This blog post focuses on APT24, a China-linked intrusion set active since at least 2011. Despite its long operational history, publicly available technical analysis of this group remains limited. A recent Google Cloud report shed additional light on APT24’s activities; however, it provided only a brief overview of badAudio, a distinctive downloader associated with the…
Lire la suite
First post of the year — I wish you all a happy New Year. Habits die hard, so to inaugurate 2026, I have chosen to write about another (likely) China-linked APT. Lotus Blossom, also known as Red Salamander, Lotus Panda, or Billbug, is an intrusion set active since at least 2009. While several pieces of…
Lire la suite
I am often asked how long an exposed machine can remain connected before being targeted. Just the other day, I was reviewing the initial results of an honeypot I had set up only minutes earlier when I noticed the first exploitation attempts. And, of course, it was a cryptominer. First stage In this case, the…
Lire la suite
A QUICKHEAL sample (9553567e231a172c69f0ef8800a927193b9cbd49), used in a recent campaign targeting the telecom sector, was recently uploaded to VirusTotal (VT). This malware is closely associated, according to open sources, with a Chinese People’s Liberation Army (PLA)-linked intrusion set known as the Needleminer group, RedFoxtrot, or Nomad Panda Since I had never worked on QUICKHEAL before and…
Lire la suite
Checkpoint recently published a report on Sharp Panda, mentioning an extension of its victimology as well as the utilization of a new dropper to deploy the 5.t framework. To avoid confusion with other vendors naming, Checkpoint decided to rename Sharp Panda to Sharp Dragon. Associated in open sources to China, this intrusion set is mostly…
Lire la suite
A few days ago, I saw a tweet from malware C2 hunter Viriback (kudos for all your great work) mentioning the Sarwent loader. This malware appeared at least in 2018 and was notably used in a campaign reported by Talos using Amnesty International as lure in 2021. Since I had never worked on this malware…
Lire la suite
In a great blog post, Xscaler revealed a recent campaign targeting IT professionals via Google maldvertising in order to distribute a new backdoor named « MadMxShell ». In this campaign, the attackers registered domains mimicking the names of well-known IP scanners to lure their victims into downloading a zip archive containing a legitimate executable that sideloads a…
Lire la suite