Chinese State-Sponsored Actors Target Global Critical Infrastructure
Summary
Hide ▲
Show ▼
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
Timeline
-
24.09.2025 04:00 2 articles · 6d ago
RedNovember Targets Global Infrastructure Using Public Exploits
RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
Show sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
07.09.2025 17:09 3 articles · 22d ago
Czech Republic's NUKIB Issues High Risk Warning on Chinese Technology
The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The warning includes consumer devices such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters manufactured by Chinese firms as risky devices. All entities subject to the Czech Cybersecurity Act must adopt security measures to mitigate risks associated with Chinese technology.
Show sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
04.09.2025 23:04 3 articles · 25d ago
Czech Republic Issues Advisory on PRC Data Theft
The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued an advisory warning about data transfers to the People's Republic of China (PRC). The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.
Show sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
28.08.2025 17:04 3 articles · 1mo ago
Salt Typhoon Exploits Edge Devices to Breach 600 Organizations
The Salt Typhoon group has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The compromised devices are used to capture TACACS+ traffic for lateral movement and deeper network infiltration. The actors have enabled sshd_operns service on Cisco IOS XR devices to gain root access. The campaign is supported by an ecosystem of contractors, academics, and facilitators aiding in tool development and intrusion operations.
Show sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
27.08.2025 15:00 7 articles · 1mo ago
Joint Advisory on Chinese State-Sponsored Actors Targeting Global Infrastructure
The advisory includes previously unknown insights into People's Republic of China (PRC) cyber operations. The advisory notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. The advisory highlights a critical shift from Chinese state-sponsored activity from being purely espionage to something more invasive, aiming for long-term access for potential disruption.
Show sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
Information Snippets
-
Chinese state-sponsored actors are exploiting vulnerabilities in routers used by telecommunications providers and other infrastructure operators.
First reported: 27.08.2025 15:003 sources, 4 articlesShow sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
-
These actors often take steps to evade detection and maintain persistent access across multiple sectors.
First reported: 27.08.2025 15:003 sources, 4 articlesShow sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
-
The advisory includes updated threat intelligence from investigations conducted through July 2025.
First reported: 27.08.2025 15:002 sources, 3 articlesShow sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory reflects indicators from industry reporting on multiple Chinese state-sponsored threat groups.
First reported: 27.08.2025 15:002 sources, 3 articlesShow sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
Recommended mitigations include patching known exploited vulnerabilities, enabling centralized logging, and securing edge infrastructure.
First reported: 27.08.2025 15:002 sources, 2 articlesShow sources
- CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems — www.cisa.gov — 27.08.2025 15:00
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
-
Salt Typhoon has exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access.
First reported: 28.08.2025 17:042 sources, 3 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
-
The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.
First reported: 28.08.2025 17:042 sources, 2 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
-
The threat actors have modified routers to maintain persistent access and pivot into other networks.
First reported: 28.08.2025 17:042 sources, 2 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
-
The compromised devices are used to capture TACACS+ traffic for lateral movement and deeper network infiltration.
First reported: 28.08.2025 17:042 sources, 2 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
-
The actors have enabled sshd_operns service on Cisco IOS XR devices to gain root access.
First reported: 28.08.2025 17:042 sources, 4 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The campaign is supported by an ecosystem of contractors, academics, and facilitators aiding in tool development and intrusion operations.
First reported: 28.08.2025 17:042 sources, 3 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The threat actors have targeted telecommunications, government, transportation, lodging, and military infrastructure sectors.
First reported: 28.08.2025 17:042 sources, 4 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The actors have leveraged compromised devices and trusted connections to pivot into other networks.
First reported: 28.08.2025 17:042 sources, 3 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The actors have modified routers to maintain persistent, long-term access to networks.
First reported: 28.08.2025 17:042 sources, 3 articlesShow sources
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide — thehackernews.com — 28.08.2025 17:04
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory was co-signed by nations including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.
First reported: 28.08.2025 23:101 source, 2 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
-
The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon.
First reported: 28.08.2025 23:101 source, 2 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
-
The advisory includes previously unknown insights into People's Republic of China (PRC) cyber operations.
First reported: 28.08.2025 23:101 source, 2 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
-
The advisory notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc.
First reported: 28.08.2025 23:102 sources, 3 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory recommends monitoring network device configuration changes, virtualized containers, network services and tunnels, protocol patterns, logs, and firmware and software integrity.
First reported: 28.08.2025 23:102 sources, 2 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory contains indicators of compromise.
First reported: 28.08.2025 23:102 sources, 2 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory highlights a critical shift from Chinese state-sponsored activity from being purely espionage to something more invasive, aiming for long-term access for potential disruption.
First reported: 28.08.2025 23:102 sources, 3 articlesShow sources
- CISA, FBI, NSA Warn of Chinese 'Global Espionage System' — www.darkreading.com — 28.08.2025 23:10
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The Czech Republic's National Cyber and Information Security Agency (NÚKIB) issued an advisory warning about data transfers to the People's Republic of China (PRC).
First reported: 04.09.2025 23:043 sources, 3 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests.
First reported: 04.09.2025 23:043 sources, 3 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO.
First reported: 04.09.2025 23:043 sources, 3 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
China has been conducting large-scale telco attacks across the US and the world, positioning itself for potential destructive cyberattacks.
First reported: 04.09.2025 23:042 sources, 2 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
CrowdStrike's reports indicate a significant increase in Chinese intrusion activity, with a 150% year-over-year increase and a 40% jump in cloud-targeting operations.
First reported: 04.09.2025 23:041 source, 1 articleShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
-
The Czech report emphasizes the legal regulations in China that allow government authorities to access data, highlighting the risks of using products and services that send data to China.
First reported: 04.09.2025 23:043 sources, 3 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China.
First reported: 04.09.2025 23:043 sources, 3 articlesShow sources
- Czech Warning Highlights China Stealing User Data — www.darkreading.com — 04.09.2025 23:04
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The Czech Republic's National Cyber and Information Security Agency (NUKIB) has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The NUKIB warning includes consumer devices such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters manufactured by Chinese firms as risky devices.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
All entities subject to the Czech Cybersecurity Act must adopt security measures to mitigate risks associated with Chinese technology.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
The NUKIB's warning does not impose a ban on transferring data to the PRC or allowing remote administration from it, but organizations must include the threat in their risk analysis and decide on mitigation measures.
First reported: 07.09.2025 17:092 sources, 2 articlesShow sources
- Czech cyber agency warns against Chinese tech in critical infrastructure — www.bleepingcomputer.com — 07.09.2025 17:09
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember, an advanced persistent threat (APT) tied to Chinese state interests, exploits publicly available vulnerability exploits to infiltrate high-value corporations and government agencies.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember targets Check Point security gateways, Palo Alto's GlobalProtect, SonicWall products, Cisco Adaptive Security Appliance, F5 Network's BIG-IP, Sophos SSL VPN, and Fortinet FortiGate instances, and Ivanti Connect Secure VPN appliances.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember uses commercial tools such as LeslieLoader, SparkRAT, Pantegana, Cobalt Strike, and commercial VPNs like ExpressVPN.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember's activities are aligned with Chinese state interests, targeting defense and aerospace organizations in the West, foreign affairs ministries in Asia, and other geopolitically significant entities.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember conducted cyber reconnaissance on Panamanian organizations in finance, transportation, international relations, land and economic development, and emergency services following geopolitical shifts.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember performed cyber reconnaissance on a location in Taiwan that is home to semiconductor research and development and a Taiwanese military airbase during a Chinese military exercise near Taiwan.
First reported: 24.09.2025 04:002 sources, 2 articlesShow sources
- Chinese APT Uses OSS & PoCs to Spy on Other Countries — www.darkreading.com — 24.09.2025 04:00
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has targeted a ministry of foreign affairs in central Asia, a state security organization in Africa, a European government directorate, and a Southeast Asian government.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has targeted Ivanti Connect Secure appliances associated with a newspaper and an engineering and military contractor, both based in the U.S.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has targeted the Microsoft Outlook Web Access (OWA) portals belonging to a South American country before that country's state visit to China.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has used the Spark RAT and LESLIELOADER to launch its attacks.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
-
RedNovember has used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.
First reported: 24.09.2025 19:361 source, 1 articleShow sources
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike — thehackernews.com — 24.09.2025 19:36
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.
GeoServer RCE Exploit Used in Federal Agency Breach
A U.S. federal civilian executive branch (FCEB) agency was breached in July 2024 after attackers exploited an unpatched GeoServer instance. The attackers gained initial access through a critical remote code execution (RCE) vulnerability (CVE-2024-36401) and moved laterally within the network, deploying web shells and scripts for persistence and privilege escalation. The breach remained undetected for three weeks until the agency's Endpoint Detection and Response (EDR) tool alerted the Security Operations Center (SOC). The attackers exploited the vulnerability in GeoServer, which was patched in June 2024 but remained unpatched in the agency's environment. They used brute force techniques for lateral movement and privilege escalation, accessing service accounts and deploying web shells like China Chopper. The breach highlights the importance of timely patching, continuous monitoring of EDR alerts, and comprehensive incident response plans. The attackers discovered the vulnerable GeoServer instances by conducting network scanning with Burp Suite. They exploited the vulnerability to gain access to a public-facing GeoServer instance and downloaded open-source scripts and tools for lateral movement. On July 24, 2024, the attackers exploited the same vulnerability to gain access to a second GeoServer instance and moved laterally to a Web server and SQL server, where they dropped web shells, including China Chopper. The attackers also used Stowaway for command-and-control (C2) traffic and attempted to exploit CVE-2016-5195 for privilege escalation. The agency's incident response plan was inadequate, and some public-facing resources lacked endpoint protection, allowing the breach to remain undetected for three weeks.
Gamaredon and Turla Collaboration to Deploy Kazuar Backdoor in Ukraine
Russian hacking groups Gamaredon and Turla have been collaborating to target Ukrainian entities. The groups used Gamaredon tools to deploy Turla's Kazuar backdoor on multiple endpoints in Ukraine. The collaboration likely began in early 2025, with evidence of coordinated activities in February, April, and June. The attacks primarily focused on the Ukrainian defense sector. The collaboration involves Gamaredon using tools like PteroGraphin and PteroOdd to execute the Kazuar backdoor. The Kazuar backdoor is a .NET-based malware that has been in use since at least 2016 and has undergone multiple updates, with the latest version (Kazuar v3) introduced in February 2025. The initial access vector used by Gamaredon is not clear, but the group has a history of using spear-phishing and malicious LNK files. The collaboration between Gamaredon and Turla is assessed to be driven by Russia's full-scale invasion of Ukraine in 2022.
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.