
Chinese State-Sponsored Actors Target Global Critical Infrastructure

5 unique sources, 12 articles

Summary


Chinese state-sponsored APT actors continue to escalate global espionage infrastructure with **Operation "WrtHug"**, now confirmed to have hijacked **roughly 50,000 ASUS WRT routers** across **Taiwan (50%+ of victims), Southeast Asia, Russia, Central Europe, and the U.S.** The campaign exploits **seven vulnerabilities** (including **CVE-2023-39780**, **CVE-2025-2492**) in **end-of-life SOHO devices**, leveraging the **ASUS AiCloud service** to deploy persistent SSH backdoors. A **shared 100-year TLS certificate** (replacing ASUS’s standard 10-year certificate) enables stealthy C2 communication, with **seven IPs overlapping** with the prior China-linked *AyySSHush* botnet. This operation aligns with broader Chinese APT trends (**Salt Typhoon, RedNovember, Silk Typhoon**) targeting critical infrastructure, government agencies, and now **consumer-grade routers** for resilient espionage networks. Recent breaches include the **U.S. Congressional Budget Office (CBO)**, Treasury Department, and CFIUS, alongside advisories from **CISA, NSA, and allies** warning of a shift toward **potential disruptive cyber capabilities**. ASUS has released patches, but **unpatched or unsupported devices remain at risk** of persistent compromise.
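As an added, defender-side example (not code from the page, from ASUS or from SecurityScorecard): a stdlib-only Python check that walks a DER certificate just far enough to read its Validity field and flags a window far longer than ASUS's 10-year default, the kind of anomaly the shared 100-year WrtHug certificate presents. The 20-year threshold, the helper names and the constructed sample certificate are assumptions.

```python
# Added example: flag X.509 certificates whose validity window is far longer
# than ASUS's usual 10-year span. Stdlib only; MAX_YEARS is an assumed threshold.
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE, INTEGER = 0x17, 0x18, 0x30, 0x02
MAX_YEARS = 20

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def _children(der: bytes) -> list:
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(der):
        tag, value, pos = _tlv(der, pos)
        out.append((tag, value))
    return out

def _parse_time(tag: int, value: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_years(cert_der: bytes) -> float:
    """notAfter minus notBefore of a DER-encoded certificate, in years."""
    _, body, _ = _tlv(cert_der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _tlv(body, 0)                           # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    (t1, v1), (t2, v2) = _children(fields[3][1])[:2]    # serial, sigAlg, issuer, validity
    return (_parse_time(t2, v2) - _parse_time(t1, v1)).days / 365.25

def is_suspicious(cert_der: bytes, max_years: float = MAX_YEARS) -> bool:
    return validity_years(cert_der) > max_years

def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload         # short-form lengths only

def make_sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed, unsigned stand-in: only the validity fields are meaningful."""
    times = b"".join(_der(GENERALIZED_TIME if len(t) == 15 else UTC_TIME, t.encode())
                     for t in (not_before, not_after))
    tbs = (_der(0xA0, _der(INTEGER, b"\x02")) + _der(INTEGER, b"\x01")
           + _der(SEQUENCE, b"") + _der(SEQUENCE, b"") + _der(SEQUENCE, times))
    return _der(SEQUENCE, _der(SEQUENCE, tbs) + _der(SEQUENCE, b"") + _der(0x03, b"\x00"))
```

On a live device the same check applies to the DER returned by `ssl.SSLSocket.getpeercert(binary_form=True)`; a long window is a lead to investigate, not proof of compromise on its own.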

Timeline

  1. 19.11.2025 12:20 3 articles · 1d ago

    China-Linked Operation "WrtHug" Hijacks ASUS Routers for Espionage

    Operation **"WrtHug"** has compromised **roughly 50,000 ASUS WRT routers** worldwide—predominantly in **Taiwan (50%+ of victims), Southeast Asia, Russia, Central Europe, and the U.S.**—with **no infections observed in China**, potentially indicating a China-nexus actor. The campaign exploits **seven vulnerabilities** (including **CVE-2023-39780**, **CVE-2025-2492**) in **end-of-life SOHO devices**, leveraging the **ASUS AiCloud service** to deploy **persistent SSH backdoors** that survive reboots. A **shared 100-year TLS certificate** (replacing ASUS’s standard 10-year certificate) was used as a unique IoC to track infections, with **seven IPs overlapping** with the prior *AyySSHush* botnet. SecurityScorecard assesses **low-to-moderate confidence** in Chinese APT attribution, citing tactical overlaps with **Operational Relay Box (ORB) campaigns** (*LapDogs*, *PolarEdge*). Targeted models include **4G-AC55U, GT-AC5300, RT-AC1300UHP**, and others. ASUS has released **security updates** addressing all exploited flaws, but **unpatched or unsupported devices remain vulnerable** to takeover by other actors.

  2. 07.11.2025 02:22 1 article · 13d ago

    Chinese APT Group Breaches U.S. Congressional Budget Office

    The U.S. Congressional Budget Office (CBO) confirmed a cybersecurity incident after a suspected foreign hacker—potentially linked to Chinese state-sponsored APT groups—breached its network. The intrusion, detected in early November 2025, may have exposed sensitive emails, draft reports, and internal communications between CBO analysts and congressional offices. The CBO contained the incident and deployed additional monitoring and security controls. This breach follows a pattern of targeted attacks on U.S. government agencies, including the **U.S. Treasury Department and CFIUS** in late 2024, both attributed to the Chinese APT group **Silk Typhoon**. The CBO, a nonpartisan agency providing economic analysis to Congress, represents a critical target for espionage or influence operations. The incident underscores the expanding scope of Chinese APT campaigns beyond traditional critical infrastructure to include legislative and economic policy institutions.

  3. 20.10.2025 15:15 1 article · 1mo ago

    Salt Typhoon Exploits Citrix NetScaler Gateway Vulnerability in Global Cyber-Attack

    Salt Typhoon has exploited a Citrix NetScaler Gateway vulnerability in a recent cyber intrusion. The group has used DLL sideloading and zero-day exploits to infiltrate systems. The intrusion involved a European telecommunications organization, beginning in July 2025. The attackers deployed a backdoor identified as SNAPPYBEE (also known as Deed RAT) through DLL sideloading. The backdoor established communication with command-and-control (C2) servers using HTTP and unidentified TCP-based protocols. The C2 domain aar.gandhibludtric[.]com was previously associated with Salt Typhoon infrastructure.

  4. 24.09.2025 04:00 2 articles · 1mo ago

    RedNovember Targets Global Infrastructure Using Public Exploits

    RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

  5. 07.09.2025 17:09 3 articles · 2mo ago

    Czech Republic's NUKIB Issues High Risk Warning on Chinese Technology

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The warning lists consumer devices manufactured by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters, as risky. All entities subject to the Czech Cybersecurity Act must adopt security measures to mitigate risks associated with Chinese technology.

  6. 04.09.2025 23:04 3 articles · 2mo ago

    Czech Republic Issues Advisory on PRC Data Theft

    The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued an advisory warning about data transfers to the People's Republic of China (PRC). The advisory highlights concerns over the transfer of system and user data to China, which could be misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.

  7. 28.08.2025 17:04 4 articles · 2mo ago

    Salt Typhoon Exploits Edge Devices to Breach 600 Organizations

    The Salt Typhoon group has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The compromised devices are used to capture TACACS+ traffic for lateral movement and deeper network infiltration. The actors have enabled the sshd_operns service on Cisco IOS XR devices to gain root access. The campaign is supported by an ecosystem of contractors, academics, and facilitators aiding in tool development and intrusion operations. The group has also exploited a Citrix NetScaler Gateway vulnerability in a recent cyber intrusion.

  8. 27.08.2025 15:00 8 articles · 2mo ago

    Joint Advisory on Chinese State-Sponsored Actors Targeting Global Infrastructure

    The advisory includes previously unknown insights into People's Republic of China (PRC) cyber operations. It notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to something more invasive, aiming for long-term access that could enable disruption. It also notes that the APT actors may target Citrix NetScaler Gateway vulnerabilities.


Similar Happenings

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

SesameOp malware leverages OpenAI Assistants API for command-and-control

A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.

RMM Software Exploited in Logistics and Freight Network Intrusions

Cybercriminals have been targeting trucking and logistics companies since at least January 2025, using remote monitoring and management (RMM) software to infiltrate networks and steal cargo freight. The primary targets are food and beverage products, which are often sold online or shipped overseas. The attackers collaborate with organized crime groups and use various methods to gain access, including compromised email accounts, spear-phishing emails, and fraudulent freight listings. They leverage legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve to maintain persistence and evade detection. Once inside, they conduct reconnaissance, harvest credentials, and manipulate dispatch systems to steal cargo. The use of RMM software allows them to operate undetected, as these tools are commonly used in enterprise environments and are often not flagged as malicious. The attackers have conducted nearly two dozen campaigns targeting North American freight companies in September and October 2025, with volumes ranging from fewer than 10 to over 1000 messages per campaign. The attackers have been active since at least June 2025, with evidence suggesting campaigns began as early as January 2025. Similar activity has been observed in Brazil, Mexico, India, Germany, Chile, and South Africa. The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. at $35 billion annually. The attackers use compromised accounts on load boards to post fraudulent freight listings and hijack email threads to lead victims to malicious URLs. They send direct phishing emails to asset-based carriers, freight brokerage firms, and integrated supply-chain providers, targeting a wide range of carriers from small businesses to large transport firms. The attackers aim to compromise any carrier that responds to fake load postings and to identify and bid on profitable loads to steal. They use various methods to steal cargo, including direct collaboration with truckers and double brokering, which disrupts the supply chain, leading to increased costs, delays, and insurance claims, and erodes trust within the supply chain.

Cisco IOS XE devices in Australia targeted by BadCandy webshell

The Australian government has warned of ongoing cyberattacks targeting unpatched Cisco IOS XE devices, exploiting the CVE-2023-20198 vulnerability to install the BADCANDY webshell. This allows attackers to execute commands with root privileges. The flaw was patched in October 2023, but many devices remain unpatched, leading to persistent infections. Over 400 devices were potentially compromised since July 2025, with over 150 still infected as of late October 2025. The Australian Signals Directorate (ASD) is actively notifying victims and providing mitigation guidance. The attacks are attributed to state-sponsored cyber-actors, including the Chinese state actor Salt Typhoon. The ASD has noted that the BADCANDY webshell has been actively exploited since October 2023, with ongoing attacks in 2024 and 2025. The ASD has detected re-exploitation on devices for which notifications were previously issued. The ASD recommends reviewing running configurations for unexpected accounts and unknown tunnel interfaces, and advises reviewing TACACS+ AAA command accounting logging for configuration changes.