惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
L
Lohrmann on Cybersecurity
Security Latest
Security Latest
T
Threatpost
H
Heimdal Security Blog
W
WeLiveSecurity
A
Arctic Wolf
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
IT之家
IT之家
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
TaoSecurity Blog
TaoSecurity Blog
A
About on SuperTechFans
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Last Week in AI
Last Week in AI
T
The Blog of Author Tim Ferriss
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
量子位
Stack Overflow Blog
Stack Overflow Blog
Know Your Adversary
Know Your Adversary
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
WordPress大学
WordPress大学
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security

The Register - Security

Are we human? MyPillow must decide whether to be firm or soft as ransomware crims demand pay Experts pour cold borscht on Farage's Russian hack claim AI eyes scanning for bugs create a worrisome Linux security trend A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Techie claims Trump Mobile website was leaking thousands of people's data Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Microsoft open-sources agentic AI safety tools Are we human? America's top cyber-defense agency left a GitHub repo open with with passwords, keys, tokens – and incredibly obvious filenames America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames Shai-Hulud copycat worm infects yet another npm package MPs want social media treated more like unsafe toys than harmless apps Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data To gain root access, intruder just had to ask AWS patched Quick auth bypass, says customers weren't using control Disgruntled researcher releases two more Microsoft zero-days Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files US bank reports itself after slinging customer data at 'unauthorized AI app' Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator Best Western Hotels confirms web app data breach Arctic Wolf cuts 250 jobs in AI push 1 in 8 workers say selling company logins is justifiable Iran cyberspies LARPing as ransomware crims in espionage ops UK age-gating plans risk breaking the internet, privacy groups warn India orders infosec red alert in case Mythos sparks crime 'CopyFail' attackers start cashing in on Linux flaw ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Singapore boffins get diverse SIEMs singing in harmony Shadow IT has given way to shadow AI. Enter AI-BOMs AI-BOMs replace SBOMs as way to track AI agents and bots Home Office adds £216M to travel doc contract before bids FBI: China's hacker-for-hire ecosystem 'out of control' UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Critical cPanel, WHM flaw probs exploited as 0-day, pros say ORNL builds more sensitive GPS interference detector Microsoft patch fell short. New Windows flaw exploited Fooling large language models just keeps getting simpler Wiz hands GitHub AI-aided bug report that isn Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Cybersecurity professional getting more work and less pay Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning Intel expects AI inference to drive demand for its CPUs Open source models can find bugs as well as Mythos Researchers find sabotage malware that may predate Stuxnet Attackers could disable all of a city's public EV chargers Age checks could turn internet into an ID checkpoint, complains Proton CEO If malware via monitor cables is a matter of national security, this might be the gadget for you France's 'Secure' ID agency probes breach as crooks claim 19M records Scotland Yard can keep using live facial recognition on Londoners, say judges Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Scot becomes second Scattered Spider-linked crook to plead guilty in US Just like phishing for gullible humans, prompt injecting AIs is here to stay Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Server-room lock was nothing but a crock Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Autovista blames ransomware for service disruption French cops free mother and son after crypto kidnapping UK told its Big Tech habit is now a national security risk Commvault has a Ctrl+Z for rogue AI agents No honor among thieves as 0APT threatens rival ransomware gang Krybit Fake Linux leader using Slack to con devs into giving up their secrets Booking.com warns of possible reservation data exposure NHS pays £46K to prep next Microsoft licensing round China wants AI to prepare school lessons and mark homework Anthropic's Mythos has The Kettle crew curious, skeptical Two different attackers poisoned popular open source tools Hungary officials used weak passwords exposed in breach dump CPUID hijacked to serve malware as HWMonitor downloads Unpacking AI security 2026 from experimentation agentic era Microsoft locks out top open source devs, blames process NHS Scotland-linked domains push pr0n and illegal streams Iran cyber actors disrupting US water, energy facilities, FBI warns Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Hundreds of orgs compromised daily in Microsoft device code phishing attacks AI agents found vulns in this Linux and Unix print server Don't glamorize cybercrims, roast them instead Trump wants to take a battle axe to CISA again and slash $707M from budget
Chinese spy group caught lurking in Poland, Asia networks
Jessica Lyons Jessica Lyons · 2026-04-30 · via The Register - Security

EXCLUSIVE A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.

I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments?

In a report shared exclusively with The Register, TrendAI researchers say the new group, which they track as Shadow-Earth-053, targeted government agencies, defense contractors, technology firms, and the transportation industry. The Chinese spies typically gain initial access to victim environments via vulnerable Microsoft Exchange Servers. 

In "multiple" of these intrusions, they compromised victim organizations up to 8 months before deploying ShadowPad, a custom backdoor used by China's APT41 for almost a decade, and shared among multiple China-aligned groups since 2019.

About half of the victims were also compromised by a related group, Shadow-Earth-054, which exploited the same vulnerabilities and shared identical tool hashes and overlapping techniques with Shadow-Earth-053. The 054 group has some network overlaps with Chinese crews tracked as CL-STA-0049 by Palo Alto Networks' Unit 42, REF7707 by Elastic Security Labs, and Earth Alux.

Tom Kellermann, TrendAI VP of AI security and threat research, likened the new Chinese groups to Salt Typhoon and Volt Typhoon

Salt hacked telecommunications and government agencies to gain stealthy, long-term access to victim organizations going back as far as 2019. And Volt followed in mid-2021, burrowing deep into critical US networks to preposition for future destructive attacks. Neither of these hacking campaigns came to light until late 2023. 

"Shadow-Earth-053 followed Shadow-Earth-054, conducting reconnaissance and borrowing into the defense industries and defense ministries of nation states that are aligned with the US and also supportive of Taiwan's independence," Kellermann said in an exclusive interview with The Register

"I'm concerned about what they are leaving behind: What type of C2 on a sleep cycle is still lingering in these environments? Whether or not they have already prepositioned wipers or destructive capabilities," Kellermann continued. "They're following in the footsteps of the Typhoon campaigns, they look like the younger brother and sister of the Typhoon campaigns, and they're island-hopping through the defense sectors and ministries of those nations for a reason."

Shadow-Earth-053's victims spanned at least eight countries, according to TrendAI's investigation. Most of the observed targets were located in Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, with at least one target - a defense-sector organization - in Poland.  

Kellermann also suggested that the network intruders are paying close attention to next month's summit between US President Trump and Chinese President Xi.

"Volt essentially had unrequited access to critical infrastructures, energy sector, etc., and it was all for the purposes of ongoing espionage, but most importantly, maintaining sabotage capability, like destructive attacks, should geopolitical tension exacerbate," Kellermann said in an exclusive interview with The Register. "Here we are, leading up to the May 14 and 15 meeting between President Trump and President Xi and, God forbid, the 15th goes sideways."

Exchange server bugs: the gifts that keep on giving

Shadow-Earth-053 typically exploits external services to hack into targeted networks. The years-old ProxyLogon (CVE-2021-26855), which can be chained with other Microsoft Exchange Server bugs (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to achieve remote code execution, is a favorite. 

Salt Typhoon and other Chinese government snoops also abused ProxyLogon to breach critical US networks back in 2021, when it was first disclosed, and it's remained a top-exploited vulnerability ever since. So if you haven't already: patch these Exchange server bugs.

After compromising the sever, Shadow-Earth-053 installs web shells - Godzilla is a commonly used one with this and other China-based crews - and then deploys the ShadowPad backdoor.

In one instance, the snoops delivered ShadowPad malware via legitimate, and popular, remote desktop tool AnyDesk. TrendAI says this suggests the attacker either used a prior compromise or abused stolen credentials. "The limited visibility into this intrusion prevents us from determining whether this represents an alternative initial access method or a later-stage deployment following an unobserved entry point," the authors wrote. 

Shadow-y malware and legit Windows tools

In a separate instance, the incident responders found Linux NoodleRat backdoors - also widely used by Chinese espionage and cybercrime groups - deployed after Shadow-Earth-053 exploited another widely-abused Microsoft security hole: React2Shell (CVE-2025-55182), a critical flaw in React Server Components that can allow attackers to run arbitrary code on vulnerable servers.

The group takes measures to avoid being detected on networks and make their malicious traffic appear legitimate. In one victim's environment, TrendAI detected RingQ, an open-source tool developed in China and available on GitHub that can be used to pack malicious binaries to evade detection by security solutions. The intruders also use domain names that impersonate products, security companies, or are related to the DNS protocol.

In some instances, the group renamed legitimate Windows system binaries to evade process-based detection. 

"They're using tools that we've seen before, and I think they are doing that on purpose, just to get lost in the noise," Kellermann said. 

To move laterally through victim environments, Shadow-Earth-053 uses Windows Management Instrumentation Command-line (WMIC) and installs backdoors onto additional hosts. In one environment, the group propagated web shells to additional internal Exchange servers by using existing administrative credentials - and they continue collecting credentials as they travel through compromised systems, using tools like Evil-CreateDump.

Targeting Poland, a NATO country, "highlights how cyber espionage and a cyber warfare is burgeoning," Kellermann said. "And not only is it burgeoning, but this is the direct prepositioning of these assets to colonize these infrastructures for the purpose of not just espionage, but long term sabotage, if need be." ®