During recent daily operations, the QiAnXin Threat Intelligence Center discovered that the new OceanLotus group, which we have been continuously tracking since mid-2022, has begun to re-activate and is using a new tactic of MSI file misuse.
Even though the MSI TRANSFORMS technique was theoretically disclosed in 2022, this is the first time that QiAnXin researchers have ever captured an APT campaign targeting a domestic governmental enterprise. The researchers currently divide the APT-Q-31 (OceanLotus) group into two attack sets, after they have observed for a long time that the old and new OceanLotus carry out espionage activities against the country alternately every year through rounds of warfare, and that the two attack sets have completely different TTPs, but share attack resources. The last time the new OceanLotus group was active was at the end of 2023, so far it has been exactly one year.
Read more…
Source: QiAnXin Threat Intelligence Center
Related:
- Password manager Dashlane says hackers stole some customers’ password vaults
June 2, 2026
Password manager maker Dashlane says hackers have obtained at least a dozen encrypted vaults used for storing customer passwords during a weekend cyberattack. The company said on its website that hackers brute-forced the company’s two-factor authentication system, granting the hackers access to about 20 customer accounts. By defeating its two-factor mechanism, the hackers were able to download a copy of ...
- Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
June 2, 2026
Palo Alto Unit 42 are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. In recent months, the financially-motivated attackers behind these campaigns transitioned from delivering standard adware, to delivering adware with full backdoor ...
- Russian spy agency says foreign spies turned officials’ smartphones into surveillance devices
June 2, 2026
Russia’s domestic spy agency says it has uncovered a sprawling foreign espionage operation that allegedly turned the smartphones of senior Russian officials into pocket-sized surveillance devices, though it has so far offered little in the way of evidence. In a statement Tuesday, the Federal Security Service (FSB) claimed foreign intelligence agencies implanted malware on the mobile devices ...
- Fake virus alerts are invading mobile games
June 2, 2026
Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere: “Your device is infected!” “Your iCloud is full!” “Your account is restricted for watching porn!” Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or ...
- Palo Alto VPN bug graduates from advisory to active exploitation
June 1, 2026
Palo Alto customers are being been told to patch yet another internet-facing security flaw after researchers caught attackers bypassing GlobalProtect authentication and gaining unauthorized VPN access. The flaw, tracked as CVE-2026-0257, affects PAN-OS deployments using GlobalProtect authentication override cookies under specific configurations. Read more… Source: The Register Sign up for the Cyber Security Review Newsletter The latest cyber security news and ...
- Grand Theft Auto V cheat service gets hacked, exposing thousands of gamers
June 1, 2026
Atlas Menu, a cheat service for popular online video game Grand Theft Auto V, has been hacked, according to data breach notification website Have I Been Pwned. The stolen data included users’ email addresses, usernames, scrambled passwords, IP addresses, and support tickets, according to Have I Been Pwned, which said almost 64,000 accounts were part of the ...