News brief: China-linked APTs and Russian access broker

Check out the latest security news from the Informa TechTarget team.

This news brief roundup highlights the latest developments of China-linked advanced persistent threat groups as well as the activities of a Russian cybercrime entity.

Weaver Ant: A China-nexus APT exposed

Researchers uncovered a yearslong web shell attack orchestrated by a China-nexus APT group dubbed Weaver Ant. Security service provider Sygnia released insights into the group's tactics, techniques and procedures (TTPs) after detecting it in the middle of a cyberattack against a telecom in Asia.

The report indicated that Weaver Ant has demonstrated high levels of persistence and adaptability, adjusting its TTPs to evade detection. Sygnia researchers provided recommendations for hunting and defending against Weaver Ant and similar multilayered attacks, including relevant logging and monitoring, implementing strong access control measures, and deploying threat detection and response technologies.

Read the full story by Alexander Culafi on Dark Reading.

iSoon: Unveiling a Chinese espionage hacker group

Researchers uncovered a widespread espionage campaign dubbed FishMedley, carried out by a threat group known as FishMonger for the Chinese government. FishMonger, also known as Aquatic Panda, was working for the Chinese APT contractor iSoon. The hacker-for-hire operation, posing as a cybersecurity training company, was uncovered last year as a known contractor for the Chinese government.

ESET researchers have now released details of the FishMedley campaign, which targeted government and nongovernment organizations in Taiwan, Hungary, Turkey, Thailand, the U.S., France and other countries. While not known for its sophisticated TTPs, FishMonger was noted by researchers for its efficiency in achieving its mission of stealing confidential data.

Read the full story by Becky Bracken on Dark Reading.

Russian access broker: A cybercrime conduit

Researchers revealed details about an initial access broker (IAB) known as Raspberry Robin that is facilitating attacks on behalf of the highest levels of the Russian government.

Analysts from Silent Push, a cyberintelligence company, explained in a report how the IAB evolved from its 2019 beginnings, when it infected targets through malicious USB drives, to its current use of more advanced tactics, such as compromised network-attached storage boxes, routers and IoT devices, along with sophisticated malware obfuscation techniques. Raspberry Robin also expanded its targeting from manufacturing and technology organizations to include government agencies in Latin America, Australia and Europe, as well as victims across the oil and gas, transportation, retail and education sectors.

Read the full story by Becky Bracken on Dark Reading.