Lifeboat Foundation: Safeguarding Humanity
Toggle light / dark theme

Blog

Category: cybercrime/malcode

New China-linked hackers breach telcos using edge device exploits

A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.

Tracked internally by Cisco Talos as UAT-7290, the actor shows strong China nexus indicators and typically focuses on telcos in South Asia in cyber-espionage operations.

Active since at least 2022, the UAT-7290 group also serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during the attacks, which is then utilized by other China-aligned threat actors.

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe.

The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop, DriveSwitch, and SilentRaid, according to a Cisco Talos report published today.

“In addition to conducting espionage-focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques, and procedures (TTPs) and tooling suggest that this actor also establishes Operational Relay Box (ORBs) nodes,” researchers Asheer Malhotra, Vitor Ventura, and Brandon White said.

Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches

The malware establishes contact with a hard-coded remote server (“sbido[.]com:2869”), allowing it to steal web browser data, log keystrokes, extract clipboard contents, and other valuable information from the compromised host.

CNCERT/CC and ThreatBook noted that the Black Cat cybercrime syndicate has compromised about 277,800 hosts across China between December 7 and 20, 2025, with the highest daily number of compromised machines within the country scaling a high of 62,167.

To mitigate the risk, users are advised to refrain from clicking on links from unknown sources and stick to trusted sources for downloading software.

New GoBruteforcer attack wave targets crypto, blockchain projects

A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples.

GoBrutforcer is also known as GoBrut. It is a Golang-based botnet that typically targets exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services.

The malware often relies on compromised Linux servers to scan random public IPs and carry out brute-force login attacks.

Solving quantum computing’s longstanding ‘no cloning’ problem with an encryption workaround

A team of researchers at the University of Waterloo have made a breakthrough in quantum computing that elegantly bypasses the fundamental “no cloning” problem. The research, “Encrypted Qubits can be Cloned,” appears in Physical Review Letters.

Quantum computing is an exciting technological frontier, where information is stored and processed in tiny units—called qubits. Qubits can be stored, for example, in individual electrons, photons (particles of light), atoms, ions or tiny currents.

Universities, industry, and governments around the world are spending billions of dollars to perfect the technology for controlling these qubits so that they can be combined into large, reliable quantum computers. This technology will have powerful applications, including in cybersecurity, materials science, medical research and optimization.

Kimwolf Android botnet abuses residential proxies to infect internal devices

The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks.

Researchers observed increased activity for the malware since last August. Over the past month, Kimwolf has intensified its scanning of proxy networks, searching for devices with exposed Android Debug Bridge (ADB) services.

Common targets are Android-based TV boxes and streaming devices that allow unauthenticated access over ADB. Compromised devices are primarily used in distributed denial-of-service (DDoS) attacks, proxy resale, and monetizing app installations via third-party SDKs like Plainproxies Byteconnect.

Cloud file-sharing sites targeted for corporate data theft attacks

A threat actor known as Zestix has been offering to sell corporate data stolen from dozens of companies likely after breaching their ShareFile, Nextcloud, and OwnCloud instances.

According to cybercrime intelligence company Hudson Rock, initial access may have been obtained through credentials collected by info-stealing malware such as RedLine, Lumma, and Vidar deployed on employee devices.

The three infostealers are usually distributed through malvertising campaigns or ClickFix attacks. This type of malware commonly targets data stored by web browsers (credentials, credit cards, personal info), messaging apps, and cryptocurrency wallets.

/* */