Claire Aird
Italy arrests a Chinese APT hacker, a Russian drone software group gets wiped, the SatanLock ransomware operation shuts down, and browser extensions power a web scraping botnet. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 9th of July and this podcast episode is brought to you by Knocknoc.

In today's top story, Italian authorities have arrested a suspected member of a Chinese APT group. 33-year-old Xu Zewei was arrested at an airport in Milan on Monday. He was detained on a U.S. arrest warrant for allegedly hacking the University of Texas in 2020. He stole information about a COVID vaccine that was being developed there. He's a suspected member of the Hafnium APT. The group is also known as Silk Typhoon, but it's unclear if Xu was involved in the group's recent hacks of U.S. critical infrastructure. The U.S. Department of Justice says Xu worked for the Chinese company Shanghai Powerock Network when he conducted the vaccine hacks.

In other news, the U.S. Treasury Department has sanctioned a member of the Andariel APT for his role in North Korean remote IT worker schemes. Sanctions were levied against Song Kum Hyok for managing groups of IT workers and providing them with stolen US identities. Sanctions were also levied against two North Korean companies that hired the workers, and a Russian national and two Russian companies that hosted them.

An unknown individual is impersonating the US Secretary of State, Marco Rubio. They contacted American and foreign officials via text messages and Signal chats. In at least two cases, the imposter left audio messages using a deepfake of Rubio's voice. According to the Washington Post, targets have included three foreign ministries, a US governor and a member of Congress.

A volunteer group that provides the Russian army with customised drone firmware has been hacked. The hackers wiped the group's servers and defaced laptops used by soldiers to reflash civilian drones. The group, known as Russian Hackers for the Front, confirmed the hack and told installers to cease operations while they investigate. The group said it found no evidence that the attackers tampered with the actual drone firmware.

Private documents from China's hacker-for-hire industry have been offered for sale on an underground forum. Two separate posts on the Dark Forums platform offered samples of the data in May, according to SpyCloud's analysis of those samples. The first set of documents is from Chinese network security firm Venustech. The second set reportedly contains details about several companies behind the Salt Typhoon APT and its government customers.

More than 1 million users have installed extensions that turn their browsers into proxies for a web scraping botnet. The extensions contain a library named Mellowtel that loads websites inside a hidden iframe. Security firm Secure Annex has found the library in 245 extensions for Chrome, Edge and Firefox. The firm believes the extensions provide the back end for the web scraping service Olostep.

A threat actor has compromised a VS Code extension used by nearly 6,000 cryptocurrency developers. The Ethcode extension was modified last month in a malicious GitHub commit. ReversingLabs says the attacker added a new dependency that would allow them to run malicious code. The Ethcode extension is typically used for Ethereum smart contract development.

More than 2.3 million Chrome and Edge users have installed malicious extensions that track their activity and could hijack their browsers. The extensions pose as entertainment and productivity tools and are still available through both official browser stores. The extensions were once legitimate but have been updated over time to include backdoor features. The attackers behind the campaign have not yet activated the hijack capability.

A network of more than 17,000 websites is impersonating trusted media organisations to send visitors to scam sites. The Baiting Trap network lures victims through social media posts, YouTube videos, and Google and Meta ads. The bogus sites collect personal information and attempt to hijack crypto accounts.

Dutch authorities have arrested five members of a phishing gang. Four of the suspects are teenagers and the youngest is 14. The group operated out of the city of Lelystad. They used QR codes sent via email to collect login credentials for local banks.

Iranian hacking group Pay2Key has returned with a revamped ransomware-as-a-service platform. The group relaunched in February this year and is believed to have already collected more than $4 million in ransoms. Pay2Key said it's upgraded its software since 2020, when it launched data-wiping attacks against Israeli organisations. According to security firm Morphisec, the group is recruiting members of the Russian and Chinese ransomware ecosystems to attack enemies of Iran.

The SatanLock ransomware group has shut down operations and said it will publish all its stolen data. The group launched in April and listed more than 70 victims on its dark web leak site. SatanLock did not say why it shut down.

Default installations of the SailPoint identity platform have a hard-coded encryption key that can be used to run malicious code, according to security firm NetSPI. The key is in the component that integrates with Windows environments. SailPoint addressed the issue in its May security updates.

Spyware has infected more than 100 users at Russian industrial organisations. The Batavia spyware has been used in campaigns against Windows systems in Russia since last July. Kaspersky says the malware is used to steal sensitive documents from infected organisations.

A new attack can hijack user interactions on Android smartphones. The TapTrap attack was developed by a team of academics. It tricks users into interacting with an invisible application, such as system settings or a crypto wallet. It does this by displaying a game or other interactive feature beneath the invisible app. While the victim believes they're clicking on the game, they're actually doing the attacker's bidding.

And finally, a team of academics has published details on a new attack against TLS connections. The Opossum attack requires an attacker-in-the-middle position. It could be leveraged for session fixation, resource confusion and cookie leaks. Researchers say that while the attack is reliable, its prerequisites are rarely met.

And that is all for this podcast edition. Today's show was brought to you by Knocknoc. Find them at knocknoc.io. Thanks for your company.
Risky Bulletin: Chinese APT Member Arrested in Italy
Episode Release Date: July 9, 2025
Host: Claire Aird
Prepared by: Catalin Cimpanu
Source: Risky Business Team
In the episode's lead story, Claire Aird reports on the arrest of a suspected member of a Chinese Advanced Persistent Threat (APT) group:
“Italian authorities have arrested a suspected member of a Chinese APT group. 33-year-old Xu Zewei was arrested at an airport in Milan on Monday.” [00:04]
Xu Zewei was detained on a U.S. arrest warrant for allegedly hacking the University of Texas in 2020 and stealing information about a COVID-19 vaccine being developed there. He is believed to be a member of the Hafnium APT, also known as Silk Typhoon. It is unclear whether he had any role in the group's more recent intrusions into U.S. critical infrastructure; the U.S. Department of Justice says Xu worked for the Chinese company Shanghai Powerock Network at the time of the vaccine-related hacks.
The U.S. Treasury Department has sanctioned a member of the Andariel APT over North Korea's remote IT worker schemes:
“Sanctions were levied against Song Kum Hyok for managing groups of IT workers and providing them with stolen US identities.” [00:04]
Song Kum Hyok was sanctioned for managing groups of North Korean IT workers and supplying them with stolen U.S. identities. The sanctions also cover two North Korean companies that employed the workers, and a Russian national and two Russian companies that hosted them.
An unknown individual is impersonating the U.S. Secretary of State, Marco Rubio:
“An unknown individual is impersonating the US Secretary of State Marco Rubio... leaving audio messages using a deepfake of Rubio's voice.” [00:04]
The impersonator contacted American and foreign officials through text messages and Signal chats, and in at least two cases left voice messages generated with a deepfake of Rubio's voice. According to the Washington Post, targets included three foreign ministries, a U.S. governor, and a member of Congress.
Russian Hackers for the Front, a volunteer group that supplies the Russian army with customized drone firmware, has been hacked:
“The hackers wiped the group's servers and defaced laptops used by soldiers to reflash civilian drones.” [00:04]
The group confirmed the breach and told its installers to halt operations while it investigates. It said it found no evidence that the attackers had tampered with the drone firmware itself.
Private documents from China's hacker-for-hire industry have been offered for sale on an underground forum:
“Private documents from China's hacker for hire industry have been offered for sale on an underground forum.” [00:04]
Two separate posts on the Dark Forums platform offered samples of the data in May. According to SpyCloud's analysis of those samples, the first set consists of documents from the Chinese network security firm Venustech, while the second reportedly contains details about several companies behind the Salt Typhoon APT and their government customers.
More than 1 million users have installed browser extensions that turn their browsers into proxies for a web scraping botnet:
“More than 1 million users have installed extensions that turn their browsers into proxies for a web scraping botnet.” [00:04]
The extensions embed a library named Mellowtel, which loads third-party websites inside a hidden iframe, so the scraping traffic originates from the installing user's browser and IP address rather than from the operator's infrastructure. Secure Annex found the library in 245 extensions for Chrome, Edge, and Firefox, and believes the extensions serve as the back end for the web scraping service Olostep.
The Ethcode VS Code extension, used by nearly 6,000 cryptocurrency developers for Ethereum smart contract development, has been compromised:
“A threat actor has compromised a VS code extension used by nearly 6,000 cryptocurrency developers.” [00:04]
According to ReversingLabs, a malicious GitHub commit last month added a new dependency to the extension that would let the attacker run code of their choosing. Developers who updated to the modified version ran that attacker-controlled dependency on their own development machines.
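The Ethcode compromise worked by adding a dependency in an otherwise ordinary commit. As an added example (not Ethcode's code or ReversingLabs' tooling), the script below diffs the dependency sections of two revisions of a package.json and returns a review verdict, so a reviewer or CI job can refuse to merge a commit that silently introduces a package. The two manifests and the package name `helper-utils-x` are constructed for the example and are not the real dependency from the Ethcode commit.

```python
"""Flag dependency additions between two revisions of a package.json.

Added example, not code from the Ethcode project: the BEFORE/AFTER manifests
below are constructed, and "helper-utils-x" is a placeholder name, not the
dependency the real attacker added.
"""
import json

# Constructed sample manifests. In practice obtain them with, for example,
#   git show HEAD~1:package.json   and   git show HEAD:package.json
BEFORE = json.dumps({
    "name": "example-vscode-extension",
    "version": "1.0.0",
    "dependencies": {"ethers": "^6.7.0", "solc": "^0.8.20"},
    "devDependencies": {"typescript": "^5.3.0"},
})

AFTER = json.dumps({
    "name": "example-vscode-extension",
    "version": "1.0.1",
    "dependencies": {"ethers": "^6.7.0", "solc": "^0.8.20", "helper-utils-x": "1.2.3"},
    "devDependencies": {"typescript": "5.4.0"},
})

# Every section npm will install from; a malicious package can hide in any of them.
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def collect_dependencies(manifest_text):
    """Return {package_name: version_spec} across all dependency sections."""
    manifest = json.loads(manifest_text)
    deps = {}
    for section in SECTIONS:
        deps.update(manifest.get(section, {}))
    return deps


def diff_dependencies(before_text, after_text):
    """Compare two manifests and report added, removed and re-pinned packages."""
    before = collect_dependencies(before_text)
    after = collect_dependencies(after_text)
    added = {name: after[name] for name in after.keys() - before.keys()}
    removed = {name: before[name] for name in before.keys() - after.keys()}
    changed = {
        name: (before[name], after[name])
        for name in before.keys() & after.keys()
        if before[name] != after[name]
    }
    return {"added": added, "removed": removed, "changed": changed}


def review_verdict(diff):
    """'block' on any new package, 'review' on version or removal changes, else 'ok'.

    A new package is the Ethcode pattern: code that nobody on the project has
    read gets pulled into the build, so it should never merge without a human
    looking at the package itself, not just the one-line manifest change.
    """
    if diff["added"]:
        return "block"
    if diff["changed"] or diff["removed"]:
        return "review"
    return "ok"


if __name__ == "__main__":
    result = diff_dependencies(BEFORE, AFTER)
    print(json.dumps(result, indent=2))
    print("verdict:", review_verdict(result))
```

The verdict is deliberately strict: a newly added package always blocks, even when the rest of the commit looks harmless, because the manifest line tells you nothing about what the package's install scripts or entry point will execute. Pair this with a lockfile check, since a dependency added only to package-lock.json would not appear here.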
More than 2.3 million Chrome and Edge users have installed malicious extensions that pose as entertainment and productivity tools:
“More than 2.3 million Chrome and Edge users have installed malicious extensions that track their activity and could hijack their browsers.” [00:04]
The extensions were once legitimate but have been updated over time to include backdoor features, and they remain available in both official browser stores. The operators have not yet activated the browser hijack capability, but because it ships in the installed code they can switch it on with a later update.
A network of more than 17,000 websites is impersonating trusted media organizations to funnel visitors to scam sites:
“The Baiting Trap network lures victims through social media posts, YouTube videos and Google and Meta ads.” [00:04]
The bogus sites collect visitors' personal information and attempt to hijack their cryptocurrency accounts.
Dutch authorities have arrested five members of a phishing gang, four of them teenagers:
“Dutch authorities have arrested five members of a phishing gang. Four of the suspects are teenagers and the youngest is 14.” [00:04]
The group operated out of Lelystad and used QR codes sent via email to collect login credentials for local banks. Delivering the link as a QR code image rather than as text is a common way to get past email filters that only inspect URLs, and it moves the victim onto a phone where the phishing page is harder to inspect.
The Iranian hacking group Pay2Key has returned with a revamped ransomware-as-a-service platform:
“Iranian hacking group Pay2Key has returned with a revamped ransomware as a service platform.” [00:04]
The group relaunched in February and is believed to have already collected more than $4 million in ransoms. Pay2Key says it has upgraded its software since 2020, when it ran data-wiping attacks against Israeli organizations. According to Morphisec, the group is recruiting from the Russian and Chinese ransomware ecosystems to attack enemies of Iran.
The SatanLock ransomware group has shut down:
“The SatanLock ransomware group has shut down operations and said it will publish all its stolen data.” [00:04]
The group launched in April and listed more than 70 victims on its dark web leak site. It did not say why it shut down.
A hard-coded encryption key in the SailPoint identity platform can be used to run malicious code:
“Default installations of the SailPoint identity platform have a hard coded encryption key that can be used to run malicious code.” [00:04]
According to NetSPI, the key ships in the component that integrates the platform with Windows environments, so any default installation shares the same secret and an attacker who knows it can forge data the component trusts. SailPoint addressed the issue in its May security updates; installations that have not applied them remain exposed.
Spyware has infected more than 100 users at Russian industrial organizations:
“Spyware has infected more than 100 users at Russian industrial organisations.” [00:04]
Kaspersky says the Batavia spyware has been used against Windows systems in Russia since July of last year and is used to steal sensitive documents from infected organizations.
A new attack called TapTrap can hijack user interactions on Android smartphones:
“A new attack can hijack user interactions on Android smartphones.” [00:04]
Developed by a team of academics, TapTrap tricks the user into interacting with an invisible application, such as system settings or a crypto wallet, by displaying a game or other interactive content beneath it. The victim believes they are tapping on the game, but the taps land on the invisible app and carry out the attacker's actions.
Academics have published details of the Opossum attack against TLS connections:
“A team of academics has published details on a new attack against TLS connections.” [00:04]
The attack requires an attacker-in-the-middle position between client and server. It can be leveraged for session fixation, resource confusion, and cookie leaks, but the researchers note that while the attack is reliable, its prerequisites are rarely met, which limits its practical impact.
Conclusion
The Risky Bulletin episode of July 9, 2025 covers the arrest of a suspected APT member, sanctions and impersonation cases, ransomware groups launching and shutting down, browser extension and developer tool supply chain compromises, and new academic attacks on Android and TLS.
Audio and content credits belong to Risky Business Team. For more updates, subscribe to Risky Bulletin on your preferred podcast platform.