The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns

Type A – Shared infection vector (Loose coordination)

This type involves the deployment of backdoors through web shells, exploitation of vulnerable public facing servers, and similar initial access techniques. In such cases, any observed coordination between intrusion sets is likely incidental rather than intentional.

Recently, Cisco Talos researchers have also reported on similar activity, reinforcing the prevalence of this technique. However, due to the loose operational structure, we assess that it remains difficult to determine whether any genuine collaboration or intentional access sharing has occurred in cases involving compromised public-facing servers.

Type B – Coordinated supply chain attack (Strict coordination)

This type involves collaboration through supply chain attacks. As highlighted in ESET’s report, we assess that it is unlikely for unrelated intrusion sets to independently distribute backdoors via the same compromised supply chain vendor without some level of prior collaboration or shared intent.

Type C – Deployment of a payload attributed to a different intrusion set (Strict coordination)

Group X actively assists Group Y in deploying its backdoors within an internal network. To our knowledge, this is an unprecedented event in China-aligned APT groups. The case we detailed at the beginning of this report belongs to this category. In September 2025, ESET published a report discussing some collaboration between Gamaredon and Turla, two Russia-aligned intrusion sets. Based on the public reporting, it seems that PteroOdd and PteroPaste, two custom malware families attributed to Gamaredon, deployed Kazuar, a malware attributed to Turla. We cannot confirm those statements, but if they prove to be true, this would be categorized in this Type C category.

Type D – Provision of an operational box (Strict coordination)

An evolution of Type C, Group X sets up an “operational box” for Group Y and abuses cloud services for C&C network communications. That way, it is not possible to base on network indicators for attribution. An example of this is the usage of VSCode remote tunnel feature as a RAT. We believe this type represents the most advanced collaboration model observed to date. This level of access sharing makes it very difficult to determine the identity of the actor behind the “operation box” if threat actor shared access with others.

The above summarizes the types of collaborative attacks we have observed so far. In the first section of this report, we presented real-world cases related to the Type C category. 

Read More HERE