{"id":56993,"date":"2024-09-02T03:06:24","date_gmt":"2024-09-02T03:06:24","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/"},"modified":"2024-09-02T03:06:24","modified_gmt":"2024-09-02T03:06:24","slug":"novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/","title":{"rendered":"Novel attack on Windows spotted in phishing campaign run from and targeting China"},"content":{"rendered":"<p>Chinese web champ Tencent&#8217;s cloud is being used by unknown attackers as part of a phishing campaign that aims to achieve persistent network access at Chinese entities.<\/p>\n<p>US-based threat detection, investigation and response tools vendor Securonix last week <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.securonix.com\/blog\/from-cobalt-strike-to-mimikatz-slowtempest\/\">claimed<\/a> to have &#8220;uncovered a covert campaign targeting Chinese-speaking users with Cobalt Strike payloads likely delivered through phishing emails. The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks.&#8221;<\/p>\n<p>Securonix threat researchers Den Iuzvyk and Tim Peck wrote that they could not determine the origin of the attack, nor the attack vector. But the pair were able to conclude that it starts with phishing mails that carry compressed Zip files titled &#8220;20240739\u4eba\u5458\u540d\u5355\u4fe1\u606f.zip&#8221; \u2013 which translates to &#8220;Personnel list information.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Clicking on that file unpacks an archive that includes a file link titled &#8220;\u8fdd\u89c4\u8fdc\u7a0b\u63a7\u5236\u8f6f\u4ef6\u4eba\u5458\u540d\u5355.docx.lnk&#8221; \u2013 &#8220;List of people who violated the remote control software regulations&#8221;.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>Iuzvyk and Peck suggested that the filenames mean the campaign likely targets &#8220;specific Chinese related business or government sectors \u2026 as they would both employ individuals who follow &#8216;remote control software regulations&#8217;.&#8221;<\/p>\n<p>Whatever the motive, clicking on that link leads to execution of code that runs from within nested directories with names that reference &#8220;MACOS.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Several directories down lurk pair of files named dui70.dll and UI.exe.<\/p>\n<p>The latter is a re-named version of a legit Windows executable named LicensingUI.exe \u2013 the tool that informs users about software licensing and activation.<\/p>\n<p>&#8220;The legitimate file is designed to import several legitimate DLL files, one of which is dui70.dll and should normally reside in C:\\Windows\\System32. However, thanks to a DLL path traversal vulnerability, any DLL containing the same name can be sideloaded upon the execution of the renamed UI.exe by the LNK file,&#8221; Securonix&#8217;s researchers wrote.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>The pair could not find reports of a DLL sideloading or hijacking technique involving LicensingUI.exe, so perhaps this is a new tactic.<\/p>\n<p>Once the UI.exe runs, a malicious DLL that is actually an implant for the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/07\/04\/europol_cobalt_strike_crackdown\/\" rel=\"noopener\">notorious Cobalt Strike attack toolkit<\/a> gets to work and injects itself into the Windows binary &#8220;runonce.exe.&#8221; That executable gives the attackers total control over a host.<\/p>\n<p>Whoever runs this campaign then deploys several other pieces of nastyware, namely:<\/p>\n<ul>\n<li><strong>fpr.exe<\/strong> \u2013 Unknown executable;<\/li>\n<li><strong>iox.exe<\/strong> \u2013 A tool for port forwarding and setting up proxied connections;<\/li>\n<li><strong>fscan.exe<\/strong> \u2013 A well-known scanner in red teaming for identifying live hosts and open ports. The output file is &#8220;result.txt&#8221;;<\/li>\n<li><strong>netspy.exe<\/strong> \u2013 A network reconnaissance tool used for capturing network traffic or scanning for network vulnerabilities. The log files are &#8220;netspy.log&#8221; and &#8220;alive.txt&#8221;;<\/li>\n<li><strong>lld.exe<\/strong> \u2013 A shellcode loader binary which in our case loaded and executed raw shellcode saved in C:\/Windows\/Temp\/tmp\/tmp.log;<\/li>\n<li><strong>xxx.txt<\/strong> \u2013 Same as tmp.log before it was renamed;<\/li>\n<li><strong>tmp.log<\/strong> \u2013 A file containing shellcode to be executed by lld.exe;<\/li>\n<li><strong>sharpdecryptpwd.exe<\/strong> \u2013 A command-line based utility that collects and dumps cached credentials from installed applications such as Navicat, TeamViewer, FileZilla, WinSCP and Xmanager;<\/li>\n<li><strong>pvefindaduser.exe<\/strong> \u2013 Used for Windows Active Directory (AD) user enumeration;<\/li>\n<li><strong>new text document.txt<\/strong> \u2013 the researchers were not able to capture this file and its action is unknown;<\/li>\n<li><strong>gogo_windows_amd64.exe<\/strong> \u2013 Seems related to an open source project &#8220;<a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/hanc00l\/nemo_go\">Nemo<\/a>&#8221; which automates enumeration tools such as Nmap, Massscan and many others. Outputs &#8220;.sock.lock&#8221; and &#8220;output.txt&#8221; files.<\/li>\n<\/ul>\n<p>The above were executed in sequence and produced plenty of info the attackers exfiltrated \u2013 presumably to inform other attacks.<\/p>\n<p>Securonix observed the attackers establishing persistent access in victim networks, and moving laterally using remote desktop protocol.<\/p>\n<p>Lifting information on Active Directory configuration is one target, public IP addresses is another.<\/p>\n<p>Securonix&#8217;s researchers wrote that all the IP addresses they observed as having been used in this attack were hosted at Tencent \u2013 including in its cloud object storage service. It&#8217;s not unusual for public clouds to find they have nasty customers, but China&#8217;s government does not look kindly upon its tech giants when they fail to safeguard the local internet.<\/p>\n<p>The security vendor has named the campaign it spotted SLOW#TEMPEST because whoever runs it is willing to lurk for a week or two in pursuit of their goals.<\/p>\n<p>Threat researchers Iuzvyk and Peck labelled the attacker &#8220;highly organized and sophisticated [and] likely orchestrated by a seasoned threat actor who had experience using advanced exploitation frameworks such as CobaltStrike and a wide range of other post-exploitation tools.&#8221;<\/p>\n<p>&#8220;The campaign&#8217;s complexity is evident in its methodical approach to initial compromise, persistence, privilege escalation and lateral movement across the network.&#8221;<\/p>\n<p>But Securonix could not find solid evidence linking this attack to any known APT groups.<\/p>\n<p>Most such groups are thought to be affiliated either with China itself, or Russia, or North Korea.<\/p>\n<p>The latter two nations are among Beijng&#8217;s closest friends. But of course those who count China as a foe could also be very interested in the kind of info this attack targets. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/09\/02\/securonix_china_slowtempest_campaign\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Resources hosted at Tencent Cloud involved in Cobalt Strike campaign Chinese web champ Tencent&#8217;s cloud is being used by unknown attackers as part of a phishing campaign that aims to achieve persistent network access at Chinese entities.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-56993","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-02T03:06:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Novel attack on Windows spotted in phishing campaign run from and targeting China\",\"datePublished\":\"2024-09-02T03:06:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/\"},\"wordCount\":847,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/\",\"name\":\"Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-09-02T03:06:24+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Novel attack on Windows spotted in phishing campaign run from and targeting China\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/","og_locale":"en_US","og_type":"article","og_title":"Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-02T03:06:24+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Novel attack on Windows spotted in phishing campaign run from and targeting China","datePublished":"2024-09-02T03:06:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/"},"wordCount":847,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/","url":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/","name":"Novel attack on Windows spotted in phishing campaign run from and targeting China 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-09-02T03:06:24+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZtWGWmzPE14ZSc-pcbu3qQAAAoY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/novel-attack-on-windows-spotted-in-phishing-campaign-run-from-and-targeting-china\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Novel attack on Windows spotted in phishing campaign run from and targeting China"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56993"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56993\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}