Contrary to assumptions that the group had gone dormant after 2022, the new findings indicate sustained activity and operational maturity over the past several years.

The disclosure coincides with broader research into Iranian cyber operations, including analysis suggesting that some threat groups operate with structured workflows resembling formal government departments. Together, these findings reinforce concerns that Infy remains a persistent espionage threat with evolving technical capabilities and a long-term strategic focus.

Iranian Infy Prince of Persia Cyber Espionage Campaign Resurfaces #cyberespionage #CyberEspionageCampaign #Cyberattacks

Chinese Hackers Use Anthropic’s AI to Launch Automated Cyber Espionage Campaign reconbee.com/chinese-hack...

#chinesehackers #hackers #Anthropic #AI #cyberespionagecampaign #cyberespionage #cyberattack #chinese

Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor Russian defense firms hit by cyberattacks using EAGLET malware via phishing lures; threat actors linked to Head Mare and Hive0156.

Cyber Espionage Campaign Hits Russian Aerospace Sector Using EAGLET Backdoor
thehackernews.com/2025/07/cybe...

#Infosec #Security #Cybersecurity #CeptBiro #CyberEspionageCampaign #Russian #AerospaceSector #EAGLET #Backdoor

Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign Winnti’s RevivalStone campaign exploited an ERP SQL flaw to deploy upgraded malware, breaching an MSP and infecting multiple firms.

Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
thehackernews.com/2025/02/winn...

#Infosec #Security #Cybersecurity #CeptBiro #Winnti #APT41 #JapaneseFirms #RevivalStone #CyberEspionageCampaign

Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign reconbee.com/winnti-apt41...

#winnti #apt41 #japanese #revivalstone #cyberespionagecampaign #CybersecurityNews #CyberSecurityAwareness

Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign Chinese hackers breach US internet providers, targeting sensitive data and critical infrastructure. Government responds as cybersecurity concerns esca

Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign
thehackernews.com/2024/09/chin...

#Infosec #Security #Cybersecurity #CeptBiro #ChineseHackers #USInternetProviders #CyberEspionageCampaign
