Espionage Campaign Targeting Eastern Asia via Sogou Zhuyin Update Server Hijacking
Summary
The TAOTH espionage campaign continues to target Eastern Asia via hijacked Sogou Zhuyin update servers, distributing malware families such as C6DOOR, GTELAM, DESFY, and TOSHIS to dissidents, journalists, and business leaders. The campaign, linked through infrastructure overlap to the ITOCHU threat actor, primarily impacts Taiwan (49% of targets), followed by Cambodia and the U.S. Additional distribution methods include phishing websites and fake cloud storage pages. Separately, Chinese state-aligned hackers have expanded the use of the Linux post-exploitation framework Showboat, now confirmed to operate as a SOCKS5 proxy backdoor with rootkit-like capabilities. Showboat has been deployed against telecommunications providers in the Middle East since at least mid-2022, with victims identified in Afghanistan and Azerbaijan and possible compromises in the U.S. and Ukraine. Its modular design enables remote shell access, file transfers, and infection of LAN devices, often using infrastructure geolocated to Chengdu, Sichuan. The malware retrieves obfuscation code from a Pastebin snippet created in January 2022, indicating long-term development and reuse across Chinese APT groups, including Calypso, which also deploys the JFMBackdoor Windows backdoor.
Timeline
- 21.05.2026 17:17 · 1 article
Showboat Linux Malware Expanded as SOCKS5 Proxy Backdoor in Middle East Telecom Attacks
Showboat, a modular Linux post-exploitation framework, has been used as a SOCKS5 proxy backdoor with rootkit-like capabilities against a telecommunications provider in the Middle East since at least mid-2022. Affiliated with China-nexus threat clusters, Showboat’s C2 infrastructure is geolocated to Chengdu, Sichuan. The malware retrieves obfuscation code from a Pastebin snippet created January 11, 2022, and can scan and infect LAN devices via its SOCKS5 proxy, enabling access to non-internet-exposed systems. Victimology includes an Afghanistan ISP, an entity in Azerbaijan, and possible compromises in the U.S. and Ukraine based on secondary C2 clusters.
Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- 29.08.2025 16:12 · 2 articles
Sogou Zhuyin Update Server Hijacked for Espionage Campaign
An abandoned update server for the Sogou Zhuyin input method editor (IME) software was hijacked in October 2024. The hijacking was used to distribute malware in an espionage campaign codenamed TAOTH, targeting users in Eastern Asia. The campaign was identified in June 2025, with the malware families first detected between December 2024 and May 2025. The primary targets are in Taiwan, accounting for 49% of all targets, followed by Cambodia and the U.S. The malware families deployed include C6DOOR, GTELAM, DESFY, and TOSHIS, which enable remote access, information theft, and backdoor functionality. The attack chain involves a compromised update process that fetches malicious payloads from a hijacked domain. The campaign also uses phishing websites and fake cloud storage pages to distribute TOSHIS.
Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
Information Snippets
- The Sogou Zhuyin update server was hijacked in October 2024, a year after the domain lapsed.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The campaign targets dissidents, journalists, researchers, and technology/business leaders in Eastern Asia.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- Malware families deployed include C6DOOR, GTELAM, DESFY, and TOSHIS.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The attack chain involves a compromised update process that fetches malicious payloads from a hijacked domain.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- TOSHIS was also distributed via phishing websites and fake cloud storage pages.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The TAOTH campaign shares infrastructure and tooling overlaps with ITOCHU.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The malware families enable remote access, information theft, and backdoor functionality.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The campaign was identified in June 2025, with the malware families first detected between December 2024 and May 2025.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- The primary targets are in Taiwan, accounting for 49% of all targets, followed by Cambodia and the U.S.
First reported: 29.08.2025 16:12 · 1 source, 2 articles. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- The attackers used legitimate cloud storage services like Google Drive for data exfiltration and to conceal malicious network traffic.
First reported: 29.08.2025 16:12 · 1 source, 1 article. Sources:
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign — thehackernews.com — 29.08.2025 16:12
- Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond using a Linux post-exploitation framework called 'Showboat' (also referred to as 'kworker').
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- The Showboat malware has been observed in attacks against diverse targets, including an ISP in Afghanistan and an unknown IP in the Donbas region of eastern Ukraine.
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- At least one Chinese APT using Showboat is Calypso, which also employs a Windows backdoor called 'JFMBackdoor'.
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Calypso’s activity has been observed since 2019, primarily targeting countries with limited Western cybersecurity visibility, such as Afghanistan, Kazakhstan, Turkey, and India.
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Showboat’s primary capability includes scanning and infecting devices on a local area network (LAN) not connected to the public internet.
First reported: 21.05.2026 17:00 · 2 sources, 2 articles. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat has remained undetected on VirusTotal as of mid-2026, indicating its stealthy design.
First reported: 21.05.2026 17:00 · 2 sources, 2 articles. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat is shared among multiple Chinese threat groups, including those using PlugX, suggesting a broader malware ecosystem within Chinese state-aligned actors.
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Chinese threat actors reportedly test malware like Showboat in smaller markets before deploying it against higher-value targets.
First reported: 21.05.2026 17:00 · 1 source, 1 article. Sources:
- Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks — www.darkreading.com — 21.05.2026 17:00
- Showboat is a modular post-exploitation framework for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- The Showboat campaign targeting a telecommunications provider in the Middle East has been active since at least mid-2022.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Analysis by Lumen Technologies Black Lotus Labs indicates Showboat is affiliated with China-nexus threat clusters, with C2 nodes geolocated to Chengdu, Sichuan.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat retrieves a code snippet from Pastebin (created January 11, 2022) to conceal its presence on the host machine.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat can scan for and infect other devices on the LAN via its SOCKS5 proxy functionality, enabling interaction with non-internet-exposed machines.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
- Showboat victimology includes an Afghanistan ISP, an unknown entity in Azerbaijan, and possible compromises in the U.S. and Ukraine based on secondary C2 clusters.
First reported: 21.05.2026 17:17 · 1 source, 1 article. Sources:
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor — thehackernews.com — 21.05.2026 17:17
Similar Happenings
Silver Fox APT expands ABCDoor backdoor operations with RustSL loader and tax-themed phishing targeting India, Russia, and additional regions
Silver Fox continues tax-themed phishing operations targeting Indian and Russian organizations, with a newly detailed payload set that includes the ABCDoor backdoor and refined persistence and command-and-control techniques. The campaign began in December 2025 with emails impersonating Indian tax authorities, expanding in January 2026 to target Russian entities using identical tax-audit lures. Kaspersky observed over 1,600 malicious emails across industrial, consulting, retail, and transportation sectors between January and February 2026. Payloads delivered via RustSL loaders include the ValleyRAT backdoor and the previously undocumented ABCDoor Python-based backdoor, which has been active in real-world attacks since Q1 2025. ABCDoor leverages Windows Registry Run keys and scheduled tasks for persistence, communicates over HTTPS using Socket.IO, and supports covert remote control features such as multi-monitor screen streaming and clipboard theft. The backdoor also supports self-updating, self-removal, and extensive host metadata collection, leaving detectable forensic artifacts in the registry and %LOCALAPPDATA%. The campaign’s geographic scope continues to expand, with RustSL configurations now including Japan alongside India, Russia, Indonesia, South Africa, and Cambodia. Silver Fox’s targeting now spans China, Taiwan, Japan, India, Russia, Indonesia, South Africa, and Cambodia, reflecting a broadening operational footprint beyond its historical focus.
APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft
APT28 (GRU GTsSS Military Unit 26165) has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers. On April 7, 2026, US authorities dismantled APT28’s US-based DNS hijacking network as part of ‘Operation Masquerade,’ neutralizing compromised routers across 23 states. The operation, led by the FBI and authorized by a court, reset DNS settings on affected TP-Link routers to restore legitimate DNS resolvers from ISPs without impacting functionality or collecting user content. The FBI is working with ISPs to notify affected users and urges router owners to replace outdated devices, update firmware, and verify DNS settings to prevent further exploitation.
Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints
A cybercrime operation named 'Bizarre Bazaar' is actively targeting exposed or poorly authenticated LLM (Large Language Model) service endpoints. Over 35,000 attack sessions were recorded in 40 days, involving unauthorized access to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign highlights the emerging threat of 'LLMjacking' attacks, where attackers exploit misconfigurations in LLM infrastructure to monetize access through cryptocurrency mining and darknet markets. The SilverInc service, marketed on Telegram and Discord, resells access to more than 50 AI models in exchange for cryptocurrency or PayPal payments. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks.
China-Linked UAT-9244 Targets Telecoms with New Malware and ORB Nodes
China-nexus threat actor UAT-9244 has been targeting telecommunications providers in South America since at least 2024. The group conducts extensive reconnaissance before deploying malware families like TernDoor, PeerTime, and BruteEntry. UAT-9244 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with FamousSparrow and Tropic Trooper, suggesting a broader China-linked operation. UAT-9244 has been active since at least November 2024, deploying TernDoor through DLL side-loading, PeerTime using BitTorrent for C2 communications, and BruteEntry to build proxy infrastructure (ORBs).
US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate
The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.