Hashtag: #FlaxTyphoon
Preview
The APTs That Defined 2025 How State-Aligned Threat Actors Shaped the Global Cyber Battlefield

The APTs That Defined 2025 open.substack.com/pub/malwhere...

#APT #China #Russia #DPRK #Iran #ThreatIntel #CyberSecurity #SaltTyphoon #FlaxTyphoon #MustangPanda #APT17 #APT28 #APT29 #Sandworm #LazarusGroup #Kimsuky #APT42

0 0 0 0
Preview
Utah’s Snyderville Basin Water Reclamation District cites Flax Typhoon but reports file encryption on GIS server
SBWRD in Utah says it isolated an intrusion on its ArcGIS server after files were encrypted and recovered; no operational impact reported.

Utah's Snyderville Basin Water Reclamation District cites Flax Typhoon but reports file encryption on GIS server #Utah #FlaxTyphoon #ArcGIS #Encryption #Cyberattack #cybersecurity dysruptionhub.com/utah-wastewater-district...

0 0 0 0
Preview
Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon

Chinese state-backed hacking group Flax Typhoon has been exploiting a feature within Esri’s ArcGIS software to maintain covert access to targeted systems for more than a year, according to new findings from ReliaQuest. The group, active since at least 2021 and known for espionage operations against entities in the U.S., Europe, and Taiwan, weaponized ArcGIS’s Server Object Extension (SOE) to transform the software into a webshell—essentially turning legitimate features into tools for persistent compromise. Researchers found that the attackers targeted a public-facing ArcGIS server linked to a private backend server. By compromising the portal administrator credentials, they deployed a malicious extension that forced the system to create a hidden directory, which became their private command and control workspace.

This extension included a hardcoded key, shielding their access from others while ensuring persistence. The hackers maintained this access long enough for the malicious file to become embedded in backup systems, effectively guaranteeing reinfection even if administrators restored the system from backups. ReliaQuest described this as a particularly deceptive attack chain that allowed the group to mimic normal network activity, thereby bypassing typical detection mechanisms. Because the infected component was integrated into backup files, standard recovery protocols became a liability — a compromised backup meant a built-in reinfection vector. The tactic showcases Flax Typhoon’s hallmark strategy of exploiting trusted internal processes and tools rather than relying on advanced malware or sophisticated exploits. This method is consistent with Flax Typhoon’s history of leveraging legitimate software components for espionage.

Microsoft had previously documented the group’s capability to maintain long-term access to dozens of Taiwanese organizations using built-in Windows utilities and benign applications for stealth. The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based company implicated in supporting Flax Typhoon’s operations, including managing infrastructure for a major botnet dismantled by the FBI. ReliaQuest warned that the real danger extends beyond ArcGIS or Esri’s ecosystem — it highlights the inherent risks in enterprise software that depends on third-party extensions or backend access. The researchers called the case a “wake-up call,” urging organizations to treat every interface with backend connectivity as a high-risk access point, regardless of how routine or trusted it appears.

Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon #ArcGIS #BackdoorAttacks #FlaxTyphoon

0 0 0 0
Preview
Chinese gang used ArcGIS as a backdoor for a year: Crims turned trusted mapping software into a hideout - no traditional malware required

Chinese gang used ArcGIS as a backdoor for a year – and no one noticed
www.theregister.com/2025/10/14/c...

#FlaxTyphoon turned trusted mapping software into a covert backdoor.
#CyberSecurity #InfoSec #CyberEspionage

1 0 0 0
Post image

Chinese state-sponsored hackers exploited ArcGIS servers for over a year, turning them into backdoors for cyber espionage. #CyberSecurity #FlaxTyphoon #ArcGIS #CyberEspionage Link: thedailytechfeed.com/chinese-stat...

0 0 0 0
Post image

Flax Typhoon turns an ArcGIS SOE into a persistent web shell and uses SoftEther VPN for espionage and credential harvesting in a long-running attack.

#apt #ArcGIS #cina #credentialharvesting #FlaxTyphoon #SOE #VPN #webshell
www.matricedigitale.it/2025/10/14/f...

0 0 0 0
Post image

🚨 A suspected Chinese state-backed hacking group, likely Flax Typhoon, remained hidden in a target’s network for over a year by turning a component of Esri’s ArcGIS mapping tool into a stealthy web shell.
#CyberSecurity #ThreatIntel #APT #China #FlaxTyphoon

2 0 1 0
Preview
Catching Flax Typhoon in the Honeypot: Footprints in AIDE - GCA | Global Cyber Alliance | Working to Eradicate Cyber Risk
Our analysis revealed behavioral signals and infrastructure overlaps consistent with Flax Typhoon’s tactics.

We explored if #FlaxTyphoon activity was detectable within AIDE.

Our analysis revealed tactics including VPN tunneling, web shell traffic, and credential-based reconnaissance.

Read more in Meghal Donde's insightful and data-packed post: globalcyberalliance.org/flax-typhoon...

1 2 0 0
Preview
Experts warn of China-linked APT's Raptor Train IoT Botnet
Researchers warn of a new IoT botnet called Raptor Train that already compromised over 200,000 devices worldwide.

"Researchers warn of a new IoT botnet called #RaptorTrain that already compromised over 200,000 devices worldwide." securityaffairs.com/168563/malwa... "experts believe the botnet is controlled by a #China -linked APT group #FlaxTyphoon (also called Ethereal Panda or RedJuliett)" #cybersec #natsec

1 0 1 0

Chinese security company "lending out" infrastructure to attackers? US moves to impose sanctions #ITmedia (Jan 19)

#サイバー攻撃 #米中対立 #FlaxTyphoon #重要インフラ #サイバーセキュリティ

https://buff.ly/3PDL3D8

0 0 0 0
Preview
China’s Salt Typhoon Attacks Guam entity; US Sanctions Chinese Company
China is continuing to target U.S. entities in its efforts regarding Taiwan, including using state-sponsored Flax Typhoon to compromise Guam infrastructure. The U.S. is pushing back, with the Treasury…

China's Salt Typhoon strikes Guam; US sanctions Chinese company

China’s Salt Typhoon Attacks Guam entity; US Sanctions Chinese Company #SecurityBoulevard (Jan 6)

#サイバー攻撃 #中国ハッカー #SaltTyphoon #FlaxTyphoon #米中関係

0 0 0 0
Preview
US Sanctions Beijing Based Cybersecurity Company
A Chinese company was sanctioned for cyberespionage on the United States government and related infrastructure via a cybercriminal group.

👥 Beijing Cybersecurity Company Caught in the US OFAC Radar. Read full story ⤵️

#Cybercrime #CyberEspionage #FlaxTyphoon #USTreasury #Sanctions #StateSponsored #China #ThreatActors

0 0 0 0
Preview
U.S. Sanctions Chinese Cybersecurity Firm for State-Backed Hacking Campaigns
U.S. sanctions Integrity Technology Group for aiding Flax Typhoon's state-sponsored hacks, targeting U.S. systems since 2021.

US sanctions Chinese cybersecurity firm over state-backed hacking activity

U.S. Sanctions Chinese Cybersecurity Firm for State-Backed Hacking Campaigns #HackerNews (Jan 4)

#サイバー攻撃 #中国 #米国財務省 #FlaxTyphoon #サイバーセキュリティ

0 0 0 0
Preview
China-linked APT Salt Typhoon breached a ninth U.S. telco
A White House official confirmed that China-linked threat actor Salt Typhoon breached a ninth U.S. telecommunications company.

China-linked APT "Salt Typhoon" breaches ninth US telecommunications company

China-linked APT Salt Typhoon breached a ninth U.S. telecommunications firm #SecurityAffairs (Dec 29)

#サイバー攻撃 #中国企業 #米国制裁 #FlaxTyphoon #重要インフラ

0 0 0 0
Preview
US sanctions Chinese company linked to Flax Typhoon hackers
The U.S. Treasury Department has sanctioned Beijing-based cybersecurity company Integrity Tech (also known as Yongxin Zhicheng) for its involvement in cyberattacks attributed to the Chinese…

US sanctions Chinese company linked to Flax Typhoon hackers

US sanctions Chinese company linked to Flax Typhoon hackers #BleepingComputer (Jan 3)

#FlaxTyphoon #IntegrityTech #サイバー攻撃 #中国ハッカー #米国制裁

0 0 0 0
Preview
FBI forced Flax Typhoon to abandon its botnet - Help Net Security
Botnet operated by Chinese state-sponsored threat actor known as Flax Typhoon has been abandoned by the group after law enforcement action.

FBI forced Flax Typhoon to abandon its botnet
www.helpnetsecurity.com/2024/09/19/f...
#Infosec #Security #Cybersecurity #CeptBiro #FBI #FlaxTyphoon #Botnet

0 0 0 0
Preview
US Disrupts ‘Raptor Train’ Botnet of Chinese APT Flax Typhoon
The US government has announced the disruption of Raptor Train, a Flax Typhoon botnet powered by hacked consumer devices.

US Disrupts ‘Raptor Train’ Botnet of Chinese APT Flax Typhoon
www.securityweek.com/us-disrupts-...
#Infosec #Security #Cybersecurity #CeptBiro #US #RaptorTrain #Botnet #ChineseAPT #FlaxTyphoon

0 0 0 0
Preview
Botnet under the control of the Chinese state taken over by the FBI
The US federal police FBI has brought under its control a botnet consisting of hundreds of thousands of internet-enabled devices such as cameras, video recorders, storage devices and routers. This was ...

#Botnetz under the control of the Chinese state taken over by the FBI

The group #FlaxTyphoon targeted critical infrastructure in the USA and other countries. Those affected included companies, media organizations, universities and government agencies.

winfuture.de/news,145385....

1 1 0 0