Quote:WASHINGTON (AP) — Twelve Chinese nationals — including mercenary hackers, law enforcement officers and employees of a private hacking company — have been charged in connection with global cybercrime campaigns targeting dissidents, news organizations, U.S. agencies and universities, the Justice Department says.
A set of criminal cases filed in New York and Washington add new detail to what U.S. officials said Wednesday is a booming hacking-for-hire ecosystem in China, in which private companies and contractors are paid by the Chinese government to target victims of particular interest to Beijing in an arrangement meant to provide Chinese state security forces cover and deniability.
The indictments come as the U.S. government has warned of an increasingly sophisticated cyber threat from China, such as a hack last year of telecom firms called Salt Typhoon that gave Beijing access to private texts and phone conversations of an unknown number of Americans, including U.S. government officials and prominent public figures.
One indictment charges eight leaders and employees of a private hacking company known as I-Soon with conducting a sweeping array of computer breaches around the world meant to suppress speech, locate dissidents and steal data from victims. Among those charged is Wu Haibo, who founded I-Soon in Shanghai in 2010 and was a member of China’s first hacktivist group, Green Army, and who is accused in the indictment of overseeing and directing hacking operations.
Earlier reporting by The Associated Press on leaked documents from I-Soon mainly showed I-Soon was targeting a wide range of governments such as India, Taiwan or Mongolia, but little on the United States.
But the indictment contains new revelations about I-Soon’s activities targeting a wide range of Chinese dissidents, religious organizations and media outlets based in the U.S., including a newspaper identified as publishing news related to China and opposed to the Chinese Communist Party. Other targets included individual critics of China living in the U.S., the Defense Intelligence Agency and a research university.
The targets were in some cases directed by China’s Ministry of Public Security — two law enforcement officers were charged with tasking certain assignments — but in other instances the hackers acted at their own initiative and tried to sell the stolen information to the government afterward, the indictment says.
The company charged the Chinese government the equivalent of between approximately $10,000 and $75,000 for each email inbox it successfully hacked, officials said.
Phone numbers listed for I-Soon on a Chinese corporate registry rang unanswered, and I-Soon representatives did not immediately respond to an AP email requesting comment Wednesday.
A spokesperson for the Chinese foreign ministry on Thursday denied the charges, calling the U.S. “hypocritical” and pointing to U.S. cyberattacks on China.
“China firmly opposes the groundless accusation made by the US and urges the US to immediately stop abusing sanctions,” Chinese Foreign Ministry spokesperson Lin Jian said at a press conference in Beijing.
Quote:The Government of Costa Rica announced today that the Costa Rican Electricity Institute (ICE) suffered a security attack linked to cyber espionage. Officials revealed the breach during an emergency press conference at Casa Presidencial. They said a threat actor with possible ties to China infiltrated ICE systems and extracted data.
The attack came to light after the Ministry of Science, Innovation, Technology and Telecommunications received an alert in February from Mandiant, a Google cybersecurity firm. The company flagged a breach in ICE infrastructure. Forensic analysis later confirmed the presence of the actor, who targets the telecom sector for espionage purposes.
Minister Paula Bogantes described the group as one that focuses on cyber espionage in telecommunications. She noted it has appeared in 42 countries and is already known internationally. ICE President Marco Acuña said the hackers pulled 9 gigabytes of internal emails from a server located in Costa Rica, not in the cloud. The utility holds far more data of that type, around 10,000 gigabytes in total, he added.
Acuña filed a criminal complaint with the Public Ministry and the Judicial Investigation Organization on Thursday. He called the act a crime under Costa Rican and international law. “We have profiled the threat and we are working on it,” he stated. “We are containing it.”
He stressed that basic telecom services continue to operate normally with no reported impact. Bogantes said the government treats the case as a national security matter. Costa Rican authorities reached out to the United States for technical support and coordination to handle the incident.
The government first spotted suspicious activity at ICE toward the end of January. Teams from the ministry and the utility then worked together on the review. Acuña confirmed the complaint includes a timeline of events. Authorities aim to identify those responsible and check for any local involvement.
This marks the latest cybersecurity challenge for Costa Rica’s critical infrastructure. Officials continue to monitor systems and strengthen defenses.
Quote:Newly discovered Chinese threat operation CL-UNK-1068 has been covertly compromising telecommunications, energy, technology, pharmaceutical, government, and law enforcement organizations in South, Southeast, and East Asia, as part of a years-long hacking campaign, The Hacker News reports.
Misconfigured web servers have been exploited by CL-UNK-1068 to distribute the Godzilla and ANTSWORD webshells, achieve lateral movement, and pilfer browser history, XLSX and CSV files, and database backups, according to Palo Alto Networks Unit 42 researchers. Attackers have also weaponized Python executables to run illicit DLLs. Other tools powering CL-UNK-1068's credential theft activities include Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool.
"This cluster of activity demonstrates versatility by operating across both Windows and Linux environments, using different versions of their tool set for each operating system. While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intentions," said researchers.
Quote:Multiple China-nexus threat operations have launched cyberattacks against Qatar amid escalating tensions in the Middle East, according to HackRead.
Intrusions by Chinese advanced persistent threat operation Camaro Dragon that commenced on Mar. 1, just a day after the joint U.S.-Israel military strikes against Ukraine, involved the delivery of a file with photos showing the aftermath of an Iranian missile strike against a Bahrain-based U.S. military base, which triggered a DLL hijacking attack leading to the injection of the PlugX backdoor, a report from Check Point Research showed.
Another China-linked attack campaign aimed at Qatar's oil and gas sector entailed the distribution of a password-protected ZIP file detailing strikes against Gulf oil and gas facilities. Threat actors had concealed malicious code within a component of the legitimate open-source screen reader NVDA to deploy Cobalt Strike. Such a development comes after Iranian APT group MuddyWater was reported to have compromised U.S. organizations with the DinDoor malware.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
Quote:The FBI last week deemed a recent China-linked cyber intrusion into a sensitive agency surveillance system a “major incident,” meaning it poses significant risks to U.S. national security, according to one congressional aide and two U.S. officials with knowledge of the matter.
The bureau first told Congress on March 4 that it was investigating suspicious activity on an internal agency system that contained “law enforcement sensitive information.” The FBI did not publicly identify who was behind the activity at the time, but POLITICO previously reported that China is suspected.
The FBI determined the intrusion meets the definition of a major incident under a federal data security statute known as FISMA, said the three people. Congress was informed of the decision earlier this week, according to the aide. This person, like others in this report, was granted anonymity because they were not authorized to speak publicly on the investigation.
The determination suggests the hackers successfully compromised swathes of sensitive data stored directly on FBI systems, likely marking a major counterintelligence coup for China. FISMA requires agencies to tell lawmakers within seven days about any digital intrusion they have determined is “likely to result in demonstrable harm” to U.S. national security.
Cynthia Kaiser, the former deputy assistant director of the FBI’s cyber division, said she is not aware of the FBI making any such determination on a hack affecting its own systems since at least 2020.
“Thresholds under FISMA are quite high, and only a few agencies declare a major cyber incident every year,” Kaiser said.
An FBI spokesperson declined to comment on the declaration, instead referring POLITICO to a prior comment it made on the incident in early March: “FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond.”
Under guidelines set by FISMA, an intrusion can meet the major incident threshold if it involves the exfiltration or compromise of personally identifiable data, or presents acute risks to the national security, foreign relations, public confidence or civil liberties of Americans.
It is not clear what finding triggered the FBI determination.
In the March notice to Congress viewed by POLITICO, the FBI told lawmakers that unspecified hackers appeared to break into an agency system by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” which it described as a reflection of the group’s “sophisticated tactics.”
The notice also said the “affected” system contained “returns from legal process, such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.”
Pen register and trap and trace devices allow law enforcement to monitor calls made to or from a specific phone, or websites visited by an internet-connected device. While these tools do not record the content of those communications, the information captured is valuable to foreign intelligence services or organized criminal groups because it could reveal the targets of FBI surveillance or criminal probes.
The breach of the FBI surveillance system does not appear to be connected to a recent Iranian-linked compromise of FBI Director Kash Patel’s personal emails. It is the latest sign that Chinese hackers have advanced to the point where they are consistently able to penetrate some of the country’s most sensitive national security systems.
“This incident is yet another stark reminder that the threat from sophisticated cyber adversaries like China has not gone away — in fact, it’s growing more aggressive by the day,” said Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee.
When an agency declares a major incident under FISMA, it is also supposed to trigger an interagency cyber response mechanism. It is unclear whether that has happened or if the hack has since been contained.
Separate spokespeople for the White House and the Cybersecurity and Infrastructure Security Agency referred to the FBI for comment. The NSA did not respond to requests for comment.
The White House hosted a meeting about the breach that included officials from the FBI, NSA and CISA in early March, according to the first U.S. official and a third U.S. official with knowledge of the meeting.
Chinese hackers have previously targeted commercial communications providers as a springboard into federal networks or to access sensitive national security data.
One Chinese hacking group dubbed Volt Typhoon has burrowed deep inside critical infrastructure across the United States — including ports, water facilities and energy substations — while a second group labeled Salt Typhoon has breached some of the country’s largest telecommunications providers. In the latter hack, first uncovered in late 2024, Chinese hackers were able to siphon off call records from millions of Americans, view FBI wiretap data and steal unencrypted communications from the phone of then-presidential candidate Donald Trump.
The first U.S. official said they believed the FBI had acted quickly to address the incident. But they noted it was “embarrassing” for the bureau to be breached by the same hackers it is supposed to be tracking.
Quote:A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.
The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.
“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”
Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.
“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”
TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple years.
The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.
“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.
Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.
Quote:A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States," the Microsoft Threat Intelligence team said.
Attacks mounted by Storm-1175 have also leveraged zero-day exploits, in some cases, before they have been publicly disclosed, as well as recently disclosed vulnerabilities to obtain initial access. Select incidents have involved the threat actor chaining together multiple exploits (e.g., OWASSRF) for post-compromise activity.
Upon gaining a foothold, the financially motivated cybercriminal actor swiftly moves to exfiltrate data and deploy Medusa ransomware within a span of a few days, or, in select incidents, within 24 hours.
To aid in these efforts, the group creates persistence by creating new user accounts, deploying web shells or legitimate remote monitoring and management (RMM) software for lateral movement, conducting credential theft, and interfering with the normal functioning of security solutions, before dropping the ransomware.
Since 2023, Storm-1175 has been linked to the exploitation of more than 16 vulnerabilities:
CVE-2023-21529 (Microsoft Exchange Server)
CVE-2023-27351 and CVE-2023-27350 (Papercut)
CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
CVE-2024-1708 and CVE-2024-1709 (ConnectWise ScreenConnect)
CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
CVE-2025-31161 (CrushFTP)
CVE-2025-10035 (Fortra GoAnywhere MFT)
CVE-2025-52691 and CVE-2026-23760 (SmarterTools SmarterMail)
CVE-2026-1731 (BeyondTrust)
CHINESE HACKERS WILL EXPLOIT TRUECONF'S WEAKNESSES
Quote:A bug in a popular line of video conferencing software is being exploited by hackers, prompting the U.S. government to order all agencies to patch the vulnerability within two weeks.
The Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until April 16 to patch CVE-2026-3502, a vulnerability in the video conferencing tool TrueConf. The bug carries a severity score of 7.8 out of 10.
CISA’s confirmation that the vulnerability is being exploited follows a report from cybersecurity researchers at Check Point outlining an alleged Chinese hacking campaign targeting governments in Southeast Asia.
Check Point said Chinese hackers have been exploiting the vulnerability in a campaign they call TrueChaos. The campaign started in early 2026 and typically involved the Havoc penetration testing tool, which Chinese actors have repeatedly abused over the last year.
Check Point said it disclosed the bug to TrueConf, which developed a fix that was released in March.
“At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment,” the researchers said.
“The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.”
During exploitation of the bug, the hackers used the trusted update channel to distribute malicious updates. Check Point noted that the targeting indicates the campaign was likely focused on espionage.
TrueConf is used widely across organizations in Asia, Europe and the Americas, serving about 100,000 organizations globally. Check Point said it is used primarily by government, military, and critical infrastructure sectors “to ensure absolute data privacy and communication autonomy in secure or remote environments.”
“In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems,” Check Point explained.
Most infections likely began through a link sent to the victims. The links launched the TrueConf client and showed an update prompt alleging that there is a newer version available.
“Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process,” Check Point said.
“The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.”
Check Point attributed the campaign to Chinese actors based on the tactics deployed and the use of Alibaba Cloud and Tencent hosting tools. The company also saw the same victim targeted with the ShadowPad malware — a hallmark of Chinese actors.
Quote:Threat actors from China, which hosts more hacking groups than any other country, are accelerating ransomware attacks by chaining dozens of vulnerabilities and compressing the entire kill chain into hours. A new report from Microsoft Threat Intelligence sheds light on how one group, tracked as Storm-1175, is turning exposed systems into fast-moving ransomware targets.
The Storm-1175 campaign adds a new dimension to the attacks – speed. According to Microsoft, Storm-1175 runs high-tempo campaigns that deliberately target the gap between vulnerability disclosure and patch adoption.
Since 2023, the attackers have exploited more than 16 vulnerabilities across widely used enterprise platforms, including Microsoft Exchange, ConnectWise tools, and file transfer software. In several cases, they weaponized zero-day flaws up to a week before public disclosure.
Once Storm-1175 gains access, it wastes no time. The group establishes persistence by creating new user accounts, deploying web shells, or legitimate remote monitoring and management (RMM) software for lateral movement. They begin credential theft almost immediately, though the endgame is deploying the Medusa ransomware.
In its research, Microsoft discovered that the group leverages tools like PowerShell, PsExec, and Impacket for lateral movement, modifies Windows firewall policy rules to enable remote access, and deploys utilities such as PDQ Deploy to push ransomware across compromised networks.
Besides Windows, Storm-1175 has also shown it can go after Linux environments. In late 2024, Microsoft observed the group exploiting vulnerable Oracle WebLogic instances across several organizations, although they were unable to identify the exact flaw that was exploited in those attacks.
Targets span multiple sectors, including healthcare, education, finance, and professional services across the US, UK, and Australia. However, the researchers stress that the common thread isn’t industry; it’s exposure. If an unpatched system sits on the internet, it comes into the group’s crosshairs.
Also worrying is the use of legitimate enterprise tools that give attackers a way to hide in plain sight by routing malicious activity through trusted, encrypted channels and making detection far more difficult for defenders.
Quote:In 2024, reports emerged of a highly sophisticated cyber espionage campaign against US telecoms companies, which some analysts believe went all the way up to the Chinese government.
The group behind this campaign would later be codenamed Salt Typhoon, and it is believed to have quietly infiltrated critical US telecoms infrastructure in order to collect private information on influential Americans – including presidential candidates. In the process, it may have also swept up data from millions of ordinary Americans. The Chinese government has denied responsibility for Salt Typhoon.
We speak to former Deputy National Security Adviser Anne Neuberger, who was working inside the White House when the attacks were first uncovered. We also speak to BBC cyber correspondent Joe Tidy about how this hack unfolded – and what it reveals about who may be winning the cyber war.
I know the article is quite short, but you can listen to the podcast at any time.
Quote:British businesses are being urged to step up their vigilance against a China-linked hacking ploy that uses everyday devices for espionage.
The UK’s National Cyber Security Centre (NCSC) and agencies in nine other countries have warned of persistent attempts by Beijing-backed groups to hack equipment such as wifi routers to launch cyber-attacks.
Known as “covert networks” or “botnets”, they typically target vulnerable equipment – for instance devices that have not had a software update or are old – as a base for staging activities such as surveillance and data theft.
The NCSC said the technique was used by the majority of China-linked hackers. Richard Horne, the centre’s chief executive, said on Wednesday that China’s intelligence and military agencies had an “eye-watering level of sophistication in their cyber-operations”. Speaking at the NCSC’s annual conference in Glasgow, he said: “We face more than just a capable cyber-threat but a peer competitor in cyberspace.”
The advisory notice from the NCSC and cyber-agencies in countries including the US, Australia, Canada and Germany warns there has been a “major shift” in Chinese tactics to using devices linked to the internet as a means of obscuring where an attack comes from. The most commonly hijacked devices are routers but printers and web cameras are also vulnerable.
Security officials compare routers to virtual private networks, which allow web users to obscure their location. They say a household’s wifi router could be used as a conduit for attacking an unrelated major company.
While the NCSC guidance is not directed at members of the public who might be unwittingly providing a launchpad for espionage, it urges companies and organisations to take a number of steps such as mapping out their IT systems, including connections to consumer broadband networks. It also recommends multifactor authentication – where users are asked to give another form of verification along with their password – for members of staff trying to access a system remotely. It also advises limiting network connections to external devices.
The centre said in the advisory notice published on Thursday: “The NCSC believes that the majority of China-nexus threat actors are using these networks, that multiple covert networks have been created and are being constantly updated, and that a single covert network could be being used by multiple actors. These networks are mainly made up of compromised small office home office routers, as well as internet of things [connected devices] and smart devices.”
A China-backed group, dubbed Volt Typhoon by western authorities, has been flagged by agencies as a user of covert networks and has quietly burrowed into key US infrastructure including rail, aviation and water systems. The NCSC said these covert networks were now built and maintained by private Chinese companies. In one example, a Chinese business created a covert network by infecting 200,000 devices worldwide.
This year, Google announced it had disrupted a “residential proxy” network where cybercrime groups and state actors used hacked household and IT devices to launch attacks.
Quote:The Justice Department unveiled charges Thursday against two Chinese nationals allegedly behind an overseas cryptocurrency scam center, as U.S. Attorney for the District of Columbia Jeanine Pirro vowed that the Trump administration is "just getting started" in combating these schemes.
Pirro told reporters in Washington, D.C., that cyber-enabled and cryptocurrency investment fraud is "among the fastest growing and the most financially devastating form of cybercrime that is targeting Americans today." The DOJ’s actions come after Pirro launched the Scam Center Strike Force in November last year, following an executive order from President Donald Trump.
"Today, we announce significant milestones in that fight. We have charged Chinese bosses who ran a scam compound in Burma where thousands were trafficked, enslaved, beaten and then forced to steal from Americans for years. We have seized also a Telegram channel, and that channel was luring workers into a forced compound in Cambodia," Pirro said. "There they were ordered to pose as U.S. banks, as the New York City Police Department, to steal Americans’ life savings."
"We have taken down more than 500 websites. They were used to steal Americans’ life savings. My office is going to continue to work to identify the funds stolen," Pirro added. "We have also restrained more than $700 million in cryptocurrency from U.S. victims of fraud. The administration of President Trump is lockstep in combating these scams, and we are just getting started."
The Justice Department said the two Chinese nationals, identified as Huang Xingshan and Jiang Wen Jie, were arrested in Thailand earlier this year after allegedly being linked to "cryptocurrency investment fraud operations" out of the Shunda compound in Burma. The pair were charged with wire fraud conspiracy and the U.S. is working to extradite them to face justice on American soil, according to Pirro.
"The Shunda compound operated from at least January 2025 until approximately November 2025, when it was seized by the Karen National Liberation Army of Burma. The compound used scam websites and mobile applications disguised as legitimate investment platforms to defraud victims, including Americans," the DOJ said. "Workers within the compound were trafficked individuals who were held against their will and forced to defraud victims under the threat of violence and torture."
"According to the investigation, Huang served at Shunda as a high-level manager and enforcer and personally participated in the physical punishment of trafficked compound workers. Jiang served as a team leader directly supervising workers who specifically targeted American victims," the DOJ added. "Under Jiang’s supervision, one of the people under his command successfully defrauded a single American victim of over $3 million utilizing a fraudulent investment platform. The theft was celebrated within the organization as a paradigm of success."
Quote:A Chinese hacker accused of stealing COVID-19 research from U.S. institutions in a massive cyberattack has been extradited to American soil.
FBI Director Kash Patel said the case involving Xu Zewei is a "historic win for our cybersecurity efforts under President Trump, bringing bad actors who target American infrastructure to justice no matter where they try to hide."
Patel said Xu, a Chinese national and accused state-sponsored hacker, is "allegedly responsible for a massive cyber intrusion campaign in 2020 and 2021 stealing COVID-19 research from American institutions."
"Xu has been extradited to the U.S. out of Italy as of this weekend, and he will now face federal charges," Patel revealed Tuesday in a post on X.
"During 2020 and 2021, at the height of the COVID-19 pandemic, Xu and his co-conspirators allegedly targeted and hacked U.S. based universities, immunologists, and virologists conducting COVID-19 research – including key treatment and vaccines – accessing email accounts and more," Patel said.
The Justice Department said Xu is facing nine charges, including two counts of wire fraud, two counts of obtaining information by unauthorized access to protected computers and aggravated identity theft. The wire fraud charges carry a maximum penalty of 20 years in prison for each count.
"According to court documents, officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for PRC’s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC’s political and domestic security," the Justice Department said.
"Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities," the Justice Department added. "For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. Xu later confirmed for the SSSB officer that he acquired the contents of the researchers’ mailboxes."
Quote:A major cyber espionage operation tied to China recently hacked into the internal communications of the Cuban embassy in Washington D.C. This breach exposes a glaring weak spot in a long-standing geopolitical alliance. Hackers gained unauthorised access to the private email accounts of 68 senior diplomatic figures, which included the ambassador and the deputy chief of mission. The cybersecurity firm Gambit Security publicly disclosed this unprecedented digital intrusion on Wednesday following initial reports from Bloomberg.
The digital infiltration began in January 2026 during a period of immense domestic instability for the Cuban regime. The nation was already grappling with an intense energy crisis after the Trump administration decided to completely halt oil shipments to the island. This diplomatic and economic pressure resulted in catastrophic nationwide blackouts, leaving vast territories without power for up to 25 to 30 hours daily and creating critical blind spots in institutional security.
Exploiting Old Microsoft Exchange Flaws to Access Cuban Intelligence
Digital investigators found that the hackers gained entry by exploiting severely outdated systems at the embassy. The diplomatic mission was still relying on older Microsoft Exchange email servers that were missing basic security updates. These critical weak points had been ignored for at least five years, giving the attackers an incredibly easy path right into their secure networks.
Because of this, the hackers easily accessed entire email archives belonging to top Cuban political strategists and intelligence officials. It is a massive security failure for Havana. Curtis Simpson, the strategy director at Gambit Security, pointed out the broader context of the attack. 'This breach illustrates how global events can fuel cyber activity,' Simpson remarked.
How Leaked Communications Could Affect US-Cuba Diplomatic Talks
The timing and scale of this operation are especially sensitive at present. Cuba and the United States have been in high-level diplomatic talks since February 2026. The negotiations hit a significant milestone recently when the Cuban government agreed to release over 2,000 political prisoners. But now, security analysts are warning that the stolen emails may have exposed sensitive details about those very discussions.
Getting direct access to these sensitive conversations gives Beijing a huge strategic advantage on the world stage. It could allow Chinese intelligence to see where US-Cuba relations are heading without relying on secondhand diplomatic channels. This relationship is highly significant to China at present as it navigates its own complicated dynamic with the United States.
Breaching Venezuelan Government Servers and Global React Development Systems
The hacking campaign did not stop at the Cuban embassy in Washington. During the same period, this identical group of Chinese-affiliated hackers executed a coordinated digital strike against the Venezuelan government and its Ministry of Foreign Affairs. This simultaneous intrusion strongly indicates a sweeping regional surveillance operation designed to monitor multiple Latin American governments.
Furthermore, the attackers weaponised a separate software vulnerability found in the widely used React development tool. This secondary exploit allowed them to compromise roughly 5,000 independent servers worldwide in less than a week. Prominent institutional victims of this global sweep included the Texas Department of Health and Human Services and the investment firm Santé Ventures.
Quote:Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO.
Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707.
"The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables," security researchers Daniel Lunghi and Lucas Silva said in an analysis.
Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor's victimology footprint is Poland.
The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.
The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access. The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading.
In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It's worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.
Also put to use are open-source tunneling tools like the IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and C# implementation of SMBExec known as Sharp-SMBExec.
"The primary entry vector used in this campaign was vulnerabilities in internet-facing IIS applications," Trend Micro said. "Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS."
"In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching)."
Quote:The developer of the popular open source text editor Notepad++ has confirmed that hackers hijacked the software to deliver malicious updates to users over the course of several months in 2025.
In a blog post published Monday, Notepad++ developer Don Ho said that the cyberattack was likely carried out by hackers associated with the Chinese government between June and December 2025, citing multiple analyses by security experts who examined the malware payloads and attack patterns. Ho said this “would explain the highly selective targeting” seen during the campaign.
Rapid7, which investigated the incident, attributed the hacking to Lotus Blossom, a long-running espionage group known to work for China, and said the hacks targeted government, telecom, aviation, critical infrastructure, and media sectors.
Notepad++ is one of the longest-running open source projects, spanning more than two decades, and it counts at least tens of millions of downloads to date, including by employees at organizations around the world.
According to Kevin Beaumont, a security researcher who first discovered the cyberattack and wrote up his findings in December, the hackers compromised a small number of organizations “with interests in East Asia” after someone unwittingly used a tainted version of the popular software. Beaumont said that the hackers were able to gain “hands-on” access to the computers of victims who were running hijacked versions of Notepad++.
Ho said that the “exact technical mechanism” of how the hackers broke into his servers remains under investigation, but provided some details as to how the attack went down.
In the blog, Ho said that Notepad++’s website was hosted on a shared hosting server. The attackers “specifically targeted” Notepad++’s web domain with the goal of exploiting a bug in the software to redirect some users to a malicious server run by the hackers. This allowed the hackers to deliver malicious updates to certain users who had requested a software update, until the bug was fixed in November and the hackers’ access was terminated in early December.
“We do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented,” wrote Ho.
In an email, Ho told TechCrunch that his hosting provider confirmed his shared server was compromised but that the provider did not say how the hackers initially broke in.
Ho apologized for the incident, and urged users to download the most recent version of his software, which contains a fix for the bug.
The cyberattack targeting Notepad++ users is somewhat reminiscent of the 2019-2020 cyberattack affecting customers of SolarWinds, a software company that makes IT and network management tools for large Fortune 500 organizations, including government departments. Russian government spies hacked into the company’s servers and secretly planted a backdoor in its software, allowing the Russian spies to access data on those customers’ networks once the update had rolled out.
The SolarWinds breach affected several government agencies, including Homeland Security and the Departments of Commerce, Energy, Justice, and State.
Quote:Security researchers at Kaspersky say they have identified a malicious backdoor planted in the popular and long-running Windows disc imaging software, Daemon Tools.
The Russian cybersecurity company said on Tuesday that data collected from computers around the world running the Kaspersky antivirus software shows a “widespread” attack is under way, targeting thousands of Windows computers running Daemon Tools.
The hackers, whom Kaspersky has linked to a Chinese-language speaking group based on an analysis of the malware, used the backdoor in Daemon Tools to plant additional malware on a dozen computers across the retail, scientific and manufacturing sectors, as well as government systems. Kaspersky said the hacking of these specific computers implied a “targeted” effort.
The company said the targeted organizations are located in Russia, Belarus, and Thailand.
Kaspersky said the backdoor was first detected on April 8.
Kaspersky said it had contacted Disc Soft, the company that maintains Daemon Tools, but did not say if the developer responded or took action. Kaspersky said the supply chain attack is “still active,” suggesting that the hackers can still plant malware on thousands of computers running the disc imaging software.
This is the latest in a string of so-called “supply chain” attacks that have targeted developers of popular software in recent months. Hackers are increasingly taking aim at the accounts of developers who work on widely used code and software, and abusing that access to push malicious code to anyone who relies on the software. This approach lets the hackers break into a large number of computers at once when their malicious code is delivered as a software update.
Earlier this year, hackers associated with the Chinese government hijacked the popular text editing software Notepad++ to deliver malware to a number of organizations with interests in East Asia. Security researchers also warned of another attack last month targeting users who visited the website of CPUID, which makes the popular HWMonitor and CPU-Z tools.
TechCrunch downloaded the Windows installer from Daemon Tools’ website, and the file appeared to contain the backdoor when we checked it with the online malware scanner service VirusTotal.
It’s not known if the macOS version of Daemon Tools was compromised, or if other apps made by Disc Soft are affected.
When contacted for comment, a Disc Soft representative said they are “aware of the report and are currently investigating the situation.”
“Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users,” the representative said.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.