China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery
Summary
Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. DKnife also monitors WeChat activity in detail, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.
Timeline
- 06.02.2026 19:00 (2 articles)
DKnife Linked to WizardNet Campaign Infrastructure
The researchers discovered overlaps between DKnife's infrastructure and a campaign delivering WizardNet, a modular backdoor known to be delivered by Spellbinder, suggesting a shared development or operational lineage between the two frameworks.
Sources:
- Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
- DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- 06.02.2026 16:56 (3 articles)
Discovery of DKnife Framework Linked to China-Nexus Threat Actors
Cybersecurity researchers have uncovered the DKnife AitM framework, which has been active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. The discovery of DKnife highlights the advanced capabilities of modern AitM threats, which blend deep-packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types. DKnife is a Linux-based (x86-64) framework designed for gateway-level attacks, enabling operators to monitor, manipulate, and hijack network traffic on compromised routers or edge devices. The framework is made up of seven executable and linkable format (ELF) binaries that operate together to carry out deep packet inspection (DPI), traffic interception, and malicious payload delivery. The reporting also describes the framework's components and their specific activities, in particular the yitiji.bin component, which creates a bridged TAP interface on the router so that the threat actor can intercept and rewrite network packets, and DKnife's detailed monitoring of user interactions on WeChat.
Sources:
- China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
- Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
- DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
Information Snippets
- DKnife is operated by China-nexus threat actors and has been active since at least 2019.
  First reported: 06.02.2026 16:56 (3 sources, 3 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- The framework targets Chinese-speaking users by harvesting credentials from Chinese email services and exfiltrating data from popular Chinese mobile applications like WeChat.
  First reported: 06.02.2026 16:56 (2 sources, 2 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife comprises seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery.
  First reported: 06.02.2026 16:56 (3 sources, 3 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- The framework delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.
  First reported: 06.02.2026 16:56 (3 sources, 3 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group.
  First reported: 06.02.2026 16:56 (3 sources, 3 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- The core component, dknife.bin, performs deep packet inspection, user activity reporting, binary download hijacking, and DNS hijacking.
  First reported: 06.02.2026 16:56 (2 sources, 2 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services.
  First reported: 06.02.2026 16:56 (2 sources, 2 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- The framework interferes with communications from antivirus and PC-management products, including 360 Total Security and Tencent services.
  First reported: 06.02.2026 16:56 (2 sources, 2 articles). Sources:
  - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife is a Linux-based (x86-64) framework designed for gateway-level attacks, enabling operators to monitor, manipulate, and hijack network traffic on compromised routers or edge devices.
  First reported: 06.02.2026 19:00 (2 sources, 2 articles). Sources:
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife is made up of seven executable and linkable format (ELF) binaries that operate together to carry out deep packet inspection (DPI), traffic interception, and malicious payload delivery.
  First reported: 06.02.2026 19:00 (2 sources, 2 articles). Sources:
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife's infrastructure overlaps with a campaign delivering WizardNet, a modular backdoor known to be delivered by Spellbinder, suggesting a shared development or operational lineage.
  First reported: 06.02.2026 19:00 (2 sources, 2 articles). Sources:
  - Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
- DKnife uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host.
  First reported: 06.02.2026 20:35 (1 source, 1 article). Sources:
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
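A bridged TAP device on a router is the kind of artefact a defender can look for directly. As an added example (not code from the page or from the DKnife research), the audit below parses the one-line output of `ip -d -o link show` and `ip -o -4 addr show` and reports every TUN/TAP device, rating a TAP device that is enslaved to a bridge, the pattern the page attributes to yitiji.bin, above a plain VPN tunnel. The sample command output, the interface names and the parsing of iproute2's -o layout are this example's own assumptions; the watched address 10.3.3.3 is the one the page reports.

```python
"""Flag bridged TUN/TAP interfaces in iproute2 output (added example).

Not code from the original page or the DKnife research. Parses constructed
`ip -d -o link show` and `ip -o -4 addr show` text and rates TUN/TAP devices:
a TAP device enslaved to a bridge sits in the LAN's layer-2 path, which is
what lets an AitM implant see and rewrite frames, so it is rated high; a bare
tun device (a normal VPN endpoint) is only listed for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `ip -d -o link show`. `master br0` marks bridge
# membership; with -d, TUN/TAP devices print a `tun type tap|tun` detail.
# The field layout follows iproute2's -o format as assumed here.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 \\    bridge_slave state forwarding
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 \\    bridge forward_delay 1500 hello_time 200
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\\    link/none  promiscuity 0 \\    tun type tun pi off vnet_hdr off persist off
5: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:aa brd ff:ff:ff:ff:ff:ff promiscuity 1 \\    tun type tap pi off vnet_hdr off persist on \\    bridge_slave state forwarding
"""

# Constructed sample of `ip -o -4 addr show` for the same router.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0\\       valid_lft forever preferred_lft forever
4: tun0    inet 10.8.0.2/24 scope global tun0\\       valid_lft forever preferred_lft forever
5: tap0    inet 10.3.3.3/24 brd 10.3.3.255 scope global tap0\\       valid_lft forever preferred_lft forever
"""

# Address the page reports for the yitiji.bin TAP interface.
WATCHED_ADDRS = frozenset({"10.3.3.3"})

LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)")
MASTER_RE = re.compile(r"\bmaster\s+(?P<master>\S+)")
TUN_RE = re.compile(r"\btun type (?P<kind>tap|tun)\b")
ADDR_RE = re.compile(r"^\d+:\s+(?P<name>\S+)\s+inet\s+(?P<addr>[\d.]+)/\d+")


@dataclass
class Iface:
    name: str
    kind: str | None = None      # "tap" or "tun" when the device is a TUN/TAP
    master: str | None = None    # bridge the device is enslaved to, if any
    addrs: list[str] = field(default_factory=list)


def parse_link(text: str) -> dict[str, Iface]:
    """Build one Iface per line of `ip -d -o link show` output."""
    ifaces: dict[str, Iface] = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        iface = Iface(m.group("name"))
        if mm := MASTER_RE.search(line):
            iface.master = mm.group("master")
        if tm := TUN_RE.search(line):
            iface.kind = tm.group("kind")
        ifaces[iface.name] = iface
    return ifaces


def parse_addr(text: str) -> list[tuple[str, str]]:
    """Return (interface, IPv4 address) pairs from `ip -o -4 addr show` output."""
    pairs = []
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            pairs.append((m.group("name"), m.group("addr")))
    return pairs


def audit(link_text: str, addr_text: str, watched=WATCHED_ADDRS) -> list[dict]:
    """Return one finding per TUN/TAP device, high severity first."""
    ifaces = parse_link(link_text)
    for name, addr in parse_addr(addr_text):
        if name in ifaces:
            ifaces[name].addrs.append(addr)

    findings = []
    for iface in ifaces.values():
        if iface.kind is None:
            continue                      # only TUN/TAP devices are of interest
        reasons = [f"{iface.kind} device"]
        severity = "medium"
        if iface.master:                  # bridged: in the layer-2 forwarding path
            reasons.append(f"enslaved to bridge {iface.master}")
            severity = "high"
        hits = sorted(a for a in iface.addrs if a in watched)
        if hits:                          # matches the address reported for DKnife
            reasons.append("carries watched address " + ", ".join(hits))
            severity = "high"
        findings.append({"iface": iface.name, "severity": severity,
                         "master": iface.master, "addrs": iface.addrs,
                         "reason": "; ".join(reasons)})
    findings.sort(key=lambda f: (f["severity"] != "high", f["iface"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINK, SAMPLE_ADDR):
        print(f"[{f['severity']:6}] {f['iface']}: {f['reason']}")
```

On a live device the two strings would be replaced by the output of the two `ip` commands. The point of the severity split is that TUN/TAP devices are not anomalous in themselves (VPN daemons and container runtimes create them); a TAP device that is both bridged into the LAN and addressed outside the router's own subnets is what deserves incident handling until its origin is confirmed.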
- DKnife monitors WeChat activity in detail, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.
  First reported: 06.02.2026 20:35 (1 source, 1 article). Sources:
  - DKnife Linux toolkit hijacks router traffic to spy, deliver malware — www.bleepingcomputer.com — 06.02.2026 20:35
Similar Happenings
PlushDaemon Hijacks Software Updates in Supply-Chain Attacks
The China-linked threat actor PlushDaemon has been hijacking software update traffic using a new implant called EdgeStepper in cyberespionage operations since 2018. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware like the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader. This leads to the deployment of the SlowStepper backdoor, which enables extensive system control and data theft. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, facilitating adversary-in-the-middle (AitM) attacks. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group uses an ELF file named bioset, internally called dns_cheat_v2, to forward DNS traffic to a malicious DNS node. They deploy two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.
MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. 
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion. 
The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities
A threat cluster dubbed ArcaneDoor has been exploiting two zero-day vulnerabilities in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. These vulnerabilities, CVE-2025-20362 and CVE-2025-20333, allow attackers to bypass authentication and execute malicious code on susceptible appliances. The campaign is linked to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849). The malware families represent a significant evolution in sophistication and evasion capabilities compared to previous campaigns. The attacks have been ongoing since at least September 2025, targeting organizations in various sectors. The exploitation of these vulnerabilities underscores the need for immediate patching and enhanced security measures for Cisco firewalls.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT. The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams. The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software. The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking. Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Additionally, a new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations. 
The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, that usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide. The new variant of the ToneShell backdoor features changes and stealth enhancements, including a new host identification scheme and network traffic obfuscation with fake TLS headers. The driver file is signed with an old, stolen, or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd, valid from August 2012 to 2015. The driver registers as a minifilter driver on infected machines, injecting a backdoor trojan into system processes and providing protection for malicious files, user-mode processes, and registry keys. The driver resolves required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses. The driver monitors file-delete and file-rename operations to prevent itself from being removed or renamed. The driver denies attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher. The driver interferes with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, changing it to zero, thereby preventing it from being loaded into the I/O stack. The driver intercepts process-related operations and denies access if the action targets any process that's on a list of protected process IDs when they are running. The driver removes rootkit protection for those processes once execution completes. The driver drops two user-mode payloads, one of which spawns an "svchost.exe" process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that's injected into that same "svchost.exe" process. 
Once launched, the backdoor establishes contact with a C2 server ("avocadomechanism[.]com" or "potherbreference[.]com") over TCP on port 443, using the communication channel to receive commands. The backdoor commands include creating temporary files for incoming data, downloading files, canceling downloads, establishing a remote shell via pipe, receiving operator commands, terminating the shell, uploading files, canceling uploads, and closing the connection. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The C2 infrastructure used for TONESHELL was erected in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear, but it's suspected that the attackers abused previously compromised machines to deploy the malicious driver. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory. HoneyMyte's 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, improving both stealth and resilience. The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth. The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and were deployed via legitimate software from Sangfor, a Chinese company specialized in cybersecurity, cloud computing, and IT infrastructure products. 
CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation. CoolClient's core features are integrated in a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. New CoolClient capabilities include a clipboard monitoring module, the ability to perform active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and headers extraction. The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin. The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services. The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution. Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel. A novelty in CoolClient’s operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser. Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module
The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. The UAT-8099 group, similar to GhostRedirector, hijacks IIS servers to funnel mobile search engine traffic to spam advertisements and illegal gambling websites. The group targets servers in Brazil, Canada, India, Thailand, and Vietnam, using open-source web shells for initial access and privilege escalation. UAT-8099 installs the BadIIS module to intercept and manipulate HTTP traffic for SEO poisoning and malicious redirects. The attackers use BadIIS to serve SEO terms to search engine crawlers and redirect human visitors to scam websites. UAT-8099 deploys a Cobalt Strike backdoor to maintain persistent access and exfiltrate sensitive data. The group's activities are often undetected by the targeted organizations due to the stealthy nature of the attacks. Cisco Talos has detailed the full attack chain and additional findings relating to the UAT-8099 campaign, identifying several new BadIIS malware samples with altered code structures to evade detection. The group uses SoftEther VPN, EasyTier, and the FRP reverse proxy tool for persistence and deploys defense mechanisms to secure their foothold. The UAT-8099 group was first discovered in April 2025 and primarily targets mobile users, including both Android and Apple iPhone devices. 
The group uses the Everything tool to search for valuable data within compromised hosts. BadIIS operates in three modes: Proxy, Injector, and SEO fraud. BadIIS uses backlinking to boost website visibility and rankings. The latest campaign by UAT-8099, discovered by Cisco Talos, targets IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a focus on Thailand and Vietnam. The group uses web shells and PowerShell to deploy the GotoHTTP tool for remote access. The campaign involves deploying tools like Sharp4RemoveLog, CnCrypt Protect, OpenArk64, and GotoHTTP. UAT-8099 creates hidden user accounts named 'admin$' and 'mysql$' to maintain access. BadIIS malware variants include BadIIS IISHijack and BadIIS asdSearchEngine, targeting specific regions. BadIIS asdSearchEngine has three variants: Exclusive multiple extensions, Load HTML templates, and Dynamic page extension/directory index. UAT-8099 is refining its Linux version of BadIIS, targeting Google, Microsoft Bing, and Yahoo! crawlers.