RELEVANT WARNINGS
Quote: In 2024, reports emerged of a highly sophisticated cyber espionage campaign against US telecoms companies, which some analysts believe went all the way up to the Chinese government.
The group behind this campaign would later be codenamed Salt Typhoon, and it is believed to have quietly infiltrated critical US telecoms infrastructure in order to collect private information on influential Americans – including presidential candidates. In the process, it may have also swept up data from millions of ordinary Americans. The Chinese government has denied responsibility for Salt Typhoon.
We speak to former Deputy National Security Adviser Anne Neuberger, who was working inside the White House when the attacks were first uncovered. We also speak to BBC cyber correspondent Joe Tidy about how this hack unfolded – and what it reveals about who may be winning the cyber war.
I know the article is quite short, but you can listen to the podcast at any time.

Quote: British businesses are being urged to step up their vigilance against a China-linked hacking ploy that uses everyday devices for espionage.
The UK’s National Cyber Security Centre (NCSC) and agencies in nine other countries have warned of persistent attempts by Beijing-backed groups to hack equipment such as wifi routers to launch cyber-attacks.
Known as “covert networks” or “botnets”, they typically target vulnerable equipment – for instance devices that have not had a software update or are old – as a base for staging activities such as surveillance and data theft.
The NCSC said the technique was used by the majority of China-linked hackers. Richard Horne, the centre’s chief executive, said on Wednesday that China’s intelligence and military agencies had an “eye-watering level of sophistication in their cyber-operations”. Speaking at the NCSC’s annual conference in Glasgow, he said: “We face more than just a capable cyber-threat but a peer competitor in cyberspace.”
The advisory notice from the NCSC and cyber-agencies in countries including the US, Australia, Canada and Germany warns there has been a “major shift” in Chinese tactics to using devices linked to the internet as a means of obscuring where an attack comes from. The most commonly hijacked devices are routers but printers and web cameras are also vulnerable.
Security officials compare routers to virtual private networks, which allow web users to obscure their location. They say a household’s wifi router could be used as a conduit for attacking an unrelated major company.
While the NCSC guidance is not directed at members of the public who might be unwittingly providing a launchpad for espionage, it urges companies and organisations to take a number of steps such as mapping out their IT systems, including connections to consumer broadband networks. It also recommends multifactor authentication – where users are asked to give another form of verification along with their password – for members of staff trying to access a system remotely. They also advise limiting network connections to external devices.
The centre said in the advisory notice published on Thursday: “The NCSC believes that the majority of China-nexus threat actors are using these networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised small office home office routers, as well as internet of things [connected devices] and smart devices.”
A China-backed group, dubbed Volt Typhoon by western authorities, has been flagged by agencies as a user of covert networks and has quietly burrowed into key US infrastructure including rail, aviation and water systems. The NCSC said these covert networks were now built and maintained by private Chinese companies. In one example, a Chinese business created a covert network by infecting 200,000 devices worldwide.
This year, Google announced it had disrupted a “residential proxy” network where cybercrime groups and state actors used hacked household and IT devices to launch attacks.
HACKERS ARRESTED
Quote: The Justice Department unveiled charges Thursday against two Chinese nationals allegedly behind an overseas cryptocurrency scam center, as U.S. Attorney for the District of Columbia Jeanine Pirro vowed that the Trump administration is "just getting started" in combating these schemes.
Pirro told reporters in Washington, D.C., that cyber-enabled and cryptocurrency investment fraud is "among the fastest growing and the most financially devastating form of cybercrime that is targeting Americans today." The DOJ’s actions come after Pirro launched the Scam Center Strike Force in November last year, following an executive order from President Donald Trump.
"Today, we announce significant milestones in that fight. We have charged Chinese bosses who ran a scam compound in Burma where thousands were trafficked, enslaved, beaten and then forced to steal from Americans for years. We have seized also a Telegram channel, and that channel was luring workers into a forced compound in Cambodia," Pirro said. "There they were ordered to pose as U.S. banks, as the New York City Police Department, to steal Americans’ life savings."
"We have taken down more than 500 websites. They were used to steal Americans’ life savings. My office is going to continue to work to identify the funds stolen," Pirro added. "We have also restrained more than $700 million in cryptocurrency from U.S. victims of fraud. The administration of President Trump is lockstep in combating these scams, and we are just getting started."
The Justice Department said the two Chinese nationals, identified as Huang Xingshan and Jiang Wen Jie, were arrested in Thailand earlier this year after allegedly being linked to "cryptocurrency investment fraud operations" out of the Shunda compound in Burma. The pair were charged with wire fraud conspiracy and the U.S. is working to extradite them to face justice on American soil, according to Pirro.
"The Shunda compound operated from at least January 2025 until approximately November 2025, when it was seized by the Karen National Liberation Army of Burma. The compound used scam websites and mobile applications disguised as legitimate investment platforms to defraud victims, including Americans," the DOJ said. "Workers within the compound were trafficked individuals who were held against their will and forced to defraud victims under the threat of violence and torture."
"According to the investigation, Huang served at Shunda as a high-level manager and enforcer and personally participated in the physical punishment of trafficked compound workers. Jiang served as a team leader directly supervising workers who specifically targeted American victims," the DOJ added. "Under Jiang’s supervision, one of the people under his command successfully defrauded a single American victim of over $3 million utilizing a fraudulent investment platform. The theft was celebrated within the organization as a paradigm of success."
Quote: A Chinese hacker accused of stealing COVID-19 research from U.S. institutions in a massive cyberattack has been extradited to American soil.
FBI Director Kash Patel said the case involving Xu Zewei is a "historic win for our cybersecurity efforts under President Trump, bringing bad actors who target American infrastructure to justice no matter where they try to hide."
Patel said Xu, a Chinese national and accused state-sponsored hacker, is "allegedly responsible for a massive cyber intrusion campaign in 2020 and 2021 stealing COVID-19 research from American institutions."
"Xu has been extradited to the U.S. out of Italy as of this weekend, and he will now face federal charges," Patel revealed Tuesday in a post on X.
"During 2020 and 2021, at the height of the COVID-19 pandemic, Xu and his co-conspirators allegedly targeted and hacked U.S. based universities, immunologists, and virologists conducting COVID-19 research – including key treatment and vaccines – accessing email accounts and more," Patel said.
The Justice Department said Xu is facing nine charges, including two counts of wire fraud, two counts of obtaining information by unauthorized access to protected computers and aggravated identity theft. The wire fraud charges carry a maximum penalty of 20 years in prison for each count.
"According to court documents, officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for PRC’s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC’s political and domestic security," the Justice Department said.
"Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities," the Justice Department added. "For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes."
THEIR ALLIES ARE VALID TARGETS AS WELL
Quote: A major cyber espionage operation tied to China recently hacked into the internal communications of the Cuban embassy in Washington D.C. This breach exposes a glaring weak spot in a long-standing geopolitical alliance. Hackers gained unauthorised access to the private email accounts of 68 senior diplomatic figures, which included the ambassador and the deputy chief of mission. The cybersecurity firm Gambit Security publicly disclosed this unprecedented digital intrusion on Wednesday following initial reports from Bloomberg.
The digital infiltration began in January 2026 during a period of immense domestic instability for the Cuban regime. The nation was already grappling with an intense energy crisis after the Trump administration decided to completely halt oil shipments to the island. This diplomatic and economic pressure resulted in catastrophic nationwide blackouts, leaving vast territories without power for up to 25 to 30 hours daily and creating critical blind spots in institutional security.
Exploiting Old Microsoft Exchange Flaws to Access Cuban Intelligence
Digital investigators found that the hackers gained entry by exploiting severely outdated systems at the embassy. The diplomatic mission was still relying on older Microsoft Exchange email servers that were missing basic security updates. These critical weak points had been ignored for at least five years, giving the attackers an incredibly easy path right into their secure networks.
Because of this, the hackers easily accessed entire email archives belonging to top Cuban political strategists and intelligence officials. It is a massive security failure for Havana. Curtis Simpson, the strategy director at Gambit Security, pointed out the broader context of the attack. 'This breach illustrates how global events can fuel cyber activity,' Simpson remarked.
How Leaked Communications Could Affect US-Cuba Diplomatic Talks
The timing and scale of this operation are especially sensitive at present. Cuba and the United States have been in high-level diplomatic talks since February 2026. The negotiations hit a significant milestone recently when the Cuban government agreed to release over 2,000 political prisoners. But now, security analysts are warning that the stolen emails may have exposed sensitive details about those very discussions.
Getting direct access to these sensitive conversations gives Beijing a huge strategic advantage on the world stage. It could allow Chinese intelligence to see where US-Cuba relations are heading without relying on secondhand diplomatic channels. This relationship is highly significant to China at present as it navigates its own complicated dynamic with the United States.
Breaching Venezuelan Government Servers and Global React Development Systems
The hacking campaign did not stop at the Cuban embassy in Washington. During the same period, this identical group of Chinese-affiliated hackers executed a coordinated digital strike against the Venezuelan government and its Ministry of Foreign Affairs. This simultaneous intrusion strongly indicates a sweeping regional surveillance operation designed to monitor multiple Latin American governments.
Furthermore, the attackers weaponised a separate software vulnerability found in the widely used React development tool. This secondary exploit allowed them to compromise roughly 5,000 independent servers worldwide in less than a week. Prominent institutional victims of this global sweep included the Texas Department of Health and Human Services and the investment firm Santé Ventures.
ASIAN GOVERNMENTS + POLAND HACKED
Quote: Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO.
Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707.
"The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," security researchers Daniel Lunghi and Lucas Silva said in an analysis.
Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor's victimology footprint is Poland.
The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.
The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access. The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading.
In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It's worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.
Also put to use are open-source tunneling tools like the IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and C# implementation of SMBExec known as Sharp-SMBExec.
"The primary entry vector used in this campaign were vulnerabilities in internet-facing IIS applications," Trend Micro said. "Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS."
"In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching)."
NOTEPAD++ HACKED
Quote: The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.
In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. Ho said this “would explain the highly selective targeting” seen during the campaign.
Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China, and said the hacks targeted government, telecom, aviation, critical infrastructure, and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees at organizations around the world.
According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.
Ho said that the “exact technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.
In the blog, Ho said that Notepad++’s website was hosted on a shared hosting server. The attackers “specifically targeted” Notepad++’s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.
“We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” wrote Ho.
In an email, Ho told TechCrunch that his hosting provider confirmed his shared server was compromised but that the provider did not say how the hackers initially broke in.
Ho apologized for the incident, and urged users to download the most recent version of his software, which contains a fix for the bug.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked into the company’s servers and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers’ networks once the update had rolled out.
The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.
DAEMON TOOLS HACKED
Quote: Security researchers at Kaspersky say they have identified a malicious backdoor planted in the popular and long-running Windows disc imaging software, Daemon Tools.
The Russian cybersecurity company said on Tuesday that data collected from computers around the world running the Kaspersky antivirus software shows a “widespread” attack is under way, targeting thousands of Windows computers running Daemon Tools.
The hackers, whom Kaspersky has linked to a Chinese-language speaking group based on an analysis of the malware, used the backdoor in Daemon Tools to plant additional malware on a dozen computers across the retail, scientific and manufacturing sectors, as well as government systems. Kaspersky said the hacking of these specific computers implied a “targeted” effort.
The company said the targeted organizations are located in Russia, Belarus, and Thailand.
Kaspersky said the backdoor was first detected on April 8.
Kaspersky said it had contacted Disc Soft, the company that maintains Daemon Tools, but did not say if the developer responded or took action. Kaspersky said the supply chain attack is “still active,” suggesting that the hackers can still plant malware on thousands of computers running the disc imaging software.
This is the latest in a string of so-called “supply chain” attacks that have targeted developers of popular software in recent months. Hackers are increasingly taking aim at the accounts of developers who work on widely used code and software, and abusing that access to push malicious code to anyone who relies on the software. This approach lets the hackers break into a large number of computers at once when their malicious code is delivered as a software update.
Earlier this year, hackers associated with the Chinese government hijacked the popular text editing software Notepad++ to deliver malware to a number of organizations with interests in East Asia. Security researchers also warned of another attack last month targeting users who visited the website of CPUID, which makes the popular HWMonitor and CPU-Z tools.
TechCrunch downloaded the Windows installer from Daemon Tools’ website, and the file appeared to contain the backdoor when we checked it with the online malware scanner service VirusTotal.
It’s not known if the macOS version of Daemon Tools was compromised, or if other apps made by Disc Soft are affected.
When contacted for comment, a Disc Soft representative said they are “aware of the report and are currently investigating the situation.”
“Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users,” the representative said.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
![[Image: SP1-Scripter.png]](https://www.save-point.org/images/userbars/SP1-Scripter.png)
![[Image: SP1-Writer.png]](https://www.save-point.org/images/userbars/SP1-Writer.png)
![[Image: SP1-Poet.png]](https://www.save-point.org/images/userbars/SP1-Poet.png)
![[Image: SP1-PixelArtist.png]](https://www.save-point.org/images/userbars/SP1-PixelArtist.png)
![[Image: SP1-Reporter.png]](https://i.postimg.cc/GmxWbHyL/SP1-Reporter.png)
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE
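The Notepad++ and Daemon Tools items above describe the same supply-chain pattern: an update request is steered to a server the attackers control, or the installer served from the legitimate site has been swapped, and the client installs whatever it receives. The following is an added example, not code from the original post or from Notepad++, Daemon Tools or any other project named above. It shows the client-side checks that blunt that pattern: refuse a download whose host is not on a pinned allowlist, refuse plain HTTP, and verify the payload's SHA-256 against a pinned value before installing. Every hostname, payload and hash in it is constructed for the example.

```python
"""Added example (not from the original post or from any project named in it).

Minimal update-client validation against update hijacking: the client
pins the download host, requires HTTPS and checks the payload hash
against a value it already holds. Hostnames, payloads and hashes are
constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical pinned update host; a real client would ship this baked in.
ALLOWED_HOSTS = frozenset({"updates.example-editor.test"})


def verify_update(download_url: str, payload: bytes, pinned_sha256: str) -> tuple[bool, str]:
    """Return (accepted, reason); every rejection names the check that failed."""
    url = urlparse(download_url)
    if url.scheme != "https":
        return False, "refusing non-HTTPS download URL"
    if url.hostname not in ALLOWED_HOSTS:
        # A redirect that lands on an unknown host is treated as hostile,
        # even if that host presents a valid TLS certificate for itself.
        return False, f"download host {url.hostname!r} is not pinned"
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison: do not leak how many hex digits matched.
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        return False, "payload SHA-256 does not match pinned value"
    return True, "ok"


# Constructed installer bytes standing in for a real update package.
GOOD_PAYLOAD = b"example-editor-setup-v9.9.9\x00" + bytes(range(64))
TAMPERED_PAYLOAD = GOOD_PAYLOAD[:-1] + b"\xff"  # a single byte altered
# The pinned value a genuine client would carry with it (or receive in a
# manifest signed by a key that never lives on the web server).
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

GOOD_URL = "https://updates.example-editor.test/v9.9.9/setup.exe"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """The legitimate case plus the three failure modes the passage describes."""
    return {
        "legitimate": verify_update(GOOD_URL, GOOD_PAYLOAD, PINNED_SHA256),
        # Update request redirected to a host outside the allowlist.
        "redirected_host": verify_update(
            "https://mirror.unrelated.example/setup.exe", GOOD_PAYLOAD, PINNED_SHA256),
        # Transport downgraded so the response can be rewritten in transit.
        "downgraded_to_http": verify_update(
            "http://updates.example-editor.test/v9.9.9/setup.exe", GOOD_PAYLOAD, PINNED_SHA256),
        # Correct host, but the installer itself was replaced.
        "tampered_payload": verify_update(GOOD_URL, TAMPERED_PAYLOAD, PINNED_SHA256),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20s} accepted={accepted!s:5s} {reason}")
```

The hash check is only as strong as the place the pinned value comes from: if the expected hash is fetched from the same web host the attackers control, they simply rewrite it to match the swapped installer, so the value must be baked into the client or carried in a manifest signed with a key kept off the distribution server. Host pinning addresses the redirect case specifically, which is why the two checks are kept separate and each produces its own rejection reason for logging.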