
Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle 

A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.

The research underscores how AI tools have matured in their offensive cyber capabilities, even though it does not reveal novel or paradigm-shifting uses of the technology.

John Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.

“Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.”

But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.

Gemini was a useful, dynamic and convenient tool for many tasks, helping threat actors in a variety of different ways. In nearly all cases, Google’s reporting suggests that state-sponsored actors relied on Gemini as one tool among many, using it for specific purposes such as automating routine processes, conducting research or reconnaissance and experimenting with malware.

One North Korean group used it to synthesize open-source intelligence about job roles and salary information at cybersecurity and defense companies. Another North Korean group consulted it “multiple days a week” for technical support, using it to troubleshoot problems and generate new malware code when they got stuck during an operation. One Iranian APT used Gemini to “significantly augment reconnaissance” techniques against targeted victims. China, Russia, Iran and North Korea all also used Gemini to create fake articles, personas, and other assets for information operations.

“What’s so interesting about this capability is it’s going to have an effect across the entire intrusion cycle,” Hultquist said.

There are no instances of state groups using Gemini to automate large portions of a cyber attack, as in the Chinese government-backed campaign identified by Anthropic last year. This suggests threat actors may still be struggling to implement fully or mostly automated hacks using AI.

Hultquist said that some state groups, particularly those focused on espionage, may not find the speed and scale advantages of agentic AI useful if it results in louder, more detectable operations. In fact, while state actors continue to experiment with AI models, he believes on average these developments will help smaller cybercriminal outfits more than state-sponsored hackers.

But that could change in the future. Frontier AI companies like Anthropic and cybersecurity startups like XBOW have already developed models with powerful defensive cybersecurity capabilities in vulnerability scanning, reconnaissance and automation. Foreign governments with similar technology could use those same features for offensive hacking, as Chinese actors did with Claude before being discovered.

In December, the UK AI Security Institute’s inaugural report on frontier AI trends found that AI capabilities are improving rapidly across all tested domains, and particularly in cybersecurity.

And the gap between frontier and free, open-source models is shrinking. According to the institute, open-source AI models can now catch up and provide similar capabilities within 4-8 months of a frontier model release.

“The duration of cyber tasks that AI systems can complete without human direction is also rising steeply, from less than 10 minutes in early 2023 to over an hour by mid-2025,” the institute said in its Frontier AI Trends Report in December.

The post Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle appeared first on CyberScoop.

0APT ransomware group rises swiftly with bluster, along with genuine threat of attack

Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.

Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which include high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT cast further doubt on the group’s supposed criminal escapades.

Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.

“While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.

0APT’s infrastructure is sound, including cryptographically strong and fully operational ransomware binaries, unique code and a well-organized panel for affiliates, she said. “Even if researchers assess most claimed victims as fabricated, the underlying ransomware payload represents genuine risk to any organization that encounters it.”

The group’s outlandish claims accentuate the messy state of ransomware, with researcher interest and widespread fear among potential victims — perceived or real — delivering benefits for criminal syndicates that compete for mindshare and co-conspirators.

0APT’s apparent swift rise with a massive alleged victim count that hovered around 200 organizations within its first week online caught the attention of multiple ransomware research firms, resulting in reports this week by Halcyon and GuidePoint Security.

Researchers roundly consider the group’s initial claims an act of deception. This pattern of claiming a high number of victims without substantiating evidence surfaced last year with other ransomware groups, including Babuk2 and FunkSec, which eventually disclosed confirmed victims.

“After those initial fake lists, we started to see legitimate victims as the gangs attracted affiliates and matured into fully functioning ransomware-as-a-service organizations,” Kaiser said.

GuidePoint researchers acknowledge 0APT could evolve into a genuine problem, but they are more dismissive of the group’s capabilities. 

Justin Timothy, principal threat intelligence consultant at GuidePoint, said 0APT’s encryptor isn’t unique or noteworthy amongst its ransomware peers.

“The ransomware encryptor is only one piece of the attack kill chain,” he said. “Threat actors still need to be able to obtain initial access, escalate privilege, and move laterally all while evading detection and endpoint detection and response. These aspects can often take more skill and technical knowledge compared to the creation of encryption malware.”

While 0APT might be running a scam, it doesn’t appear to be a fly-by-night operation. 

The group’s choice of alleged victims appears opportunistic, and those victims predominantly operate in critical infrastructure and data-rich sectors, according to Halcyon. Most of the claimed victims are based in the United States, and the top sectors targeted include health care, professional services, technology, transportation and logistics, energy and manufacturing.

0APT has been consistently adding and removing alleged victims from its data-leak site, which went offline briefly before returning earlier this week with a much lower victim count.

“The group’s early claims appear to focus more on gaining visibility and momentum, believing those will recruit affiliates faster than validity,” Kaiser said.

Attracting affiliates and attention for future operations could be driving some of 0APT’s behavior, but cybercriminals frequently deride such activities once the extent of their lies becomes widely known, said Jason Baker, managing security consultant of threat intelligence at GuidePoint.

“That strategy was almost certainly shortsighted and undermined by 0APT’s fabrications, which render them an unattractive partner or destination for affiliates going forward,” Baker said. “After all, if they’re willing to lie this brazenly about their victims and capabilities, why wouldn’t they lie to their affiliates as well?”

The make-up of 0APT remains unknown, with no obvious lineage or overlap with other ransomware variants, but the group is financially motivated and very aggressive in communications, Kaiser said. 

“While the operators appear to not be novices, we have no evidence of who is running the group or its exact origins,” she added.

Halcyon, which is developing technical analysis on the group, insists 0APT poses a genuine threat that will eventually ensnare legitimate victims. 

“Given the fact that they are attracting attention and operating a capable encryptor, we see the potential as high that real victims may soon appear,” Kaiser said. “A focused rebrand, such as removing all the fake victims and starting to list real victims, even only a few, will be a strong signal that the group has evolved into a serious operation.”

The post 0APT ransomware group rises swiftly with bluster, along with genuine threat of attack appeared first on CyberScoop.

China-based espionage group compromised Notepad++ for six months

A China-based threat group operating for almost two decades broke into the internal systems of Notepad++, an extremely popular open-source code editor, to spy on a select group of targeted users, researchers at Rapid7 said Monday.

Don Ho, the author and maintainer of the open-source tool, said independent security researchers confirmed a China state-sponsored group compromised Notepad++’s server for a six-month period starting in June 2025. Ho, who did not respond to a request for comment, released a software update Dec. 9 claiming to address authentication weaknesses that allowed attackers to hijack the Notepad++ updater client and user traffic.

The Chinese APT group Lotus Blossom, which has been active since at least 2009, gained recurring access and deployed various payloads — including a custom backdoor — to snoop on some users’ activities, according to Rapid7. The espionage group is also known as Billbug, Thrip and Raspberry Typhoon. 

“We have no evidence of bulk data exfiltration,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. “The tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.”

The attacks, which showcased resilience and stealth tradecraft, did not result in a mass compromise of all Notepad++ users, but rather a limited number of affected environments, according to Rapid7.

“Post-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,” Beek added. “The objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom’s historical operations.”

The former hosting provider for Notepad++ said the attackers lost access to the tool’s server on Sept. 2, but maintained legitimate credentials to internal services until Dec. 2, which allowed the attackers to redirect Notepad++ update traffic to malicious servers, Ho said in a blog post. 

Ho did not say when or how they first became aware of unauthorized access to Notepad++’s systems. The website, which attackers targeted to exploit “insufficient update verification controls that existed in older versions of Notepad++,” was moved to a new hosting provider with stronger security practices, Ho said in the blog post.

Beek confirmed that Lotus Blossom’s unauthorized access appears to have been disrupted, noting that its known infrastructure linked to the months-long campaign is no longer active. Some security researchers started surfacing reports of incidents linked to Notepad++ in November.

While Notepad++’s internal system improvements appear to have halted the malicious activity, users running older versions of the software should still update as a precaution, Beek said. “We are not seeing ongoing active exploitation tied to this campaign.”

Lotus Blossom targeted software that provided potential access to many sensitive targets. The Windows-based tool, which was first released in 2003 and typically used as an alternative to Windows Notepad, is widely used by developers, IT administrators, engineers and analysts, including some working in government, telecom, critical infrastructure and media, Beek said.

Many security researchers, analysts and users have taken their concerns to social media to warn about the potential risk of the long-term intrusion and share worries about the ultimate impact of the campaign.

“Observed activity suggests selective, targeted follow-on exploitation,” Beek added, “not opportunistic mass infection.”

The post China-based espionage group compromised Notepad++ for six months appeared first on CyberScoop.

Cisco customers hit by fresh wave of zero-day attacks from China-linked APT

Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 

Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.

There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.

Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

Cisco declined to answer questions about how many customers have been impacted. The company encouraged customers to follow guidance in its advisory to determine if they’re exposed and take steps to mitigate risk, including isolating or rebuilding affected systems.

The spam quarantine feature, which must be on and publicly exposed for attackers to exploit the vulnerability, is not enabled by default, Cisco said. The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Thursday. 

“Highlighting non-standard configurations isn’t the same as blaming users — it’s a relevant technical detail that helps defenders assess exploitation likelihood,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop. 

“The core issue doesn’t change,” he added. “The software fails under certain conditions, and that’s on the vendor to fix. Secure design means accounting for edge cases, even when it’s hard, and not shifting responsibility when they’re exploited.”

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said the non-standard configurations that trigger the defect are an indication that attacks are targeting specific users. Yet, he added, it’s unknown how many Cisco customers have enabled the spam quarantine feature and exposed it to the internet.

Chinese threat groups have consistently exploited Cisco vulnerabilities. The latest attacks follow a widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.

Federal cyber authorities issued an emergency directive in September about the attacks, which impacted multiple government agencies in May. CISA and Cisco did not at that time fully explain why they waited four months from initial response to the attacks to disclose the malicious activity, patch the zero-days and issue the emergency directive.

A spokesperson for Cisco said there’s no evidence the recent attacks are connected to the attacks earlier this year. Cisco attributed the previous attacks to the same threat group behind an early 2024 campaign targeting Cisco devices, which it dubbed “ArcaneDoor.”

The post Cisco customers hit by fresh wave of zero-day attacks from China-linked APT appeared first on CyberScoop.

Amazon pins Cisco, Citrix zero-day attacks to APT group

Amazon’s threat intelligence team said it observed an advanced persistent threat group exploiting zero-day vulnerabilities affecting Cisco Identity Service Engine and Citrix NetScaler products before the vendors disclosed and patched the defects last summer.

Amazon’s MadPot honeypot service detected active exploitation of the critical defects — CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco — and through further investigation determined a highly resourced threat actor was behind the attacks, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Wednesday.

“We assess with high confidence it was the same threat actor observed exploiting both vulnerabilities,” Moses told CyberScoop in an email.

Amazon said its discovery reinforced multiple trends afoot, including threat groups’ increased focus on identity and network edge infrastructure and their ability to quickly weaponize vulnerabilities as zero-days before vendors disclose or patch defects in their products.

The origins and identity of the threat group behind the attacks remain unknown, yet Moses said “prolonged access to the target for espionage is the most likely objective.”

Amazon threat researchers said the threat group used custom malware with a backdoor specifically designed for Cisco ISE environments that demonstrated advanced evasion techniques. “The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals and the specific architectural nuances of the Cisco ISE,” Moses said in the blog post.

Cisco disclosed CVE-2025-20337 on June 25, yet Amazon said exploitation was already underway in May. Amazon discovered the pre-disclosure exploits in early July and traced attacks back to May and June, Moses said.

Amazon disclosed active exploitation of the defect to Cisco, which informed its customers of the issue within hours, Moses added. He did not share information about how many organizations have been impacted by CVE-2025-20337 exploits.

Citrix disclosed CVE-2025-5777, also known as CitrixBleed 2 due to striking similarities with a 2023 defect in the same products, on June 17. The Cybersecurity and Infrastructure Security Agency added the exploit to its known exploited vulnerabilities catalog on July 10.

By mid-July, researchers had observed more than 11.5 million attack attempts, targeting thousands of sites since the exploit was disclosed.

Amazon declined to explain why it’s sharing information about active zero-day exploitation of the Cisco and Citrix defects months later, and the company said it doesn’t have additional information about more recent attacks linked to the vulnerabilities.

Moses noted the threat group’s use of multiple zero-day exploits indicates the attackers have advanced vulnerability research capabilities or access to undisclosed vulnerability information.

The post Amazon pins Cisco, Citrix zero-day attacks to APT group appeared first on CyberScoop.
