eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy.

#backdoor

6 posts · 5 participants · 0 posts today

Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key updates include a new command to support BOF execution in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&C communications. The attack chain involves compromised email accounts, malicious Excel files, and various evasion techniques. This campaign demonstrates Earth Kasha's continued evolution and poses significant geopolitical implications.

Pulse ID: 6813da43537c3d86e6ba3ca2
Pulse Link: otx.alienvault.com/pulse/6813d
Pulse Author: AlienVault
Created: 2025-05-01 20:32:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
#APT10 #BackDoor #CandC
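The post above notes that NOOPDOOR now carries its command-and-control over DNS over HTTPS. The script below is an added example, not code from the post or from the Earth Kasha research it summarises: it runs a simple RFC 8484 detection over forward-proxy log lines and separates DoH to resolvers the organisation has sanctioned (the allowlist here is an assumption) from DoH to arbitrary endpoints, which is the pattern a C2 channel would show. The log format (epoch, client, method, URL, request and response content type, status) and the sample lines are constructed for the example.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests to unexpected endpoints in proxy logs.

Added example; not code from the original post or from the Earth Kasha
research. Assumes a forward proxy writing one request per line in the
field order shown in SAMPLE_LOG. All log lines are constructed.
"""
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Resolvers browsers are permitted to use for DoH (assumed site policy).
ALLOWED_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample: epoch client method url req-content-type resp-content-type status
SAMPLE_LOG = """\
1746130000.123 10.0.0.15 GET https://www.example.com/index.html - text/html 200
1746130001.456 10.0.0.15 POST https://dns.google/dns-query application/dns-message application/dns-message 200
1746130002.789 10.0.0.22 GET https://203.0.113.9/dns-query?dns=AAABAAABAAAAAAAAA2ZvbwNjb20AAAEAAQ - application/dns-message 200
1746130003.001 10.0.0.15 POST https://updates.example.net/check application/json application/json 200
1746130004.500 10.0.0.22 GET https://203.0.113.9/dns-query?dns=AAABAAABAAAAAAAAA2JhcgNjb20AAAEAAQ - application/dns-message 200
"""


def is_doh_request(method: str, url: str, req_ct: str, resp_ct: str) -> bool:
    """RFC 8484 markers: an application/dns-message body in either direction,
    or a GET carrying the base64url query in a 'dns' parameter. The /dns-query
    path is only a convention, so it is the weakest of the three signals."""
    parts = urlsplit(url)
    if "application/dns-message" in (req_ct, resp_ct):
        return True
    if method == "GET" and "dns" in parse_qs(parts.query):
        return True
    return parts.path.rstrip("/").endswith("/dns-query")


def scan(log: str) -> List[Dict[str, str]]:
    """Return one event per DoH request, marked allowed-resolver or suspicious."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, req_ct, resp_ct, status = line.split()
        if not is_doh_request(method, url, req_ct, resp_ct):
            continue
        host = urlsplit(url).hostname or ""
        verdict = "allowed-resolver" if host in ALLOWED_DOH_HOSTS else "suspicious"
        events.append({"ts": ts, "client": client, "host": host, "verdict": verdict})
    return events


def summarize(events: List[Dict[str, str]]) -> Counter:
    """Count suspicious DoH requests per (client, endpoint) pair for triage."""
    return Counter((e["client"], e["host"]) for e in events if e["verdict"] == "suspicious")


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for event in found:
        print(event)
    print(summarize(found))
```

Run against the constructed sample, the dns.google request is reported as an allowed resolver while the two requests from 10.0.0.22 to the IP-literal endpoint 203.0.113.9 are flagged; a DoH client that talks to a host outside the allowlist, especially one addressed by IP, is worth a closer look regardless of the malware family behind it.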

TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool for adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows them to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and utilizes DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting it may be a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.

Pulse ID: 68124373bde0da2a4679b021
Pulse Link: otx.alienvault.com/pulse/68124
Pulse Author: AlienVault
Created: 2025-04-30 15:36:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

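The post above describes adversary-in-the-middle via IPv6 SLAAC spoofing: a host on the local link sends Router Advertisements so that neighbours configure addresses, a default route or a resolver from it. The script below is an added example, not code from the post or from the research on Spellbinder: it parses ICMPv6 Router Advertisements (RFC 4861, with the RDNSS option of RFC 8106) and checks each one against an assumed inventory of the site's legitimate routers, prefixes and resolvers, which is the kind of rogue-RA check a network sensor can run. It assumes a capture pipeline that has already stripped the Ethernet and IPv6 headers and hands over the frame's source MAC, source IPv6 address and ICMPv6 payload; the two packets it inspects are constructed for the example.

```python
"""Rogue Router Advertisement check for IPv6 SLAAC spoofing.

Added example; not code from the original post or from the Spellbinder
research. Assumes a capture feed that supplies (source MAC, source IPv6,
ICMPv6 payload) per frame. The sample RAs are constructed, not captured.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25                      # RFC 8106


@dataclass
class RouterAdvertisement:
    src_mac: str
    src_ip: str
    router_lifetime: int
    link_layer_addr: Optional[str] = None
    # (prefix, A flag); with A set, hosts autoconfigure addresses from the prefix
    prefixes: List[Tuple[ipaddress.IPv6Network, bool]] = field(default_factory=list)
    rdnss: List[ipaddress.IPv6Address] = field(default_factory=list)


def parse_ra(src_mac: str, src_ip: str, payload: bytes) -> RouterAdvertisement:
    """Parse the RA header and the options relevant to SLAAC and DNS."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    router_lifetime = struct.unpack("!BBHBBHII", payload[:16])[5]
    ra = RouterAdvertisement(src_mac.lower(), src_ip, router_lifetime)
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                      # forbidden by RFC 4861 section 4.6
            raise ValueError("zero-length option")
        opt = payload[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra.link_layer_addr = opt[2:8].hex(":")
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, flags = opt[2], opt[3]
            net = ipaddress.IPv6Network((opt[16:32], prefix_len), strict=False)
            ra.prefixes.append((net, bool(flags & 0x40)))
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            for i in range(8, opt_len * 8, 16):
                ra.rdnss.append(ipaddress.IPv6Address(opt[i:i + 16]))
        off += opt_len * 8
    return ra


def check_ra(ra, trusted_routers, trusted_prefixes, trusted_dns) -> List[str]:
    """Findings for an RA that does not match the site's known routers."""
    findings = []
    if ra.src_mac not in trusted_routers:
        findings.append(f"RA from unknown router MAC {ra.src_mac}")
    if ra.link_layer_addr and ra.link_layer_addr != ra.src_mac:
        findings.append("source link-layer option does not match frame source MAC")
    for net, autonomous in ra.prefixes:
        if autonomous and net not in trusted_prefixes:
            findings.append(f"SLAAC prefix {net} not in allowlist")
    for dns in ra.rdnss:
        if dns not in trusted_dns:
            findings.append(f"RDNSS pushes untrusted resolver {dns}")
    return findings


def build_ra(mac: bytes, prefix: str, dns: str) -> bytes:
    """Construct a test RA (checksum left zero; the parser does not verify it)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    sll = bytes([OPT_SOURCE_LINK_LAYER, 1]) + mac
    pio = (bytes([OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0])   # L and A flags set
           + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)
    rdnss = bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 1800) + ipaddress.IPv6Address(dns).packed
    return header + sll + pio + rdnss


# Assumed site inventory: one legitimate router, one prefix, one resolver.
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}
TRUSTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
TRUSTED_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}


def demo():
    legit = parse_ra("00:11:22:33:44:55", "fe80::1",
                     build_ra(bytes.fromhex("001122334455"), "2001:db8:1::/64", "2001:db8:1::53"))
    # A rogue host on the same link advertises the real prefix but pushes itself as resolver.
    rogue = parse_ra("de:ad:be:ef:00:01", "fe80::dead:beef",
                     build_ra(bytes.fromhex("deadbeef0001"), "2001:db8:1::/64", "2001:db8:1::1337"))
    return (check_ra(legit, TRUSTED_ROUTERS, TRUSTED_PREFIXES, TRUSTED_DNS),
            check_ra(rogue, TRUSTED_ROUTERS, TRUSTED_PREFIXES, TRUSTED_DNS))


if __name__ == "__main__":
    for name, findings in zip(("legit", "rogue"), demo()):
        print(name, findings or "ok")
```

The rogue RA in the sample reuses the site's real prefix, so a check on prefixes alone would miss it; the unknown source MAC and the RDNSS option pointing at an address nobody provisioned as a resolver are what trigger the findings. On hosts, the same exposure is reduced by RA Guard on the switch port or by disabling router discovery on interfaces that do not need it.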

‘ProtectEU’ security strategy: a step further towards a digital dystopian future edri.org/our-work/protecteu-se
The European Commission presented an internal security strategy that would undermine digital rights and even increase security threats. We unpack what ‘ProtectEU’ means for the EU’s future digital policy, including on encryption, data retention, and border surveillance. #ChatControl #ProtectEU #BackDoor

European Digital Rights (EDRi): ‘ProtectEU’ security strategy. The European Commission presented an internal security strategy that would undermine digital rights and even increase security threats.

Sophisticated backdoor mimicking secure networking software updates

A sophisticated backdoor targeting Russian organizations in government, finance, and industrial sectors has been discovered. The malware masquerades as updates for ViPNet, a secure networking software suite. It is distributed via LZH archives containing legitimate and malicious files. The backdoor exploits a path substitution technique to execute a malicious loader, which then decrypts and loads a versatile payload capable of connecting to a C2 server, stealing files, and launching additional malicious components. The complexity of this attack highlights the need for multi-layered security measures to protect against advanced persistent threats.

Pulse ID: 6807bc7e44edbbe6afa50132
Pulse Link: otx.alienvault.com/pulse/6807b
Pulse Author: AlienVault
Created: 2025-04-22 15:57:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

A new version of the MysterySnail RAT, attributed to the Chinese-speaking IronHusky APT group, has been detected targeting government organizations in Mongolia and Russia. The malware, which hadn't been publicly reported since 2021, now features a modular architecture with five additional DLL modules for command execution. A lightweight version dubbed MysteryMonoSnail was also observed. The infection chain involves a malicious MMC script, an intermediary backdoor, and the main MysterySnail RAT payload. The attackers use public file storage and the piping-server project for command and control. This case highlights the importance of maintaining vigilance against seemingly obsolete malware families, as they may continue operating undetected for extended periods.

Pulse ID: 6800fcd0995e011520970651
Pulse Link: otx.alienvault.com/pulse/6800f
Pulse Author: AlienVault
Created: 2025-04-17 13:06:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


ProtectEU threatens End-to-End-Encryption across VPNs, messaging apps, and secure email services.

This is part of a growing global trend where governments push for backdoors under the guise of national security. While aimed at combating crime, these proposals risk eroding digital privacy, weakening cybersecurity, and potentially driving privacy-focused services out of EU jurisdictions altogether.

forum.hashpwn.net/post/562

hashpwn · Infosec News: EU's "ProtectEU" Plan Threatens End-to-End Encryption Across VPNs, Messaging Apps, and Secure Email Services. The EU Commission has launched ProtectEU, a bro...

While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a #backdoor, or "Bdoor," to extract files from #NLRB's internal case management system, known as NxGen, acc/to several #cybersecurity experts who reviewed Berulis' conclusions.

…NxGen is an internal system that was designed specifically for the NLRB in-house, acc/to several of the engineers who created the tool….

#criminal #law #Trump