// #espionage
4 articles
Velvet Ant's Operation Highland: China-Nexus APT Spent a Decade Inside an Air-Gapped Network via Auth Stack Hijack
Sygnia researchers disclosed Operation Highland, a China-nexus espionage campaign in which the Velvet Ant threat group maintained persistent, undetected access to an air-gapped enterprise network from 2016 to 2026 by hijacking authentication infrastructure and bridging the isolation via a modified Nginx binary and GS-Netcat reverse shell. The case fundamentally challenges the security model of air-gapping as an isolation control.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
China-Nexus UNC6201 Exploits Dell RecoverPoint CVSS 10.0 Flaw to Deploy BRICKSTORM Backdoors
A hardcoded credentials vulnerability in Dell RecoverPoint data replication appliances (CVE-2026-22769, CVSS 10.0) has been exploited since mid-2024 by the China-nexus threat cluster UNC6201, who use access to deploy BRICKSTORM and GRIMBOLT backdoors via a SLAYSTYLE web shell. CISA added the vulnerability to the KEV catalogue in February. Organisations running Dell RecoverPoint should patch immediately and hunt for indicators of compromise.