SoftEther VPN
-
China-linked Salt Typhoon exploited Citrix to target European telecom, Darktrace says
Security firm Darktrace reported that a European telecommunications organisation was targeted in July 2025 by a China-linked group known as Salt Typhoon, which exploited a Citrix NetScaler Gateway to gain access and deployed Snappybee via DLL side-loading; the activity was detected and remediated and the victim was not named.
-
ReliaQuest: Chinese-linked group converted ArcGIS server into long-term backdoor
ReliaQuest reported that a state-linked group known as Flax Typhoon modified an ArcGIS Java extension into a web shell, implanted it in backups and used it to run discovery, deploy a SoftEther-based VPN bridge and maintain access for over a year.
-
Researchers say Chinese-speaking group UAT-8099 uses IIS servers for global SEO fraud
Researchers say a Chinese-speaking group dubbed UAT-8099 has been exploiting Microsoft IIS servers to run SEO fraud and steal credentials and certificate data, using web shells, Cobalt Strike and a modified BadIIS backdoor across targets in Asia and the Americas.
-
Taiwan Web Infrastructure Targeted by UAT-7237, Cisco Talos Says
Cisco Talos links a China-aligned APT cluster, UAT-7237, to attacks on Taiwan’s web infrastructure, using customized open-source tooling and a SoundBill shellcode loader to deploy backdoors and credentials-stealing utilities. The operation, active since 2022 and considered a sub-group of UAT-5918, also employs VPN persistence and RDP access, with updates to embed Mimikatz and broader lateral…
