惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
T
Troy Hunt's Blog
The Last Watchdog
The Last Watchdog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Secure Thoughts
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 司徒正美
TaoSecurity Blog
TaoSecurity Blog
博客园 - Franky
有赞技术团队
有赞技术团队
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
NISL@THU
NISL@THU
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Recent Commits to openclaw:main
Recent Commits to openclaw:main
K
Kaspersky official blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
W
WeLiveSecurity
SecWiki News
SecWiki News
Google DeepMind News
Google DeepMind News
O
OpenAI News
V
V2EX
AI
AI
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
大猫的无限游戏
大猫的无限游戏
美团技术团队
C
Cyber Attacks, Cyber Crime and Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 三生石上(FineUI控件)
G
GRAHAM CLULEY
月光博客
月光博客
T
Threatpost
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
爱范儿
爱范儿
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cloudbric
Cloudbric
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
N
News | PayPal Newsroom
Know Your Adversary
Know Your Adversary

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach CrowdStrike, Google shatter Glassworm botnet MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets macOS ClickFix attacks deliver AppleScript stealers Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea North Korea targets macOS users in latest heist McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Mercor says it was 'one of thousands' hit in LiteLLM attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds EU law advisor wants cybercrime protections fast-tracked Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
Chinese spy group caught lurking in Poland, Asia networks
Jessica Lyons Jessica Lyons · 2026-04-30 · via The Register - Security: Cyber-crime

EXCLUSIVE A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.

I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments?

In a report shared exclusively with The Register, TrendAI researchers say the new group, which they track as Shadow-Earth-053, targeted government agencies, defense contractors, technology firms, and the transportation industry. The Chinese spies typically gain initial access to victim environments via vulnerable Microsoft Exchange Servers. 

In "multiple" of these intrusions, they compromised victim organizations up to 8 months before deploying ShadowPad, a custom backdoor used by China's APT41 for almost a decade, and shared among multiple China-aligned groups since 2019.

About half of the victims were also compromised by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared identical tool hashes and overlapping techniques with Shadow-Earth-053. The 054 group has some network overlaps with Chinese crews tracked as CL-STA-0049 by Palo Alto Networks' Unit 42, REF7707 by Elastic Security Labs, and Earth Alux.

Tom Kellermann, TrendAI VP of AI security and threat research, likened the new Chinese groups to Salt Typhoon and Volt Typhoon

Salt hacked telecommunications and government agencies to gain stealthy, long-term access to victim organizations going back as far as 2019. And Volt followed in mid-2021, burrowing deep into critical US networks to preposition for future destructive attacks. Neither of these hacking campaigns came to light until late 2023. 

"Shadow-Earth-053 followed Shadow-Earth-054, conducting reconnaissance and borrowing into the defense industries and defense ministries of nation states that are aligned with the US and also supportive of Taiwan's independence," Kellermann said in an exclusive interview with The Register

"I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments? Whether or not they have already prepositioned wipers or destructive capabilities," Kellermann continued. "They're following in the footsteps of the Typhoon campaigns, they look like the younger brother and sister of the Typhoon campaigns, and they're island-hopping through the defense sectors and ministries of those nations for a reason."

Shadow-Earth-053's victims spanned at least eight countries, according to TrendAI's investigation. Most of the observed targets were located in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with at least one target - a defense-sector organization - in Poland.  

Kellermann also suggested that the network intruders are paying close attention to next month's summit between US President Trump and Chinese President Xi.

"Volt essentially had unrequited access to critical infrastructures, energy sector, etc., and it was all for the purposes of ongoing espionage, but most importantly, maintaining sabotage capability, like destructive attacks, should geopolitical tension exacerbate," Kellermann said in an exclusive interview with The Register. "Here we are, leading up to the May 14 and 15 meeting between President Trump and President Xi and, God forbid, the 15th goes sideways."

Exchange server bugs: the gifts that keep on giving

Shadow-Earth-053 typically exploits external services to hack into targeted networks. The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite. 

Salt Typhoon and other Chinese government snoops also abused ProxyLogon to breach critical US networks back in 2021, when it was first disclosed, and it's remained a top-exploited vulnerability ever since. So if you haven't already: patch these Exchange server bugs.

After compromising the sever, Shadow-Earth-053 installs web shells - Godzilla is a commonly used one with this and other China-based crews - and then deploys the ShadowPad backdoor.

In one instance, the snoops delivered ShadowPad malware via legitimate, and popular, remote desktop tool AnyDesk. TrendAI says this suggests the attacker either used a prior compromise or abused stolen credentials. "The limited visibility into this intrusion prevents us from determining whether this represents an alternative initial access method or a later-stage deployment following an unobserved entry point," the authors wrote. 

Shadow-y malware and legit Windows tools

In a separate instance, the incident responders found Linux NoodleRat backdoors - also widely used by Chinese espionage and cybercrime groups - deployed after Shadow-Earth-053 exploited another widely-abused Microsoft security hole: React2Shell (CVE-2025-55182), a critical flaw in React Server Components that can allow attackers to run arbitrary code on vulnerable servers.

The group takes measures to avoid being detected on networks and make their malicious traffic appear legitimate. In one victim's environment, TrendAI detected RingQ, an open-source tool developed in China and available on GitHub that can be used to pack malicious binaries to evade detection by security solutions. The intruders also use domain names that impersonate products, security companies, or are related to the DNS protocol.

In some instances, the group renamed legitimate Windows system binaries to evade process-based detection. 

"They're using tools that we've seen before, and I think they are doing that on purpose, just to get lost in the noise," Kellermann said. 

To move laterally through victim environments, Shadow-Earth-053 uses Windows Management Instrumentation Command-line (WMIC) and installs backdoors onto additional hosts. In one environment, the group propagated web shells to additional internal Exchange servers by using existing administrative credentials - and they continue collecting credentials as they travel through compromised systems, using tools like Evil-CreateDump.

Targeting Poland, a NATO country, "highlights how cyber espionage and a cyber warfare is burgeoning," Kellermann said. "And not only is it burgeoning, but this is the direct prepositioning of these assets to colonize these infrastructures for the purpose of not just espionage, but long term sabotage, if need be." ®