Symantec

December 13, 2024

Likely China-based Attackers Target High-Profile Organizations in Southeast Asia

Threat actors using tools of Chinese APT groups targeted multiple high-profile organizations in Southeast Asia, including government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet.

U.S. Organization in China Targeted by Attackers

A large U.S. organization with a significant presence in China was the subject of a targeted attack earlier this year, during which the attackers obtained a persistent presence on its network, seemingly for the purpose of intelligence gathering.

October 8, 2024

North Korean APT Stonefly Continues Extortion Attacks Against U.S. Targets

Stonefly (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) initially focused on DDoS attacks but has shifted to espionage and financially motivated attacks, resulting in the indictment of an alleged member for extorting U.S. healthcare firms.

New Msupedge Backdoor Targeting Taiwan Employs Stealthy Communications

Hackers have been using a PHP vulnerability to deploy a stealthy backdoor called Msupedge. This backdoor was recently used in a cyberattack against an unnamed university in Taiwan.

Alpha Ransomware Emerges From NetWalker Ashes

The Alpha ransomware operation appears to be linked to the previously inactive NetWalker ransomware, suggesting a potential revival or acquisition of the original payload.

Iranian APT Group Targets Telecom Organizations in North and East Africa

Seedworm (aka Muddywater) continues to use a combination of living-off-the-land and publicly available tools, but has also developed its own custom tools, such as a custom build of Venom Proxy and a custom keylogger.

New Campaign by Iranian APT Group Targets Middle Eastern Government

The attackers made use of legitimate tools like Plink to configure port-forwarding rules, enabling remote access via the Remote Desktop Protocol (RDP), and modified Windows firewall rules to facilitate their activities.

October 10, 2023

Previously Unseen Grayling APT Targets Multiple Organizations in Taiwan

Grayling employs a combination of custom malware and publicly available tools like Havoc, Cobalt Strike, and NetSpy to carry out its attacks, using DLL sideloading techniques and exploiting vulnerabilities like CVE-2019-0803.

Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Organization

The Budworm APT group continues to actively develop its toolset, as evidenced by its recent use of an updated version of its SysUpdate backdoor to target organizations in the Middle East and Asia.

New 3AM Ransomware Family Used As Fallback in Failed LockBit Attack

The attackers behind 3AM, which is written in the Rust programming language, engage in reconnaissance, privilege escalation, and exfiltration of sensitive data before deploying the ransomware.
