Showboat is a China-linked Linux post-exploitation framework aimed at telecom providers. The lesson for defenders: treat Linux server persistence, dynamic linker abuse, and low-noise C2 as first-class monitoring priorities.
Velvet Ant’s Operation Highland shows why PAM, OpenSSH, jump hosts, and proxy paths deserve the same defensive priority as identity providers and domain controllers.
Proofpoint’s TA4922 reporting shows how localized HR, payroll, tax, and invoice lures can become full initial-access infrastructure through DLL sideloading, loaders, RATs, RMM tools, and browser credential theft.
Mustang Panda’s fake browser updater chain shows why defenders still need to hunt LNK-to-PowerShell execution, DLL sideloading, user-context persistence, and suspicious HTTPS beaconing.
Lumen and PwC reporting on Showboat, Red Lamassu, and JFMBackdoor shows how China-linked telecom intrusions combine Linux footholds, proxying, and Windows backdoors. Here is what SMBs and government contractors should harden now.
Unit 42 researchers have uncovered a sophisticated Chinese espionage campaign, designated CL-STA-1087, that has been systematically targeting military organizations across Southeast Asia since at least 2020. The state-sponsored operation demonstrates exceptional operational patience and deploys previously undocumented malware tools designed for long-term intelligence collection against regional defense forces. Executive Summary The investigation reveals a methodical…
A critical zero-day vulnerability in the TrueConf video conferencing platform is being actively exploited in a sophisticated espionage campaign targeting government entities across Southeast Asia. Check Point Research has uncovered Operation TrueChaos, a targeted attack campaign weaponizing CVE-2026-3502 (CVSS 7.8) to compromise dozens of government agencies through a single compromised TrueConf server. The campaign deploys…
A months-long investigation by Rapid7 Labs has exposed a sophisticated state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, which has embedded some of the most covert digital sleeper cells ever documented inside global telecommunications infrastructure. Why It Matters Telecommunications networks carry government communications, authenticate subscriber identities, coordinate critical industries, and process signaling flows…
A comprehensive investigation by Rapid7 Labs has exposed a sophisticated, state-sponsored espionage campaign by the China-nexus threat actor Red Menshen, revealing one of the most covert digital sleeper cell operations ever documented within global telecommunications infrastructure. The campaign represents a deliberate shift from opportunistic hacking to long-term pre-positioning within the very backbone networks that underpin…
Google Threat Intelligence Group (GTIG) has disrupted a massive global cyber espionage campaign targeting telecommunications and government organizations across 42 countries. The threat actor, tracked as UNC2814, is a suspected People’s Republic of China (PRC)-nexus cyber espionage group that GTIG has monitored since 2017. The attacker deployed a novel backdoor called GRIDTIDE that abuses Google…
