Risky Bulletin: Chinese APT Member Arrested in Italy
Episode Release Date: July 9, 2025
Host: Claire Aird
Prepared by: Catalyn Kim Panu
Source: Risky Business Team
1. Arrest of Chinese APT Member in Italy
In the episode's lead story, Claire Aird reports on the arrest of a suspected member of a Chinese Advanced Persistent Threat (APT) group:
“Italian authorities have arrested a suspected member of a Chinese APT group. 33-year-old Xu Zewei was arrested at an airport in Milan on Monday.” [00:04]
Xu Zewei was detained on a U.S. arrest warrant for allegedly hacking the University of Texas in 2020 and stealing information related to the development of a COVID-19 vaccine. He is believed to be a member of the Hafnium APT, also known as Silk Typhoon. While his exact role in recent Hafnium attacks on U.S. critical infrastructure remains unclear, the U.S. Department of Justice confirmed that Xu worked for the Chinese company Shanghai PowerRock Network at the time of the vaccine-related intrusions.
2. U.S. Treasury Sanctions on North Korean and Russian Entities
The U.S. Treasury Department has extended its sanctions to include members and affiliates of the Andariel APT:
“Sanctions were levied against Song Kum Hyok for managing groups of IT workers and providing them with stolen US identities.” [00:04]
Song Kum Hyok was sanctioned for his role in orchestrating North Korea's remote IT worker schemes. The sanctions also cover two North Korean companies that employed these workers, as well as a Russian national and two Russian companies that provided hosting services.
3. Impersonation of U.S. Secretary of State Marco Rubio
A concerning case of identity theft involves an individual impersonating the U.S. Secretary of State, Marco Rubio:
“An unknown individual is impersonating the US Secretary of State Marco Rubio... leaving audio messages using a deepfake of Rubio's voice.” [00:04]
The impersonator has contacted both American and foreign officials through text messages and Signal chats, and in at least two instances used deepfake audio to mimic Rubio's voice. The Washington Post reports that targets include three foreign ministries, a U.S. governor, and a member of Congress.
4. Hacking of Russian Drone Firmware Group
The Russian Hackers for the Front, a volunteer group providing customized drone firmware to the Russian army, has fallen victim to a sophisticated cyberattack:
“The hackers wiped the group's servers and defaced laptops used by soldiers to reflash civilian drones.” [00:04]
In response, the group instructed its installers to halt operations while they conduct an investigation. Importantly, they found no evidence that the attackers had tampered with the actual drone firmware.
5. Sale of Chinese Hacker-for-Hire Documents on Dark Forums
Sensitive documents related to China's hacker-for-hire industry have surfaced on underground platforms:
“Private documents from China's hacker for hire industry have been offered for sale on an underground forum.” [00:04]
Analysis by SpyCloud identified two separate posts on the Dark Forums platform in May. The first set comprises documents from the Chinese network security firm Venustech, while the second set includes details about several companies linked to the Salt Typhoon APT and its government clients.
6. Browser Extensions Exploited for Web Scraping Botnet
A significant cybersecurity threat involves over 1 million users unwittingly participating in a web scraping botnet through malicious browser extensions:
“More than 1 million users have installed extensions that turn their browsers into proxies for a web scraping botnet.” [00:04]
These extensions embed a library named Mellowtel, which loads websites inside a hidden iframe. Secure Annex identified the library in 245 extensions across Chrome, Edge, and Firefox and linked it to the backend of the web scraping service Olostep.
7. Compromise of VS Code Extension Targeting Cryptocurrency Developers
The Ethcode VS Code extension, widely used by Ethereum smart contract developers, has been compromised:
“A threat actor has compromised a VS Code extension used by nearly 6,000 cryptocurrency developers.” [00:04]
Last month, a malicious GitHub commit added a new dependency through which harmful code is executed. The breach puts at risk the integrity of Ethereum smart contracts built with the compromised extension.
8. Proliferation of Malicious Browser Extensions
Over 2.3 million Chrome and Edge users have installed malicious extensions masquerading as entertainment and productivity tools:
“More than 2.3 million Chrome and Edge users have installed malicious extensions that track their activity and could hijack their browsers.” [00:04]
These extensions initially appeared legitimate but gradually gained backdoor functionality. While the hijacking capability is currently inactive, it could be switched on at any time.
9. Massive Impersonation Network Leading to Scam Sites
A network exceeding 17,000 websites is actively impersonating reputable media organizations to funnel visitors into scam sites:
“The bait trap network lures victims through social media posts, YouTube videos and Google and Meta ads.” [00:04]
The fraudulent sites aim to harvest personal information and attempt to seize control of cryptocurrency accounts, posing a significant threat to online security and financial assets.
10. Arrests of Dutch Phishing Gang Members
Dutch authorities have successfully dismantled a phishing operation by arresting five suspects, including four teenagers:
“Dutch authorities have arrested five members of a phishing gang. Four of the suspects are teenagers and the youngest is 14.” [00:04]
Operating from Lelystad, the group sent QR codes via email to harvest login credentials for local banks, highlighting the increasing involvement of minors in cybercrime.
11. Revival of Iranian Ransomware Group Pay2Key
The Iranian hacking group Pay2Key has relaunched its ransomware-as-a-service platform:
“Iranian hacking group Pay2Key has returned with a revamped ransomware as a service platform.” [00:04]
Since its relaunch in February, Pay2Key has reportedly collected over $4 million in ransoms. According to Morphisec, the group is now recruiting members from the Russian and Chinese ransomware ecosystems to target Iran's adversaries.
12. Shutdown of SatanLock Ransomware Operations
The SatanLock ransomware group has ceased its activities:
“The SatanLock ransomware group has shut down operations and said it will publish all its stolen data.” [00:04]
Since launching in April, SatanLock had listed over 70 victims on its dark web leak site. The group gave no reason for the abrupt shutdown.
13. Vulnerability in SailPoint Identity Platform
A critical vulnerability has been identified in the SailPoint identity platform:
“Default installations of the SailPoint identity platform have a hard-coded encryption key that can be used to run malicious code.” [00:04]
NetSPI found that the hard-coded key resides in the component that integrates with Windows environments. SailPoint addressed the issue in its May security updates and urges customers to apply the patches promptly.
14. Batavia Spyware Targets Russian Industrial Organizations
More than 100 users within Russian industrial sectors have been infected with Batavia spyware:
“Spyware has infected more than 100 users at Russian industrial organisations.” [00:04]
According to Kaspersky, Batavia has been used since July of last year in campaigns against Windows systems in Russia, primarily to exfiltrate sensitive documents.
15. New TapTrap Attack on Android Smartphones
A novel attack, termed TapTrap, poses a new threat to Android device users:
“A new attack can hijack user interactions on Android smartphones.” [00:04]
Developed by academic researchers, TapTrap shows the user a benign interface, such as a game, while an invisible application sits on top of it. The user's taps therefore land on the hidden app and carry out the attacker's actions, potentially compromising sensitive applications such as system settings or cryptocurrency wallets.
16. Discovery of the Opossum Attack on TLS Connections
Academics have unveiled the Opossum attack, which targets TLS connections:
“A team of academics has published details on a new attack against TLS connections.” [00:04]
The attack requires the adversary to be positioned between the communicating parties. While it can enable session fixation, resource confusion, and cookie leaks, the researchers note that the necessary conditions are seldom met, which limits its practical applicability.
Conclusion
The Risky Bulletin episode dated July 9, 2025, covers a broad set of cybersecurity developments, including arrests of APT members, phishing schemes, ransomware developments, and emerging threats to both individuals and organizations. With threats evolving rapidly, the episode underscores the need for continuous vigilance and proactive security measures.
Audio and content credits belong to Risky Business Team. For more updates, subscribe to Risky Bulletin on your preferred podcast platform.
