Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Summary
A malware campaign discovered in August 2025 targets Chinese-speaking users with SEO poisoning, manipulating search rankings to steer victims to fake software sites, some of them hosted on GitHub Pages to exploit the trust associated with a legitimate platform. The sites serve trojanized installers that deliver HiddenGh0st, Winos, and kkRAT, all variants of Gh0st RAT. The attacks exploit vulnerabilities in popular software and use anti-analysis checks, TypeLib COM hijacking, and other techniques to evade detection and maintain persistence. Once installed, the malware establishes command-and-control communication, monitors user activity, and steals sensitive information. The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT through trojanized NSIS installers masquerading as legitimate software such as Google Chrome and Microsoft Teams. That malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, and uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm them; the final payload is a modified version of Gh0st RAT designed to communicate with a remote server to fetch additional instructions. Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Additionally, a new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.
The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, which usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide. The new variant of the ToneShell backdoor features changes and stealth enhancements, including a new host identification scheme and network traffic obfuscation with fake TLS headers. The driver file is signed with an old, stolen, or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd., valid from August 2012 to 2015. The driver registers as a minifilter driver on infected machines, injecting a backdoor trojan into system processes and protecting its malicious files, user-mode processes, and registry keys. It resolves the kernel APIs it needs dynamically at runtime, using a hashing algorithm to match the required API addresses. It monitors file-delete and file-rename operations to prevent itself from being removed or renamed. It denies attempts to create or open Registry keys that match a protected list by setting up a RegistryCallback routine, and it ensures that it operates at an altitude of 330024 or higher. The driver also interferes with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, changing it to zero and thereby preventing it from being loaded into the I/O stack. It intercepts process-related operations and denies access if the action targets any process on a list of protected process IDs while those processes are running, and it removes that rootkit protection once execution completes. The driver drops two user-mode payloads, one of which spawns an "svchost.exe" process and injects a small delay-inducing shellcode; the second payload is the TONESHELL backdoor, which is injected into that same "svchost.exe" process.
Once launched, the backdoor establishes contact with a C2 server ("avocadomechanism[.]com" or "potherbreference[.]com") over TCP on port 443, using the communication channel to receive commands. The backdoor commands include creating temporary files for incoming data, downloading files, canceling downloads, establishing a remote shell via a pipe, receiving operator commands, terminating the shell, uploading files, canceling uploads, and closing the connection. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The C2 infrastructure used for TONESHELL was set up in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear, but it is suspected that the attackers abused previously compromised machines to deploy the malicious driver. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory. HoneyMyte's 2025 operations show a noticeable evolution toward kernel-mode injectors for deploying ToneShell, improving both stealth and resilience. The Chinese espionage threat group Mustang Panda has also updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth. The updated version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and was deployed via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products.
CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation. CoolClient's core features are integrated into a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. New CoolClient capabilities include a clipboard monitoring module, active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and header extraction. The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin. The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services. The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution. Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel. A novelty in CoolClient's operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser. Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
Timeline
- 28.01.2026 00:26 · 1 article
Mustang Panda Updates CoolClient Backdoor with New Capabilities
The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth. The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and was deployed via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products. CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation. CoolClient's core features are integrated into a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. New CoolClient capabilities include a clipboard monitoring module, active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and header extraction. The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin. The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services. The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution. Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel.
A novelty in CoolClient's operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser. Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
Sources:
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- 30.12.2025 02:08 · 4 articles
ToneShell Backdoor Delivered Through Kernel-Mode Loader by Mustang Panda
The article confirms the use of the CoolClient backdoor by Mustang Panda, which has been updated to include new capabilities such as browser login data theft, clipboard monitoring, and the deployment of infostealers. The backdoor has been observed targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and leveraging legitimate software from Sangfor for deployment. The article also reiterates the group's use of a new kernel-mode loader for deploying the ToneShell backdoor, as previously reported. Additionally, the article details the deployment of three different stealer programs to extract saved login credentials from Google Chrome, Microsoft Edge, and other Chromium-based browsers. Mustang Panda has also been observed using TONESHELL (aka TOnePipeShell) to establish persistence and drop additional payloads like QReverse, a remote access trojan with remote shell, file management, screenshot capture, and information gathering features, and a USB worm codenamed TONEDISK.
Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
- 17.11.2025 13:20 · 2 articles
Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT
The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT. The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams. The malware uses a multi-stage delivery mechanism with various evasion techniques, including bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL abuse. The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software. The malware employs techniques to abuse PPL and the Windows Error Reporting system to disable Microsoft Defender Antivirus. The malware targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks Chinese security vendors Qihoo 360 Total Security and Huorong Security. The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions. The Gh0st RAT variant implements a module that captures keystrokes, clipboard contents, and foreground window titles.
Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- 15.09.2025 08:47 · 3 articles
HiddenGh0st, Winos, and kkRAT Malware Campaign Targeting Chinese-Speaking Users Discovered
In August 2025, a malware campaign targeting Chinese-speaking users was discovered. The campaign uses SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT malware families. The attacks exploit vulnerabilities in popular software and use trojanized installers to deliver the malware. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking. The campaign also involves the use of GitHub Pages to host fake installer pages, exploiting the trust associated with a legitimate platform. The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT. The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams. The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software. The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions. Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users.
Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
Information Snippets
- The campaign targets Chinese-speaking users by manipulating search rankings and using fake software sites.
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware families involved include HiddenGh0st, Winos, and kkRAT, all variants of Gh0st RAT.
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The attacks use trojanized installers to deliver the malware, which includes a malicious DLL that performs anti-analysis checks.
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware establishes command-and-control communication, monitors user activity, and steals sensitive information.
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The campaign was discovered in August 2025 and involves multiple malware families.
First reported: 15.09.2025 08:47 (1 source, 1 article). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.
First reported: 15.09.2025 08:47 (1 source, 1 article). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence.
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The campaign involves the use of GitHub Pages to host fake installer pages, exploiting the trust associated with a legitimate platform.
First reported: 15.09.2025 08:47 (1 source, 1 article). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- The malware employs a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software.
First reported: 15.09.2025 08:47 (1 source, 1 article). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- The malware targets specific antivirus programs, including 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, Kingsoft Internet Security, and QQ电脑管家 (Tencent PC Manager).
First reported: 15.09.2025 08:47 (1 source, 2 articles). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware uses a script named nice.js to control the malware delivery process, involving multiple JSON data exchanges.
First reported: 15.09.2025 08:47 (1 source, 1 article). Sources:
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks — thehackernews.com — 15.09.2025 08:47
- The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- RONINGLOADER uses a multi-stage delivery mechanism with various evasion techniques, including bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL abuse.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware employs techniques to abuse PPL and the Windows Error Reporting system to disable Microsoft Defender Antivirus.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The malware targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks Chinese security vendors Qihoo 360 Total Security and Huorong Security.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- The Gh0st RAT variant implements a module that captures keystrokes, clipboard contents, and foreground window titles.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users.
First reported: 17.11.2025 13:20 (1 source, 1 article). Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- A new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, which usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide.
First reported: 30.12.2025 02:08 (2 sources, 3 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Security researchers at Kaspersky analyzed a malicious file-system filter driver found on computer systems in Asia and discovered that it has been used in campaigns since at least February 2025 against government organizations in Myanmar, Thailand, and other Asian countries.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Evidence showed that the compromised entities had prior infections with older ToneShell variants, PlugX malware, or the ToneDisk USB worm, also attributed to state-sponsored Chinese hackers.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- The new ToneShell backdoor was deployed by a mini-filter driver named ProjectConfiguration.sys and signed with a stolen or leaked certificate valid between 2012 and 2015 and issued to Guangzhou Kingteller Technology Co., Ltd.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Mini-filters are kernel-mode drivers that plug into the Windows file-system I/O stack and can inspect, modify, or block file operations.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- ProjectConfiguration.sys embeds two user-mode shellcodes in its .data section, each executed as a separate user-mode thread to be injected into user-mode processes.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- To evade static analysis, the driver resolves required kernel APIs at runtime by enumerating loaded kernel modules and matching function hashes, rather than importing functions directly.
First reported: 30.12.2025 02:08 (1 source, 1 article). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- The driver registers as a mini-filter driver and intercepts file-system operations related to deletion and renaming. When such operations target the driver itself, they are blocked by forcing the request to fail.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- The driver also protects its service-related registry keys by registering a registry callback and denying attempts to create or open them.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- To ensure priority over security products, it selects a mini-filter altitude above the antivirus-reserved range.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Additionally, the rootkit interferes with Microsoft Defender by modifying the configuration of the WdFilter driver so it is not loaded into the I/O stack.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
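A defender-side audit for the two minifilter manipulations described in the preceding two snippets (a filter registered at or above altitude 330024, above the antivirus range, and WdFilter's altitude zeroed so Defender's filter never attaches). This is an added example, not code from the cited articles or from Kaspersky; it assumes an elevated PowerShell session on Windows, and the `$ExpectedHighAltitude` allow-list is a placeholder to tune per estate.

```powershell
# Added example (not from the cited articles): audit minifilter altitudes for the two
# manipulations described in the ToneShell rootkit reporting.
#   1) Microsoft Defender's WdFilter pushed out of the I/O stack (altitude set to 0, or not loaded)
#   2) a filter registered or loaded at or above altitude 330024, i.e. above the antivirus range
# Assumptions: run elevated on Windows; $ExpectedHighAltitude is a placeholder allow-list.

$Threshold            = 330024   # altitude the rootkit claims, per the reporting
$ExpectedHighAltitude = @()      # assumption: names of filters you expect at or above $Threshold
$Culture              = [System.Globalization.CultureInfo]::InvariantCulture

function Get-RegisteredMinifilter {
    # Every minifilter instance publishes its altitude as a REG_SZ value under
    # HKLM\SYSTEM\CurrentControlSet\Services\<service>\Instances\<instance>\Altitude
    Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\*\Instances' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $service = ($_.PSParentPath -split '\\')[-1]
        Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.Altitude) { return }
            $alt = 0.0
            $ok  = [double]::TryParse([string]$props.Altitude,
                                      [System.Globalization.NumberStyles]::Float, $Culture, [ref]$alt)
            [pscustomobject]@{
                Service  = $service
                Instance = $_.PSChildName
                Altitude = $(if ($ok) { $alt } else { $null })   # null when the value is not numeric
                Raw      = [string]$props.Altitude
            }
        }
    }
}

function Get-LoadedMinifilter {
    # Parse 'fltmc filters' (needs elevation). Row shape: "<name>  <instances>  <altitude>  <frame>"
    fltmc.exe filters 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name     = $Matches[1]
                Altitude = [double]::Parse($Matches[3], $Culture)
            }
        }
    }
}

function Test-MinifilterTampering {
    $findings   = [System.Collections.Generic.List[string]]::new()
    $registered = @(Get-RegisteredMinifilter)
    $loaded     = @(Get-LoadedMinifilter)

    # Check 1: WdFilter (normally altitude 328010) registered with altitude 0, or absent from the
    # loaded set. Absence is benign only where Defender is deliberately replaced by third-party AV.
    $wd = $registered | Where-Object Service -eq 'WdFilter'
    if (-not $wd) {
        $findings.Add('WdFilter has no Instances key; the Defender minifilter is not registered')
    } elseif ($wd | Where-Object { $_.Altitude -eq 0 }) {
        $findings.Add("WdFilter altitude is 0 (raw: $(($wd.Raw) -join ',')); it will not attach to the I/O stack")
    }
    if ($loaded -and -not ($loaded | Where-Object Name -eq 'WdFilter')) {
        $findings.Add('WdFilter is not in the loaded filter list reported by fltmc')
    }

    # Check 2: anything registered or loaded at/above the threshold that is not on the allow-list.
    foreach ($r in $registered | Where-Object { $_.Altitude -ge $Threshold -and $_.Service -notin $ExpectedHighAltitude }) {
        $findings.Add("Registered filter above AV range: $($r.Service) [$($r.Instance)] altitude $($r.Raw)")
    }
    foreach ($l in $loaded | Where-Object { $_.Altitude -ge $Threshold -and $_.Name -notin $ExpectedHighAltitude }) {
        $findings.Add("Loaded filter above AV range: $($l.Name) altitude $($l.Altitude)")
    }
    return $findings
}

$result = Test-MinifilterTampering
if ($result.Count -eq 0) { 'No minifilter altitude anomalies found.' } else { $result }
```

Run it under an elevated prompt; without elevation `fltmc` returns nothing and only the registry-based checks fire.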
- To shield injected user-mode payloads, the driver maintains a list of protected process IDs, denies handle access to those processes while the payloads are executing, and removes protection once execution completes.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- This is the first time we've seen ToneShell delivered through a kernel-mode loader, giving it protection from user-mode monitoring and benefiting from the rootkit capabilities of the driver that hides its activity from security tools.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- The new variant of the ToneShell backdoor that Kaspersky analyzed features changes and stealth enhancements. The malware now uses a new host identification scheme based on a 4-byte host ID marker instead of the 16-byte GUID used previously, and also applies network traffic obfuscation with fake TLS headers.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- In terms of the supported remote operations, the backdoor now supports the following commands: 0x1 — Create a temporary file for incoming data, 0x2 / 0x3 — Download file, 0x4 — Cancel download, 0x7 — Establish a remote shell via a pipe, 0x8 — Receive operator command, 0x9 — Terminate shell, 0xA / 0xB — Upload file, 0xC — Cancel upload, 0xD — Close connection.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Kaspersky advises that memory forensics is key in uncovering ToneShell infections backed by the new kernel-mode injector.
First reported: 30.12.2025 02:08 (2 sources, 2 articles). Sources:
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
-
The researchers have high confidence in attributing the new ToneShell backdoor sample to the Mustang Panda cyberespionage group. They assess that the threat actor has evolved its tactics, techniques, and procedures to gain operational stealth and resilience.
First reported: 30.12.2025 02:08 (2 sources, 3 articles)
- Chinese state hackers use rootkit to hide ToneShell malware activity — www.bleepingcomputer.com — 30.12.2025 02:08
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
The Chinese hacking group Mustang Panda used a previously undocumented kernel-mode rootkit driver to deliver a new variant of the TONESHELL backdoor in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia.
First reported: 30.12.2025 10:35 (2 sources, 2 articles)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
The driver file is signed with an old, stolen, or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd, valid from August 2012 to 2015.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver registers as a minifilter driver on infected machines, injecting a backdoor trojan into system processes and providing protection for malicious files, user-mode processes, and registry keys.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver resolves required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver monitors file-delete and file-rename operations to prevent itself from being removed or renamed.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver denies attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver interferes with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, changing it to zero, thereby preventing it from being loaded into the I/O stack.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
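As an added defender-side check (not from the articles or from Kaspersky's analysis), the following PowerShell script verifies that WdFilter.sys still holds its altitude and is attached to the filter manager, which is exactly what the rootkit described above breaks. It assumes an elevated session on a host with Microsoft Defender installed and takes 328010 as WdFilter's expected altitude; adjust that value if your build documents a different one.

```powershell
# Added example, not code from the reports: detect a zeroed or missing WdFilter altitude.
# Assumptions: elevated session, Microsoft Defender installed, expected altitude 328010.
$ExpectedAltitude = '328010'
$InstanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance'

function Test-WdFilterAltitude {
    param(
        [string]$Key = $InstanceKey,
        [string]$Expected = $ExpectedAltitude
    )
    $findings = @()

    # 1. Registry view: the altitude the filter manager reads at load time.
    if (-not (Test-Path -Path $Key)) {
        $findings += "Instance key missing: $Key"
    } else {
        $altitude = (Get-ItemProperty -Path $Key -Name Altitude -ErrorAction SilentlyContinue).Altitude
        if ([string]::IsNullOrEmpty($altitude)) {
            $findings += "Altitude value absent under $Key"
        } elseif ($altitude -ne $Expected) {
            # A value of 0 is the tampering the rootkit performs; any other mismatch is also suspect.
            $findings += "Altitude tampered: found '$altitude', expected '$Expected'"
        }
    }

    # 2. Live view: if the altitude was zeroed, WdFilter never attaches and will not be listed.
    $loaded = & fltmc.exe filters 2>$null | Select-String -Pattern '^\s*WdFilter\s'
    if (-not $loaded) {
        $findings += "WdFilter not listed by 'fltmc filters' (not attached to the I/O stack)"
    }

    return $findings
}

$results = @(Test-WdFilterAltitude)
if ($results.Count -eq 0) {
    'WdFilter altitude intact and filter loaded'
} else {
    $results | ForEach-Object { "FINDING: $_" }
}
```

A finding from either check on a host where Defender is expected to be running warrants memory forensics, as the reports recommend, rather than only a registry repair.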
The driver intercepts process-related operations and denies access when the action targets a process whose ID is on its list of protected process IDs, for as long as those processes are running.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver removes rootkit protection for those processes once execution completes.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The driver drops two user-mode payloads, one of which spawns an "svchost.exe" process and injects a small delay-inducing shellcode.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The second payload is the TONESHELL backdoor that's injected into that same "svchost.exe" process.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
Once launched, the backdoor establishes contact with a C2 server ("avocadomechanism[.]com" or "potherbreference[.]com") over TCP on port 443, using the communication channel to receive commands.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The backdoor commands include creating temporary files for incoming data, downloading files, canceling downloads, establishing a remote shell via pipe, receiving operator commands, terminating the shell, uploading files, canceling uploads, and closing the connection.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The C2 infrastructure used for TONESHELL was erected in September 2024, although there are indications that the campaign itself did not commence until February 2025.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
The exact initial access pathway used in the attack is not clear, but it's suspected that the attackers abused previously compromised machines to deploy the malicious driver.
First reported: 30.12.2025 10:35 (1 source, 1 article)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory.
First reported: 30.12.2025 10:35 (2 sources, 2 articles)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
HoneyMyte's 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, improving both stealth and resilience.
First reported: 30.12.2025 10:35 (2 sources, 2 articles)
- Mustang Panda Uses Signed Kernel-Mode Rootkit to Load TONESHELL Backdoor — thehackernews.com — 30.12.2025 10:35
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and was deployed via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
CoolClient's core features are integrated in a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
New CoolClient capabilities include a clipboard monitoring module, the ability to perform active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and headers extraction.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
A novelty in CoolClient’s operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
First reported: 28.01.2026 00:26 (2 sources, 2 articles)
- Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor — www.bleepingcomputer.com — 28.01.2026 00:26
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Mustang Panda has been observed using an updated version of the COOLCLIENT backdoor in cyber espionage attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
COOLCLIENT is deployed as a secondary backdoor alongside PlugX and LuminousMoth infections.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Between 2021 and 2025, Mustang Panda leveraged signed binaries from various software products, including Bitdefender, VLC Media Player, Ulead PhotoImpact, and Sangfor for DLL side-loading.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Campaigns observed in 2024 and 2025 have been found to abuse legitimate software developed by Sangfor to deliver a COOLCLIENT variant that drops and executes a previously unseen rootkit.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
COOLCLIENT is designed for collecting system and user information, such as keystrokes, clipboard contents, files, and HTTP proxy credentials from the host's HTTP traffic packets based on instructions sent from a command-and-control (C2) server over TCP.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
COOLCLIENT can set up a reverse tunnel or proxy, and receive and execute additional plugins in memory.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Mustang Panda has been observed deploying three different stealer programs to extract saved login credentials from Google Chrome, Microsoft Edge, and other Chromium-based browsers.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Mustang Panda has been identified as using batch and PowerShell scripts to gather system information, conduct document theft activities, and steal browser login data.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Mustang Panda has also been observed using TONESHELL (aka TOnePipeShell) to establish persistence and drop additional payloads like QReverse, a remote access trojan with remote shell, file management, screenshot capture, and information gathering features, and a USB worm codenamed TONEDISK.
First reported: 28.01.2026 13:40 (1 source, 1 article)
- Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks — thehackernews.com — 28.01.2026 13:40
Similar Happenings
China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023
China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET, using multiple communication methods like WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors like HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The Shadow-Void-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The Shadow-Earth-045 campaign targeted a Philippine educational institution in July 2024, using the GrayRabbit backdoor and the HoloDonut backdoor. The threat actor behind the Shadow-Earth campaign developed a .NET executable to launch PeckBirdy with ScriptControl.
China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes
China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.
APT24 Utilizes BadAudio Malware in Multi-Year Espionage Campaign
APT24, a China-linked threat group, has been using previously undocumented BadAudio malware in a nearly three-year espionage campaign targeting Windows systems. The campaign, active since November 2022, employed various attack methods including spearphishing, supply-chain compromise, and watering hole attacks. The malware is heavily obfuscated and uses sophisticated techniques to evade detection and hinder analysis. From November 2022 to at least September 2025, APT24 compromised over 20 legitimate websites to inject malicious JavaScript code, targeting specific visitors. Starting July 2024, the group compromised a Taiwanese digital marketing company, injecting malicious JavaScript into widely used libraries, affecting over 1,000 domains. Additionally, APT24 launched spearphishing operations using emails impersonating animal rescue organizations and leveraging cloud services for malware distribution. The BadAudio malware collects system details, communicates with a hard-coded C2 server, and executes payloads in memory using DLL sideloading. Despite its prolonged use, the malware remained largely undetected, with only a few samples flagged by antivirus engines. APT24 has been active since at least 2008, targeting various sectors including government, healthcare, construction, and telecommunications. The group is closely related to the Earth Aughisky group, which has also deployed Taidoor and Specas malware.
Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials
Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.
PlushDaemon Hijacks Software Updates in Supply-Chain Attacks
The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.