// #apt
9 articles
Velvet Ant's Operation Highland: China-Nexus APT Spent a Decade Inside an Air-Gapped Network via Auth Stack Hijack
Sygnia researchers disclosed Operation Highland, a China-nexus espionage campaign in which the Velvet Ant threat group maintained persistent, undetected access to an air-gapped enterprise network from 2016 to 2026. The group hijacked the organisation's authentication infrastructure and bridged the air gap with a modified Nginx binary and a GS-Netcat reverse shell. The case fundamentally challenges the assumption that an air gap is, by itself, an effective isolation control.
VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances
China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux systems and VMware ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. The implant uses HTTPS command and control with legitimate TLS certificates, survives reboots, and operates below the visibility of enterprise EDR.
China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting
A pattern documented across multiple China-nexus threat actors in 2025 and 2026 shows a deliberate shift from Windows endpoint compromise toward Linux-based network appliances and security devices running BSD. Devices running proprietary Linux or BSD derivatives sit at the network edge with high-privilege routing access, and they typically fall outside the enterprise's EDR coverage.
MuddyWater Spent a Week Undetected Inside South Korean Electronics Giant's Network — Nine Organisations Compromised
Iranian state-sponsored threat group MuddyWater (Seedworm) conducted a sustained intrusion campaign against a major South Korean electronics manufacturer, maintaining persistence for over a week before detection. Nine connected organisations were compromised through the electronics firm's supplier and partner network. Lateral movement used living-off-the-land techniques to evade endpoint detection.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia, and one NATO member state's foreign affairs ministry, to the China-nexus cluster SHADOW-EARTH-053, which operates the ShadowPad remote access trojan. The campaign exploits previously disclosed Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. He is the first Silk Typhoon operator to face prosecution in a US court, and the extradition sends a direct signal to MSS-affiliated cyber operators.
Tropic Trooper APT Delivers AdaptixC2 via Trojanised SumatraPDF Installer and GitHub C2 Relay
The Chinese APT group Tropic Trooper has been observed deploying the AdaptixC2 post-exploitation framework through a malicious SumatraPDF installer distributed from a convincing lookalike site. Command-and-control communications are routed through GitHub's REST API, blending malicious traffic with the high-volume legitimate developer activity that most enterprises allow through their proxies by default.
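Because the destination (api.github.com) is on the allow list, detection has to rely on how a host talks to it rather than where it talks to. As an added illustration, not code from the Tropic Trooper report or from CipherWatch, the Python script below applies a beaconing heuristic to a constructed proxy log: for each source host it measures the spacing between successive requests to api.github.com and flags hosts that call it often and on a near-fixed cadence. The log format, hostnames, repository paths and thresholds are all assumptions made for the example.

```python
"""Beacon-cadence heuristic over proxy logs. A host that calls an allow-listed
API on a fixed schedule with little jitter looks more like an implant checking
in than a developer working; this script surfaces such hosts."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not taken from the original report).
# Assumed line format: "<ISO-8601 UTC timestamp> <source host> <destination host> <path>"
SAMPLE_LOG = """\
2026-04-01T09:00:00Z dev-ws-17 api.github.com /repos/acme/frontend/pulls
2026-04-01T09:00:03Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:01:02Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:02:04Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:03:03Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:04:05Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:05:03Z ws-finance-04 api.github.com /repos/octo-notes/sync/contents/state.md
2026-04-01T09:07:41Z dev-ws-17 api.github.com /repos/acme/frontend/commits
2026-04-01T09:08:02Z dev-ws-17 api.github.com /repos/acme/frontend/pulls/412/files
2026-04-01T09:10:00Z ws-hr-02 github.com /acme/handbook
2026-04-01T09:31:15Z dev-ws-17 api.github.com /repos/acme/backend/issues
2026-04-01T09:32:00Z dev-ws-17 api.github.com /repos/acme/backend/pulls
2026-04-01T09:45:00Z ws-hr-02 api.github.com /repos/acme/handbook/readme
2026-04-01T10:10:44Z dev-ws-17 api.github.com /user/repos
2026-04-01T10:46:00Z ws-hr-02 api.github.com /repos/acme/handbook/readme
"""


def parse_log(text):
    """Yield (timestamp, src, dst, path); lines that do not fit the assumed format are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(text, dest="api.github.com", min_requests=5, max_cv=0.15):
    """Return {src: stats} for hosts whose requests to `dest` are both numerous and evenly spaced.

    cv is the coefficient of variation (stdev / mean) of the inter-request interval;
    a small cv means the requests arrive on a fixed cadence. Hosts with fewer than
    `min_requests` requests are ignored because the statistic is meaningless for them.
    """
    stamps_by_host = defaultdict(list)
    paths_by_host = defaultdict(set)
    for ts, src, dst, path in parse_log(text):
        if dst == dest:
            stamps_by_host[src].append(ts)
            paths_by_host[src].add(path)

    flagged = {}
    for src, stamps in stamps_by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            flagged[src] = {
                "requests": len(stamps),
                "mean_interval_s": avg,
                "cv": round(cv, 3),
                # A real developer touches many endpoints; an implant polling one
                # file for tasking tends to hit the same path over and over.
                "distinct_paths": len(paths_by_host[src]),
            }
    return flagged


if __name__ == "__main__":
    for host, stats in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {stats}")
```

On the constructed log only ws-finance-04 is flagged: six requests roughly a minute apart, all to the same contents endpoint, from a host with no obvious reason to use the GitHub API. The developer workstation makes as many requests but at irregular intervals and to varied paths, and the HR host is skipped because it made too few requests to judge. The heuristic is deliberately simple: post-exploitation frameworks can add jitter to their sleep interval, so in practice the cv threshold needs tuning against the environment's baseline, and the signal is far stronger when combined with host role (does this machine belong to a developer?) and with the path-diversity count than on its own.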
Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs
A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.
China-Nexus UNC6201 Exploits Dell RecoverPoint CVSS 10.0 Flaw to Deploy BRICKSTORM Backdoors
A hardcoded credentials vulnerability in Dell RecoverPoint data replication appliances (CVE-2026-22769, CVSS 10.0) has been exploited since mid-2024 by the China-nexus threat cluster UNC6201, which uses that access to deploy the BRICKSTORM and GRIMBOLT backdoors via a SLAYSTYLE web shell. CISA added the vulnerability to the KEV catalogue in February. Organisations running Dell RecoverPoint should patch immediately and hunt for indicators of compromise.
Commentary tagged #apt
Air-Gapping Is Not a Security Strategy — Operation Highland Proves It Never Has Been
Velvet Ant's ten-year persistence inside an air-gapped network is being reported as an extraordinary technical achievement. It isn't. It is a predictable consequence of substituting physical isolation for security architecture, and the organisations still treating air gaps as a primary control are making the same mistake that left an air-gapped enterprise network exposed for a decade.
CipherWatch Editorial
Security Intelligence Platform
Why China-Nexus Actors Are Targeting Network Appliances — and Why Your EDR Won't Tell You
The BRICKSTORM BSD variant developed by VerdantBamboo is not a technical curiosity. It is evidence of a deliberate strategic investment by China-nexus threat actors in precisely the attack surface that most enterprise security programmes cannot see. Appliance targeting is not the path of least resistance; it is the path of least detection.
CipherWatch Editorial
Security Intelligence Platform