Chinese State-Backed Espionage Campaign Breached Global Service Providers and Customer Networks
Australia’s ACSC and CISA warned that Chinese state-sponsored actors compromised networks worldwide as part of a broad espionage operation that targeted IT service providers and then leveraged that access to reach downstream customer environments. U.S. government reporting tied the activity to Chinese cyber actors associated with the Ministry of State Security, describing a long-running campaign that stole intellectual property and sensitive data from organizations across at least 12 countries and sectors including information technology, energy, healthcare, communications, and critical manufacturing.
The intrusions relied on stolen administrative credentials, abuse of digital certificates, and post-compromise tooling including PowerShell, PowerSploit, REDLEAVES, and PLUGX to maintain persistence and move laterally. Authorities said the malware used techniques such as DLL side-loading, in-memory execution, and RC4-encrypted command-and-control over port 443, including spoofed domains masquerading as Windows update infrastructure, and urged defenders to strengthen privileged account protections, network segmentation, logging, and monitoring for suspicious administrative share activity and protocol mismatches.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ACSC and partners issue advisory on Chinese state-sponsored network compromises
The Australian Cyber Security Centre published a joint advisory warning about Chinese state-sponsored actors compromising networks worldwide to support a global espionage system. The advisory reflects coordinated government disclosure and response to the campaign.
U.S. government attributes long-running espionage campaign to Chinese MSS-linked actors
The alert was later updated to reflect U.S. government attribution of the long-running cyber-espionage campaign to Chinese cyber actors associated with the Chinese Ministry of State Security. This attribution tied the previously documented intrusions to Chinese state-sponsored operators.
US-CERT publishes alert on multi-sector intrusions
US-CERT published alert TA17-117A describing intrusions affecting multiple victims across multiple sectors. The alert documented tactics including stolen administrative credentials, PowerShell and PowerSploit use, DLL side-loading, and malware such as REDLEAVES and PLUGX, along with indicators of compromise and mitigation guidance.
Chinese cyber actors begin broad intrusions via IT service providers
Since at least May 2016, Chinese state-linked cyber actors began compromising global and U.S. IT service providers and then accessing their customers' networks to steal intellectual property and sensitive data. The campaign affected organizations across at least 12 countries and multiple sectors, including IT, energy, healthcare, communications, and critical manufacturing.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System | Cyber.gov.au
cyber.gov.au
Open sourceIntrusions Affecting Multiple Victims Across Multiple Sectors | CISA
cisa.gov
Open sourceIntrusions Affecting Multiple Victims Across Multiple Sectors | CISA
us-cert.gov
Open sourceCisa
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chinese Espionage Campaign Breached Middle East Telcos via Exchange Servers
Chinese state-linked attackers infiltrated telecommunications providers in the Middle East after compromising internet-facing Microsoft Exchange servers, according to SentinelLABS and QGroup. The intrusions, first observed in early 2023, used webshell-based command execution to establish access and then expanded into reconnaissance, credential theft, lateral movement, and staging for data exfiltration. Researchers assessed the activity as highly likely tied to a Chinese cyberespionage actor associated with **Operation Soft Cell**, with **Gallium** judged a likely participant and possible links to **APT41** or shared tooling among Chinese state-sponsored groups. A key element of the campaign was **`mim221`**, a custom credential-theft framework derived from **Mimikatz** and built to steal credentials from **LSASS** while reducing detection opportunities. SentinelLABS said the malware chain used reflective loading, abuse of LSASS security packages, and selective termination of Windows Event Log service threads to limit forensic visibility, underscoring continued Chinese intelligence interest in regional telecom networks and a broader shift toward stealthier post-compromise tooling.
Apr 11, 2025
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026
China-Linked Espionage Intrusion at U.S. Policy Non-Profit
A China-linked advanced persistent threat (APT) group infiltrated a U.S. non-profit organization focused on influencing U.S. government policy on international issues, maintaining access for several weeks in April 2025. The attackers initiated their campaign with mass scanning on April 5, targeting a server using multiple public exploits, including those for Log4j, Atlassian OGNL, Apache Struts, and GoAhead Web Server. After a brief pause, activity resumed on April 16 with connectivity tests and network reconnaissance, followed by the establishment of persistence through a scheduled task that executed `msbuild.exe` as SYSTEM every hour. This task likely injected code into `csc.exe`, which then communicated with a command-and-control server at `38.180.83[.]166`. The attackers also used DLL sideloading via the legitimate VipreAV component `vetysafe.exe` to load a malicious DLL (`sbamres.dll`), a technique previously associated with other Chinese APT groups. The intrusion demonstrated a focus on stealth and long-term access, with the use of legitimate binaries and scheduled tasks to evade detection. The attackers' tactics, including the use of `Imjpuexc` (a Microsoft file for East Asian input) to mask activity and the deployment of a custom loader to execute an encrypted payload (likely a remote access trojan) in memory, align with methods seen in other campaigns attributed to Chinese state-sponsored actors. The operation is part of a broader pattern of Chinese cyber-espionage targeting U.S. organizations involved in policy matters, leveraging both legacy and recent vulnerabilities to gain initial access and maintain persistence within high-value networks.
Mar 21, 2026