• Security researchers have unveiled a sophisticated Linux rootkit capable of bypassing Elastic Security’s advanced detection mechanisms, demonstrating critical vulnerabilities in endpoint detection and response solutions. The Singularity rootkit employs multiple obfuscation and evasion techniques to defeat static signature analysis and behavioral monitoring systems that typically identify malicious kernel modules. Elastic Security’s endpoint detection framework typically […]

    The post Researchers Develop Linux Rootkit That Evades Elastic EDR Protections appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Sophisticated threat actors have orchestrated a coordinated multilingual phishing campaign targeting financial and government organizations across East and Southeast Asia.

    The campaign leverages carefully crafted ZIP file lures combined with region-specific web templates to deceive users into downloading staged malware droppers.

    Recent analysis reveals three interconnected clusters spanning Traditional Chinese, English, and Japanese-language variants, each tailored to specific geographic and sectoral targets.

    This demonstrates a deliberate shift from localized operations toward a scalable, automation-driven infrastructure capable of targeting multiple regions simultaneously with minimal adaptation.

    The campaign evolved from earlier phishing waves that originally impersonated Taiwan’s Ministry of Finance, initially delivering malicious PDFs hosted on Tencent Cloud.

    As threat actors refined their approach, they transitioned toward custom domains embedding regional markers such as “tw” for Taiwan, expanding their reach to Japan and Southeast Asia.

    The infrastructure now employs multilingual web templates with shared backend logic, indicating either a single operator managing multiple campaigns or a distributed toolkit enabling rapid deployment across regions.

    Hunt.io analysts identified the campaign through coordinated infrastructure analysis using HuntSQL-based pivoting.

    Researchers discovered 28 webpages distributed across three clusters: 12 in Traditional Chinese, 12 in English, and 4 in Japanese.

    Each cluster shares unified backend logic utilizing download.php and visitor_log.php scripts, indicating centralized infrastructure designed for automated payload delivery at scale.

    The threat actors employ compelling social engineering lures incorporating bureaucratic, payroll, and tax-related filenames.

    A mindmap of eleven interconnected webpages with the title ‘文件下載’ (Source – Hunt.io)

    The Chinese cluster distributes archives named “Tax Invoice List” and “Financial Confirmation Form,” while the English variant uses “Tax Filing Documents” and generic compliance themes.

    Japanese-language pages specifically target salary system revisions and tax agency notifications, demonstrating sophisticated understanding of regional corporate communication patterns.

    Infection Mechanism and Detection Evasion

    The technical implementation reveals a multi-stage infection approach designed to evade conventional email and web filters.

    When users visit phishing pages, JavaScript executes visitor_log.php to record IP addresses and user-agent information, establishing tracking infrastructure for potential follow-up campaigns.

    The download button remains hidden until JavaScript runs, then dynamically fetches payload details from download.php.

    This approach masks the malicious intent during static analysis while ensuring valid ZIP payloads are served only when conditions match specific criteria.

    The filenames themselves function as evasion mechanisms, using legitimate-sounding bureaucratic nomenclature to bypass content filters focused on malware indicators.

    Archives containing staged droppers bear authentic organizational contexts—tax filings, salary notices, financial amendments—making them indistinguishable from legitimate business communications.

    All phishing infrastructure resolves to Kaopu Cloud HK Limited hosting in multiple Asian locations including Tokyo, Singapore, and Hong Kong, providing geographic distribution that complicates attribution and blocking efforts.

    This sophisticated combination of social engineering, dynamic payload delivery, and distributed hosting represents a significant evolution in phishing campaign infrastructure targeting enterprise environments across Asia.


    The post Threat Actors Using Multilingual ZIP File to Attack Financial and Government Organizations appeared first on Cyber Security News.


  • Eclipse Foundation, which maintains the open-source Open VSX project, said it has taken steps to revoke a small number of tokens that were leaked within Visual Studio Code (VS Code) extensions published in the marketplace. The action comes following a report from cloud security company Wiz earlier this month, which found several extensions from both Microsoft’s VS Code Marketplace and Open VSX


  • AzureHound, an open-source data collection tool designed for legitimate penetration testing and security research, has become a favored weapon in the hands of sophisticated threat actors.

    The tool, which is part of the BloodHound suite, was originally created to help security professionals and red teams identify and fix cloud vulnerabilities.

    However, malicious actors have increasingly misused this capability to map out Azure environments and discover pathways for privilege escalation attacks.

    The tool operates by collecting data through Microsoft Graph and Azure REST Application Programming Interfaces (APIs), allowing it to enumerate Entra ID and Azure environments to gather information about identities and resources.

    Written in the Go programming language and available as precompiled versions for Windows, Linux, and macOS, AzureHound proves particularly dangerous because it does not need to be run from within a victim’s network.

    Since both APIs are accessible externally, threat actors can launch discovery operations remotely after gaining initial access to compromised systems.

    How Threat Actors Weaponize the Tool

    When threat actors gain access to a victim’s Azure environment, they deploy AzureHound to automate discovery procedures that would otherwise require extensive manual effort.

    The tool helps attackers discover user hierarchies, identify high-value targets, and uncover misconfigurations or indirect privilege escalation opportunities that might otherwise remain hidden.

    Execution of AzureHound to enumerate users.

    By gathering comprehensive internal Azure information, attackers can develop targeted attack strategies with surgical precision. The tool outputs data in JSON format, which can be ingested by BloodHound’s visualization capabilities.

    This creates a graphical representation of hidden relationships and attack paths within the target’s infrastructure, giving attackers a complete roadmap of the environment they have infiltrated.

    This combination of automated discovery and visual analysis transforms cloud reconnaissance from a time-consuming process into an efficient operation. Recent threat intelligence reveals the widespread adoption of AzureHound across multiple adversary groups.

    BloodHound illustration of available key vaults.

    Unit 42 researchers have tracked the Iranian-backed group Curious Serpens, also known as Peach Sandstorm and active since at least 2013, leveraging AzureHound to conduct internal discovery operations against target Microsoft Entra ID environments.

    In May 2025, Microsoft disclosed that suspected nation-state threat actor Void Blizzard employed AzureHound during the discovery phase of their campaigns to enumerate Entra ID configurations.

    More recently, in August 2025, Microsoft reported Storm-0501, a ransomware operator, using AzureHound to enumerate target Entra ID tenants while operating in hybrid, multi-tenant Azure environments.

    Organizations using Azure and Microsoft Entra ID must recognize that tools like AzureHound leave detectable evidence when used maliciously.

    Security teams should focus on detecting abnormal API activity, monitoring for suspicious enumeration patterns, and implementing strong identity and access controls.
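    A detection sketch for the enumeration pattern described above, added here as an example (it is not Unit 42’s or the BloodHound project’s code): it classifies Microsoft Graph and Azure REST request paths into the collections an AzureHound-style run lists, then flags a principal that reads several different collections inside one short window. The event records, principal names, the SUB-ID placeholder and the thresholds are constructed assumptions; map the fields onto your own Graph activity or Azure activity logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def classify(path: str):
    """Name the collection a request lists (Graph or Azure REST), or None for other calls."""
    m = re.match(r"^/v1\.0/(users|groups|servicePrincipals|applications|"
                 r"roleManagement/directory/roleAssignments)/?(\?|$)", path)
    if m:
        return m.group(1).split("/")[-1]
    if re.match(r"^/subscriptions/?(\?|$)", path):
        return "subscriptions"
    if re.search(r"providers/Microsoft\.KeyVault/vaults/?(\?|$)", path):
        return "keyVaults"
    return None  # single-object lookups and unrelated calls are not enumeration

def detect_enumeration(events, window=timedelta(minutes=10), min_distinct=4):
    """Flag principals that list >= min_distinct different collections inside one window."""
    by_principal = defaultdict(list)
    for e in events:
        kind = classify(e["path"])
        if kind and e["method"] == "GET":
            by_principal[e["principal"]].append((e["ts"], kind))
    findings = []
    for principal, hits in by_principal.items():
        hits.sort()
        in_window, left = Counter(), 0
        for ts, kind in hits:  # sliding window over time-sorted hits
            in_window[kind] += 1
            while ts - hits[left][0] > window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_distinct:
                findings.append({"principal": principal, "window_start": hits[left][0],
                                 "resources": sorted(in_window)})
                break  # one finding per principal is enough for triage
    return findings

def _ev(minute, principal, path, method="GET"):
    return {"ts": datetime(2025, 8, 1, 9, minute), "principal": principal, "method": method, "path": path}

# Constructed API activity records (not real tenant logs); SUB-ID is a placeholder.
SAMPLE_EVENTS = [
    _ev(0, "svc-backup@contoso.example", "/v1.0/users?$top=999"),
    _ev(0, "svc-backup@contoso.example", "/v1.0/groups"),
    _ev(1, "svc-backup@contoso.example", "/v1.0/servicePrincipals?$top=999"),
    _ev(1, "svc-backup@contoso.example", "/v1.0/roleManagement/directory/roleAssignments"),
    _ev(2, "svc-backup@contoso.example", "/subscriptions?api-version=2020-01-01"),
    _ev(2, "svc-backup@contoso.example", "/subscriptions/SUB-ID/providers/Microsoft.KeyVault/vaults?api-version=2022-07-01"),
    _ev(5, "alice@contoso.example", "/v1.0/users/alice@contoso.example"),  # single object, ignored
    _ev(6, "alice@contoso.example", "/v1.0/groups"),
    _ev(40, "alice@contoso.example", "/v1.0/users"),
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_EVENTS):
        print(finding)
```

    Tune the window and threshold against a baseline of your own automation accounts, since legitimate inventory jobs can list the same collections.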

    AzureHound API test requests.

    Understanding how threat actors misuse legitimate tools is essential for building effective detection capabilities and responding quickly to compromise indicators in cloud environments.


    The post AzureHound Penetration Testing Tool Weaponized by Threat Actors to Enumerate Azure and Entra ID appeared first on Cyber Security News.


  • The Cybersecurity and Infrastructure Security Agency (CISA) has raised alarm over active exploitation of a critical privilege escalation vulnerability affecting Broadcom’s VMware Tools and VMware Aria Operations. Tracked as CVE-2025-41244, this 0-day flaw poses significant risk to organizations managing virtualized infrastructure, potentially allowing attackers to gain root-level access to compromised systems. CVE ID Vendor Affected […]

    The post CISA Alerts on Active Exploitation of VMware Tools and Aria Operations 0-Day appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • North Korean state-sponsored threat actors have escalated their cyber operations with the deployment of sophisticated new malware variants designed to establish persistent backdoor access to compromised systems. Recent investigations by threat intelligence researchers have uncovered two distinct toolsets from prominent DPRK-aligned hacking groups: Kimsuky’s newly identified HttpTroy backdoor and an upgraded version of Lazarus’s BLINDINGCAN […]

    The post Kimsuky and Lazarus Hackers Deploy New Backdoor Tools for Remote Access Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe injection vulnerability in the XWiki Platform, designated as CVE-2025-24893.

    This flaw allows unauthenticated attackers to execute arbitrary remote code, posing significant risks to organizations using the open-source wiki software.

    Discovered and actively exploited, the vulnerability underscores the dangers of eval injection in web applications, particularly those handling search functionalities.

    XWiki, a popular platform for collaborative content management, suffers from this eval injection issue in its SolrSearch feature. Attackers can exploit it without logging in, potentially compromising entire installations.

    CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 30, 2025, emphasizing the need for immediate action amid reports of real-world exploitation.

    While it’s unclear if ransomware groups are leveraging it specifically, the flaw’s severity aligns with tactics seen in broader campaigns targeting content management systems.

    Vulnerability Mechanics and Impact

    At its core, CVE-2025-24893 stems from improper handling of user input in the SolrSearch endpoint, classified under CWE-95 for improper neutralization of directives in dynamically evaluated code. Any guest user can send a crafted request to trigger code execution.

    For instance, a simple test involves accessing the SolrSearch RSS feed with a payload like %7D%7D%7D%7B%7Basync async=false%7D%7D%7B%7Bgroovy%7D%7Dprintln("Hello from" + " search text:" + (23 + 19))%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D. If the response includes "Hello from search text:42" in the RSS title, the instance is vulnerable.

    The impact is devastating: complete remote code execution undermines confidentiality, integrity, and availability. Attackers could steal data, deploy malware, or pivot to other systems.

    Affected versions include those prior to the patches, primarily impacting enterprise users in education, government, and corporate sectors who rely on XWiki for internal knowledge bases.

    CVE ID: CVE-2025-24893
    Description: Eval injection in SolrSearch allowing arbitrary RCE
    Affected Products/Versions: XWiki Platform < 15.10.11, < 16.4.1, < 16.5.0RC1
    CVSS 3.1 Score: 9.8 (Critical)
    CWE: CWE-95
    Exploitation Status: Actively exploited in the wild

    Mitigations

    CISA urges users to promptly apply vendor mitigations, adhere to Binding Operational Directive 22-01 for cloud services, or discontinue use of the product if patches are unavailable.

    XWiki has released fixes in versions 15.10.11, 16.4.1, and 16.5.0RC1, which sanitize inputs and prevent eval execution.

    As a temporary workaround, administrators can modify the Main.SolrSearchMacros file, specifically line 955, to enforce an application/xml content type for the rawResponse macro, mirroring the template’s secure output handling.

    This blocks malicious payloads without a full upgrade. Organizations should also monitor logs for suspicious SolrSearch requests and restrict guest access where possible.
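    A log check for the monitoring advice above, added here as an example (it is not from the advisory or the XWiki project): it decodes the parameters of SolrSearch requests, including double-encoded ones, and reports any that carry XWiki macro syntax, rating script macros such as groovy highest. The access-log lines are constructed, and /xwiki/bin/get/Main/SolrSearch is assumed to be the default RSS endpoint path.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines (not real traffic). The second
# line carries the harmless vulnerability-check payload quoted above; the third is
# the same macro syntax double URL-encoded, which a single decode would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=quarterly%20report HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20(23%20%2B%2019))%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.9 - - [30/Oct/2025:10:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 2100 "-" "curl/8.4.0"
198.51.100.4 - - [30/Oct/2025:10:03:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# XWiki macro syntax is {{name ...}} ... {{/name}}. Ordinary search text almost
# never contains it, so its presence in a SolrSearch request is the signal.
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z][A-Za-z0-9]*)")
SCRIPT_MACROS = {"groovy", "velocity", "script", "async"}

def fully_decode(value: str, max_rounds: int = 4) -> str:
    """Undo repeated percent-encoding (bounded) so double-encoded macros are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(log_text: str) -> list:
    """Return one finding per SolrSearch request whose parameters contain macro syntax."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        parts = urlsplit(target)
        if "solrsearch" not in parts.path.lower():
            continue
        macros = set()
        for values in parse_qs(parts.query).values():  # parse_qs decodes once
            for v in values:
                macros.update(n.lower() for n in MACRO_RE.findall(fully_decode(v)))
        if macros:
            findings.append({
                "ip": ip, "time": when, "status": status, "macros": sorted(macros),
                "severity": "high" if macros & SCRIPT_MACROS else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

    A 200 response to a flagged request on an unpatched version is a strong indicator that the injected macro actually executed.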

    This incident highlights the ongoing threats to legacy web platforms. With exploitation confirmed, swift patching remains critical to safeguard sensitive environments.


    The post CISA Warns of XWiki Platform Injection vulnerability Exploited to Execute Remote Code appeared first on Cyber Security News.


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain


  • In an unprecedented cybersecurity incident that occurred in September 2025, over 500 gigabytes of internal data from China’s Great Firewall infrastructure were exposed in what security experts are calling one of the most consequential breaches in digital surveillance history.

    The massive leak encompasses more than 100,000 documents, including internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks from Chinese infrastructure firms associated with the censorship apparatus.

    The exposed material reveals the technical scaffolding behind China’s digital surveillance regime, containing raw IP access logs from state-run telecom providers such as China Telecom, China Unicom, and China Mobile.

    The dataset provides unprecedented visibility into real-time traffic monitoring and endpoint interaction protocols, offering researchers a multidimensional forensic cross-section of the Great Firewall’s operational anatomy.

    Far from being an accidental disclosure, this archive represents a curated corpus likely compiled over an extended period, suggesting either a trusted insider with comprehensive access or a methodical external data exfiltration campaign.

    The breach reveals critical vulnerabilities within China’s distributed enforcement model, exposing moments where the censorship apparatus faltered.

    DomainTools analysts noted that multiple instances of cross-border leakage routes allowed foreign IP addresses to establish unfiltered sessions for extended periods, indicating delays in rule propagation, temporary policy gaps, or failures in heuristic detection systems.

    These lapses demonstrate that while the system maintains high surveillance capabilities, it remains reactive and inconsistently enforced across different regions.

    Among the most sensitive exposed artifacts are packet captures (PCAPs) and routing tables paired with blackhole sinkhole exports, detailing how traffic is intercepted, redirected, or silently dropped.

    Excel spreadsheets enumerate known VPN IP addresses, DNS query patterns, SSL certificate fingerprints, and behavioral signatures of proxy services, providing insight into identification and blocking heuristics.

    The dataset also contains Visio diagrams mapping internal firewall architecture from hardware deployments to logical enforcement chains spanning various ministries and provinces.

    Metadata Exposure and Attribution Tracking

    The leak’s most strategically valuable component lies in the accidentally embedded metadata across thousands of files, offering unprecedented visibility into the human and organizational machinery behind China’s censorship apparatus.

    Network Topology (Source – Domaintools)

    The dump exposes dozens of unique usernames following consistent naming conventions indicative of internal departmental hierarchies, including system-level account names and author tags in Office documents that enable correlation to individual operators.

    Authorship data and revision histories link technical documents to specific personnel across government agencies, telecom subsidiaries, and third-party contractors.

    System Status Network Topology (Source – Domaintools)

    Cross-referencing these metadata fields with known Chinese corporate entities and state-linked research institutes has enabled the construction of preliminary attribution clusters showing clear ties to China’s major telecommunications providers and academic partners, including digital forensics laboratories and infrastructure vendors with suspected MSS connections.

    Multiple files retain internal IP address references and machine hostnames mapped to sandbox and testbed environments used for evaluating censorship evasion tools, including systems specifically tagged for analyzing Psiphon, V2Ray, and Shadowsocks protocols.

    Some remote server addresses and reverse-proxy logs point to Great Firewall staging zones used to pilot domain interdiction and traffic shaping prior to national deployment.

    The organizational fingerprints reveal a complex lattice of state-linked entities operating in tightly controlled silos, with core traffic monitoring and enforcement responsibilities handled by major telecommunications providers whose infrastructure appears repeatedly in PCAP logs, IP registries, and system-level telemetry.

    This breach fundamentally shifts the asymmetry between censor and censored, providing detailed blueprints of China’s digital surveillance infrastructure for the first time in history.


    The post Historic Great Firewall Breach – 500GB+ Censorship Data Exposed appeared first on Cyber Security News.


  • In a historic breach of China’s censorship infrastructure, over 500 gigabytes of internal data were leaked from Chinese infrastructure firms associated with the Great Firewall (GFW) in September 2025. Researchers now estimate the full dump is closer to approximately 600 GB, with a single archive comprising around 500 GB alone. The material includes more than […]

    The post Massive Great Firewall Leak Exposes 500GB of Censorship Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
