
Chinese national extradited to US for pandemic-era Silk Typhoon attacks

A Chinese national allegedly involved in a massive, pandemic-era attack spree that compromised nearly 13,000 U.S. organizations was extradited from Italy to the United States and formally charged in federal court, the Justice Department said Monday.

Xu Zewei and his co-conspirators are accused of exploiting a string of zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatment and testing during the initial wave and subsequent height of the pandemic.

His alleged crimes, directed by China’s intelligence services, were part of a broader espionage campaign known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors and policy think tanks, according to an indictment filed against Xu and Zhang Yu, who remains at large. 

The China state-sponsored threat group behind those attacks against Microsoft customers, and many other vendors’ customers since, is now more widely known as Silk Typhoon.

“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.

“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” he added.

Xu allegedly committed the attacks while working for Shanghai Powerock Network, one of many companies that conducted attacks for China’s various intelligence services, according to court records.

Italian authorities arrested Xu at the United States’ request in Milan in July. His capture underscores the window of opportunity U.S. officials and allies can seize when nation-state attackers travel to countries that cooperate with the United States.

Italy extradited Xu to the United States Saturday but didn’t release his extradition orders until Monday, Simona Candido, his attorney in Italy, told CyberScoop.

Officials said Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.

“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement.

Xu allegedly worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into U.S. organizations’ networks, steal data and implant webshells for persistent remote access. Officials also accuse Xu of stealing information regarding U.S. policymakers and government agencies from a global law firm with offices in Washington. 

Microsoft first warned customers about the HAFNIUM campaign in March 2021. The FBI and Cybersecurity and Infrastructure Security Agency followed soon after with a joint advisory about the widespread compromise of Microsoft Exchange Server. 

“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop.

“Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China’s notorious targeting of not just the American people and their businesses, but individuals globally as well,” Shraberg added.

Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft. 

The 34-year-old faces up to 62 years in prison for his alleged crimes.

The post Chinese national extradited to US for pandemic-era Silk Typhoon attacks appeared first on CyberScoop.

Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules

Two years ago, it was revealed that Chinese hackers had compromised at least ten U.S. telecoms, giving them broad access to phone data affecting nearly all Americans. Since then, public officials charged with responding to the campaign and bolstering the nation’s cyber defenses have reported a common problem.

Many of their constituents struggle to understand why the hacks, carried out by a group called Salt Typhoon, should rank among their top concerns, or how they affect their day-to-day lives.

Some state and federal officials worry that this lack of interest is depriving policymakers the public pressure needed to build momentum for stronger action to improve the nation’s telecommunications cybersecurity.

Mike Geraghty, the CISO and director of the New Jersey Cybersecurity and Communications Cell, said New Jersey is the nation’s most densely populated state, with a high concentration of critical infrastructure and a major telecommunications footprint. For that reason, a campaign like Salt Typhoon should, in theory, be of strong interest to Garden State residents.

“However, if you talk to a person on the street in New Jersey, they’ll say who cares that the Chinese are looking at – you know – what numbers I call?” he said Wednesday at the Billington State and Local Cybersecurity Summit. “It has a big role to play in my job, but trying to get people to understand what that means for New Jersey is really difficult.”

Congress hasn’t passed comprehensive privacy legislation in decades. Meanwhile, cyberattacks that expose sensitive data are widespread, and U.S. companies routinely collect and sell customers’ personal information. Some officials speculate that, taken together, these trends have left Americans numb to data theft and data-for-profit, so additional breaches feel like just another drop in the bucket.

Mischa Beckett, deputy chief information security officer and director of cyber threat intelligence at GDIT, said Salt Typhoon’s focus on telecom data can feel like an abstract threat to many Americans. By contrast, other Chinese hacking campaigns like Volt Typhoon suggest potential damage to water plants and electric grids that are easier to grasp.

“It’s maybe a little bit easier to write off a loss of data … and move on, as unfortunate but no big deal,” said Beckett. “I think that case is much harder to make when we’re talking about pre-positioning and critical infrastructure, things that touch all of our lives every day.”

Last year, a former intelligence official at the Office of the Director of National Intelligence told CyberScoop that a lack of outrage from the public following the Salt Typhoon attacks was dampening momentum for broader regulation or reforms to telecom cybersecurity.

“We can’t accept this level of espionage on our networks,” said Laura Galante, who led the Cyber Threat Intelligence Integration Center under the Biden administration. “If you had 50 Chinese [Ministry of State Security] spies or contractors sitting inside a major [telecom company’s] building, they would be walked out and it would be a full-scale effort. That’s in broad strokes what has happened, but the access was digital.”


China-based espionage group compromised Notepad++ for six months

A China-based threat group operating for almost two decades broke into the internal systems of Notepad++, an extremely popular open source-code editor, to spy on a select group of targeted users, researchers at Rapid7 said Monday.

Don Ho, the author and maintainer of the open-source tool, said independent security researchers confirmed a China state-sponsored group compromised Notepad++’s server for a six-month period starting in June 2025. Ho, who did not respond to a request for comment, released a software update Dec. 9 claiming to address authentication weaknesses that allowed attackers to hijack the Notepad++ updater client and user traffic.

The Chinese APT group Lotus Blossom, which has been active since at least 2009, gained recurring access and deployed various payloads — including a custom backdoor — to snoop on some users’ activities, according to Rapid7. The espionage group is also known as Billbug, Thrip and Raspberry Typhoon. 

“We have no evidence of bulk data exfiltration,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. “The tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.”

The attacks, which showcased resilience and stealth tradecraft, did not result in a mass compromise of all Notepad++ users, but rather a limited number of affected environments, according to Rapid7.

“Post-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,” Beek added. “The objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom’s historical operations.”

According to Notepad++’s former hosting provider, the attackers lost access to the tool’s server on Sept. 2 but retained legitimate credentials for internal services until Dec. 2, which allowed them to redirect Notepad++ update traffic to malicious servers, Ho said in a blog post.

Ho did not say when or how he first became aware of unauthorized access to Notepad++’s systems. The website, which attackers targeted to exploit “insufficient update verification controls that existed in older versions of Notepad++,” was moved to a new hosting provider with stronger security practices, Ho said in the blog post.

Beek confirmed that Lotus Blossom’s unauthorized access appears to have been disrupted, noting that its known infrastructure linked to the months-long campaign is no longer active. Some security researchers started surfacing reports of incidents linked to Notepad++ in November.

While Notepad++’s internal system improvements appear to have halted the malicious activity, users running older versions of the software should still update as a precaution, Beek said. “We are not seeing ongoing active exploitation tied to this campaign.”

Lotus Blossom targeted software that provided potential access to many sensitive targets. The Windows-based tool, which was first released in 2003 and typically used as an alternative to Windows Notepad, is widely used by developers, IT administrators, engineers and analysts, including some working in government, telecom, critical infrastructure and media, Beek said.

Many security researchers, analysts and users have taken their concerns to social media to warn about the potential risk of the long-term intrusion and share worries about the ultimate impact of the campaign.

“Observed activity suggests selective, targeted follow-on exploitation,” Beek added, “not opportunistic mass infection.”


Long-running North Korea threat group splits into 3 distinct operations

A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a report released Thursday.

Labeled “Labyrinth Chollima” by the company, the group follows a divergence pattern CrowdStrike observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been operating since 2020, allow Labyrinth Chollima to narrow its focus on espionage, targeting victims in the manufacturing, logistics, defense and aerospace industries. 

Golden Chollima and Pressure Chollima are squarely focused on stealing cryptocurrency, which funnels money back to the regime, with some of the proceeds funding North Korea’s cyber operations. Pressure Chollima, which was responsible for last year’s record-breaking $1.46 billion cryptocurrency theft, targets high-payout opportunities and has evolved into one of North Korea’s most technically advanced threat groups, according to CrowdStrike.

The groups, which descend from the more broadly defined Lazarus Group, share some tools and infrastructure, indicating centralized coordination, but they have also developed more specialized capabilities for their specific objectives, researchers said.

As North Korea’s threat groups continue to branch out, the rogue nation is developing more capabilities and expanding its reach and impact, Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

“What we’re seeing down range is now aligned with what we’ve seen from a bureaucratic perspective up range,” Meyers said. 

“Over time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew,” he added. “They’ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance.” 

CrowdStrike currently tracks eight distinct North Korea-backed threat groups, with the addition of Golden Chollima and Pressure Chollima. The cybersecurity firm expects the groups focused on cryptocurrency theft to scale their operations as international sanctions impair North Korea’s economy.

Labyrinth Chollima has more recently targeted European aerospace companies, defense manufacturers, logistics and shipping companies, and U.S.-based critical infrastructure providers, including those involved in hydroelectric power. The threat group, which other firms track as Diamond Sleet and Operation Dream Job, has also developed a knack for employment-themed social engineering, researchers said.

“North Korea is probably one of the top-notch actors out there. A lot of people don’t give them credit for that,” Meyers said.

CrowdStrike’s research on Labyrinth Chollima’s spin-offs aims to help organizations defend against these distinct threats, and it also provides indicators of compromise and malware samples observed in various attacks.

“You need to know who the threats are to your specific industry and geolocation, because you can’t defend against all the threats all the time,” Meyers said. “You can’t boil the ocean.”


Congress calls on Anthropic CEO to testify on Chinese Claude espionage campaign

The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.

The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.

“This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse,” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y., and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.

The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.

Committee leaders cited a need to closely examine “how advances in artificial intelligence, quantum computing and related technologies, and hyperscale cloud infrastructure are reshaping both defensive capabilities and the operational tradecraft available to state-sponsored cyber actors,” according to a copy of the letter sent to Zervigon.

As “adversaries may seek to pair AI-enabled tradecraft with emerging quantum capabilities to undermine today’s cryptographic protections, your insight into integrating quantum-resilient technologies into existing cybersecurity systems, managing cryptographic agility at scale, and preparing federal and commercial networks for post-quantum threats will be critical,” the members wrote.

News of the upcoming hearing was first reported by Axios.

The hearing comes as policymakers and cybersecurity defenders continue to grapple with the fallout from Anthropic’s disclosure, with some cybersecurity experts asking for more technical details that would allow organizations to prepare for any heightened threats from AI hacking campaigns. Others have questioned the extent to which human expertise was relied upon to orchestrate, validate and guide Anthropic’s AI model during the attack.


Amazon pins Cisco, Citrix zero-day attacks to APT group

Amazon’s threat intelligence team said it observed an advanced persistent threat group exploiting zero-day vulnerabilities affecting Cisco Identity Service Engine and Citrix NetScaler products before the vendors disclosed and patched the defects last summer.

Amazon’s MadPot honeypot service detected active exploitation of the critical defects — CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco — and through further investigation determined a highly resourced threat actor was behind the attacks, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Wednesday.

“We assess with high confidence it was the same threat actor observed exploiting both vulnerabilities,” Moses told CyberScoop in an email.

Amazon said its discovery reinforced several ongoing trends, including threat groups’ increased focus on identity and network edge infrastructure and their ability to quickly weaponize vulnerabilities as zero-days before vendors disclose or patch defects in their products.

The origins and identity of the threat group behind the attacks remain unknown, yet Moses said “prolonged access to the target for espionage is the most likely objective.”

Amazon threat researchers said the threat group used custom malware with a backdoor specifically designed for Cisco ISE environments that demonstrated advanced evasion techniques. “The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals and the specific architectural nuances of the Cisco ISE,” Moses said in the blog post.

Cisco disclosed CVE-2025-20337 on June 25, yet Amazon said exploitation was already underway in May. Amazon discovered the pre-disclosure exploits in early July and traced attacks back to May and June, Moses said.

Amazon disclosed active exploitation of the defect to Cisco, which informed its customers of the issue within hours, Moses added. He did not share information about how many organizations have been impacted by CVE-2025-20337 exploits.

Citrix disclosed CVE-2025-5777, also known as CitrixBleed 2 due to striking similarities with a 2023 defect in the same products, on June 17. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on July 10.

By mid-July, researchers had observed more than 11.5 million attack attempts against thousands of sites since the vulnerability was disclosed.

Amazon declined to explain why it’s sharing information about active zero-day exploitation of the Cisco and Citrix defects months later, and the company said it doesn’t have additional information about more recent attacks linked to the vulnerabilities.

Moses noted the threat group’s use of multiple zero-day exploits indicates the attackers have advanced vulnerability research capabilities or access to undisclosed vulnerability information.

