espionage campaign

Winsage
November 1, 2025
Microsoft has rolled out an emergency security update for Windows users, but a new vulnerability, CVE-2025-9491, is being exploited by attackers and remains unpatched. This vulnerability is being actively exploited by threat actors associated with China, primarily targeting European diplomatic entities in Hungary, Belgium, and other nations. The attacks involve phishing emails with embedded URLs that deliver malicious LNK files, allowing attackers to execute obfuscated PowerShell commands and deploy a multi-stage malware chain, culminating in the PlugX remote access trojan. Users are advised to block .lnk files from untrusted sources to mitigate risks.
Winsage
October 31, 2025
A cyber espionage campaign targeting European diplomatic institutions has been attributed to the Chinese-affiliated threat actor UNC6384, which exploits the ZDI-CAN-25373 vulnerability in Windows shortcut files. The campaign, noted for its use of social engineering tactics that mimic legitimate diplomatic events, has specifically targeted entities in Hungary, Belgium, and surrounding European nations between September and October 2025. The attack utilizes spearphishing emails with malicious LNK files related to European Commission and NATO meetings, leading to the deployment of PlugX, a remote access trojan. The attack chain involves a weaponized LNK file that executes PowerShell commands to unpack a tar archive containing a malicious DLL and an encrypted payload. UNC6384 employs advanced techniques to evade detection, including dynamic loading of Windows API functions and anti-analysis measures. The malware allows extensive espionage activities and creates hidden directories for persistent access. Recommendations for organizations include disabling automatic LNK file resolution, blocking known command and control domains, and enhancing user training to defend against such threats.
Winsage
October 31, 2025
A cyber espionage campaign has been launched by the Chinese-affiliated threat actor UNC6384, targeting European diplomatic institutions using a vulnerability in the Windows shortcut (LNK) user interface, identified as ZDI-CAN-25373. This vulnerability was disclosed in March 2025. Between September and October 2025, entities in Hungary, Belgium, and neighboring European nations were specifically targeted. The attack utilizes spearphishing emails with conference-themed LNK files that exploit the Windows vulnerability to execute PowerShell commands, leading to the deployment of the PlugX remote access trojan (RAT). The attack sequence involves a weaponized LNK file that unpacks a tar archive containing a legitimate Canon printer assistant executable, a malicious DLL, and an encrypted payload. The Canon binary, despite being digitally signed, loads the malicious DLL which injects the PlugX payload into memory. The malware employs anti-analysis techniques and creates a hidden directory for persistent access. Recommendations for organizations include disabling automatic LNK file resolution, blocking known command and control domains, and monitoring for DLL side-loading attacks.
Winsage
October 31, 2025
A China-linked hacking group, identified as UNC6384 or Mustang Panda, is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats, particularly in Hungary, Belgium, Serbia, Italy, and the Netherlands. The attacks are initiated through spearphishing emails that disguise malicious LNK files as legitimate invitations to NATO and European Commission events. Once activated, these files allow the deployment of the PlugX remote access trojan (RAT), enabling persistent access to compromised systems for surveillance and data extraction. The vulnerability requires user interaction to exploit and resides in the handling of .LNK files, allowing attackers to execute arbitrary code remotely. As of March 2025, the vulnerability is being exploited by multiple state-sponsored groups and cybercrime organizations, but Microsoft has not yet released a patch for it. Network defenders are advised to restrict the use of .LNK files and block connections from identified command-and-control infrastructure.
Winsage
June 18, 2025
A cyber espionage campaign attributed to the XDSpy threat actor has been discovered, exploiting a zero-day vulnerability in Windows shortcut files identified as “ZDI-CAN-25373.” This vulnerability allows attackers to conceal executed commands within specially crafted shortcut files. XDSpy has primarily targeted government entities in Eastern Europe and Russia since its activities became known in 2020. Researchers from HarfangLab found malicious LNK files exploiting this vulnerability in mid-March, revealing issues with how Windows parses LNK files. The infection begins with a ZIP archive containing a malicious LNK file, which triggers a complex Windows shell command to execute malicious components while displaying a decoy document. This command extracts and executes a first-stage malware called “ETDownloader,” which establishes persistence and downloads a second-stage payload known as “XDigo.” The XDigo implant, written in Go, collects sensitive information and employs encryption for data exfiltration. This campaign represents an evolution in XDSpy's tactics, combining zero-day exploitation with advanced multi-stage payloads.
Winsage
June 18, 2025
The XDSpy threat actor has been exploiting a Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target governmental entities in Eastern Europe and Russia since March 2025. This campaign involves a multi-stage infection chain deploying the XDigo implant, developed in Go. Attackers use spearphishing emails with ZIP archives containing crafted LNK files that exploit the vulnerability. Upon execution, these files sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and retrieves the XDigo payload from specific domains. XDigo is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers. The campaign targets Belarusian governmental entities and employs advanced tactics, including anti-analysis checks and encryption for data exfiltration. Indicators of compromise include specific SHA-256 hashes for ZIP archives, LNK files, the ETDownloader, and XDigo malware, along with associated distribution and command-and-control domains.
AppWizard
March 12, 2025
Researchers from Lookout have identified a malware strain named KoSpy, linked to North Korean state-sponsored hackers, specifically the advanced persistent threat group ScarCruft (APT37). KoSpy targets Android devices to surveil Korean and English-speaking users and has been found on the Google Play Store and third-party app stores, disguised as utility applications. The malware can harvest sensitive information, including call logs, text messages, files, audio recordings, screenshots, and user location data. Google has removed all infected applications from its platform, confirming that the latest version was taken down before installations occurred. KoSpy first emerged in March 2022, with new samples appearing as recently as last year. The applications associated with KoSpy often have Korean titles and support both English and Korean languages. KoSpy shares infrastructure with another North Korean hacking group, Kimsuky (APT43), which has conducted spearphishing attacks. ScarCruft has targeted South Korean users and expanded its reach to countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations. In January, ScarCruft was linked to an espionage campaign against media organizations and academics, and in October, it was connected to a malware operation in Southeast Asia.
AppWizard
March 12, 2025
A report from cybersecurity firm Lookout reveals that North Korean hackers have uploaded Android spyware, named KoSpy, onto the Google Play app store, which has been downloaded over ten times. The spyware masquerades as a file manager and is designed for surveillance, collecting data such as SMS messages, call logs, device location, files, keystrokes, Wi-Fi details, installed apps, audio recordings, images, and screenshots. Google has removed the identified apps from the Play Store and deactivated associated Firebase projects. Lookout also found instances of KoSpy on the third-party app store APKPure. The campaign appears targeted at individuals in South Korea who speak English or Korean, with links to North Korean hacking groups APT37 and APT43.
AppWizard
December 7, 2024
The FBI has advised smartphone users to encrypt text messages, especially when communicating between Apple and Android devices, due to a cyber espionage campaign linked to hackers from the People's Republic of China. These hackers have targeted telecommunications infrastructure and stolen sensitive customer call records. Standard text messages between Apple and Android devices lack encryption, while messages between two devices of the same platform are secure. Users are encouraged to use secure messaging apps like WhatsApp and Signal, which provide end-to-end encryption. To use WhatsApp, users must download the app, accept terms, verify their phone number, and set up their profile. For Signal, users follow a similar process of downloading the app, verifying their phone number, creating a PIN, and setting up their profile. Both apps require Wi-Fi or cellular data for operation.
AppWizard
December 5, 2024
Smartphones have become essential tools for communication and financial management, but they also expose users to privacy risks. Cybersecurity investigations have found that certain Android applications may secretly record conversations and steal personal information. A report by cybersecurity firm ESET identified malicious apps distributed via Google Play and third-party channels that masquerade as legitimate tools. One tactic used by hackers involves initiating romantic dialogues on platforms like Facebook Messenger or WhatsApp to gain victims' trust before persuading them to install infected apps, such as those containing the VajraSpy Trojan. Malicious applications fall into three groups:
1. Standard Messaging Apps with Hidden Trojans: Apps like Hello Chat, MeetMe, and Chit Chat request access to contacts and phone numbers while secretly gathering sensitive data.
2. Apps Exploiting Accessibility Features: Apps like Wave Chat use Android's accessibility features to intercept communications from secure applications, eavesdropping on conversations and capturing notifications.
3. The Single Non-Messaging App: Nidus, a news application, requests sensitive information despite lacking messaging capabilities.
A list of 12 identified malicious apps includes Rafaqat, Privee Talk, MeetMe, Let's Chat, Quick Chat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat, and Wave Chat. Six of these were available on the Google Play Store and had over 1,400 downloads before removal. To protect privacy, users should uninstall suspicious apps, change passwords, enable two-factor authentication, run security scans, and exercise caution when downloading apps.