CHINA CYBERSECURITY THREAT INTELLIGENCE REPORT - cyfirma

CHINA CYBERSECURITY THREAT INTELLIGENCE REPORT Published On : 2026-04-22 Share : Executive Summary: China’s cyber threat landscape during 2025–2026 is shaped by sustained inbound targeting from multiple foreign state-sponsored actors, persistent ransomware pressure across high-value sectors, and an expanding foreign intelligence collection mandate against Chinese national assets. Ransomware activity remains competitive and fragmented, with groups such as LockBit, World Leaks, and TheGentlemen leading activity against high-value sectors including telecommunications, energy, IT, and manufacturing, while legacy vulnerabilities continue to drive exploitation at scale. At the same time, China faces inbound threats targeting sensitive national assets, including alleged compromises of time synchronization infrastructure and large-scale dark-web data leak claims affecting public programs and research institutions. Overall, the environment is characterized by systemic infrastructure risk, zero-day operationalization speed, supply chain leverage, and increasing convergence between cyber espionage, strategic disruption capability, and criminal monetization. Key Findings: Fragmented but Persistent Ransomware Pressure: China faces sustained ransomware activity led by LockBit, World Leaks, and TheGentlemen, with no single actor dominating. Telecommunications, energy, IT, and manufacturing remain the most consistently targeted sectors, reflecting their operational centrality and systemic impact potential. Legacy Vulnerabilities Still Driving Exploitation: Older CVEs (2014–2019) continue to generate significant detection volume, demonstrating persistent patching gaps across exposed infrastructure. Simultaneously, rapid weaponization of newly disclosed 2024–2025 vulnerabilities indicate attackers are balancing opportunistic exploitation with zero-day capability. Supply Chain and Managed Service Provider Risk: Targeting patterns indicate deliberate positioning within SaaS providers, MSPs, and third-party technology ecosystems to achieve downstream access into multiple victim environments simultaneously. Inbound Targeting of Chinese National Infrastructure: Alleged compromises affecting national time synchronization infrastructure and other strategic systems highlight systemic, cascading risk potential where disruption could impact finance, telecommunications, energy, and defense sectors. Dark-Web Data Exposure and Criminal Activity: Multiple large-scale breach claims involving public service databases, financial institutions, and research organizations indicate ongoing data monetization activity, though several claims remain unverified. Emerging Threat Acceleration Factors: AI-assisted offensive tooling, semiconductor and advanced technology targeting, and regulatory reporting centralization collectively reshape the threat landscape, increasing both attack precision and the strategic value of incident intelligence. Ransomware Assessment Ransomware continues to be the most disruptive threat to Chinese organizations, with attacks driven by both dominant and emerging groups. Figure 1: Ransomware Groups Targeting China LockBit, World Leaks, and TheGentlemen emerge as the leading groups, each accounting for the largest share of observed activity. Their comparable percentages indicate a competitive landscape where multiple high-capability operators are active simultaneously rather than a single group dominating the environment. A secondary tier includes Warlock, followed closely by Sinobi, Crypto24, Devman, RansomHouse, and Beast. These actors contribute smaller but still notable portions of activity, suggesting either more selective targeting or lower operational volume compared to the leading cluster. Figure 2: Industry Targeted Telecommunications and Media, Energy and Utilities, Information Technology, and Manufacturing appear at the highest observed level, each showing comparable incident frequency. This suggests sustained threat actor interest in sectors that either manage core infrastructure, enable digital services, or support large-scale operational ecosystems. These industries typically present high-impact targets due to their network centrality and operational sensitivity. Materials, Consumer Goods and Services, and Automotive show lower but consistent activity. While incident counts are comparatively smaller, these sectors remain relevant due to supply chain integration, industrial systems exposure, and reliance on connected operational technologies. Ransomware Incidents On Feb 15, 2026, the ransomware group LockBit5 reportedly released various stolen materials, including identification documents, and other confidential files of an information technology service provider based in China. On Feb 15, 2026, the ransomware group LockBit5 reportedly exposed data associated with a water production and supply provider based in China. On Dec 12, 2025, the ransomware group Ransomhouse posted an alleged exposure of data of a major manufacturer based in China. Vulnerability In Focus Based on their 90-day average detection rates, CVE-2019-12780 leads the list, followed by CVE-2017-17215, CVE-2014-8361, CVE-2018-10562, and CVE-2016-10372. The data shows that older vulnerabilities from 2014–2019 continue to generate significant activity, demonstrating the long tail of unpatched systems still exposed to exploitation. At the same time, the presence of newer 2024–2025 CVEs indicates that attackers are actively incorporating recently disclosed vulnerabilities into their campaigns. CVE ID CVSS Products Affected Threat Actors Exploit Available CVE-2019-12780 9.8 Belkin Wemo Smart Plug LockBit, RansomHouse No CVE-2017-17215 9.1 NETGEAR Routers (R6400, R7000, R8000) World Leaks, TheGentlemen, Devman Link CVE-2014-8361 9.3 Realtek SDK, IoT Devices, Network Equipment Warlock, Sinobi, Beast Link CVE-2018-10562 8.9 Dasan GPON Home Routers LockBit, RansomHouse, Crypto24 Link CVE-2016-10372 9.8 Eir D1000 modem Unknown / Not attributed No Figure 3: Vulnerabilities in Focus Figure 4: Top Targeted Vendor WordPress stands out as the most frequently exploited platform, indicating continued attacker focus on vulnerable plugins, outdated installations, and exposed administrative interfaces. Its prevalence reflects both its global footprint and its common exposure to the public internet. GeoServer follows as the second most targeted technology, suggesting exploitation of unpatched vulnerabilities or misconfigured geospatial services. Netgear and Apache Software Foundation show similar levels of activity, typically linked to exposed web servers, misconfigurations, or outdated firmware in edge networking devices. A secondary tier includes Vacron, Shenzhen TVT, and TBK, indicating targeting of surveillance and video management systems. Lower but consistent exposure is observed across infrastructure products from Belkin, Huawei, and Zyxel, typically through internet-facing management interfaces or outdated firmware. Dark Web and Underground Chatter Chinese organizations and critical infrastructure remain targets for criminal monetization and intelligence collection on underground forums. Our monitoring identified sustained activity involving data exfiltration claims, ransomware negotiations, and infrastructure reconnaissance targeting Chinese government, finance, technology, and critical infrastructure sectors. Cyclical peaks in ransomware and breach claims suggest coordinated campaign activity and operational disruption events. Analysis reveals patterns of data sales, criminal discussions on exploitation techniques, and strategic intelligence collection efforts against Chinese entities. Figure 5:Dark-web Underground Chatter Data breaches and data leaks dominate throughout the timeline. September records the highest levels, with breaches at 187 and leaks at 182, followed by a gradual decline into December and January. While both categories drop substantially after November, breach activity remains comparatively stable in January and February, indicating continued compromise of sensitive data even as large-scale leak disclosures decrease. Ransomware activity peaks in November at 139 incidents, following strong activity in September and October. However, a dramatic reduction is observed from December onward, with single-digit figures recorded in January and February. This suggests either operational disruption within ransomware ecosystems, reduced public disclosures, or a shift toward quieter data-exfiltration-driven campaigns rather than encryption-heavy operations. Claimed hacks show moderate activity in October and November, disappear entirely in December and January, and reappear in February. This pattern may indicate fluctuating hacktivist or reputation-driven claim behaviour rather than consistent operational campaigns. DDoS incidents follow a declining trajectory overall, with the highest concentration in September and smaller spikes in November and January. Hacktivism mirrors a similar pattern, with limited but noticeable activity in the early months before dropping sharply. Web exploitation appears sporadic, with a brief spike in October and isolated activity in January, suggesting opportunistic rather than sustained exploitation campaigns. APT Activity Targeting China NATIONAL TIME SERVICE CENTER COMPROMISE — Unattributed Foreign Intelligence Agency A sustained cyberespionage campaign targeting China’s National Time Service Centre ran from early 2022 through 2025, identified in October 2025. The facility is responsible for broadcasting China’s standard time signal to telecommunications networks, financial markets, transportation infrastructure, and defense systems. Target Industries: Telecommunications, financial markets, transportation, defense systems, and power grid operations. Target Technologies: Time synchronization infrastructure, telecommunications switching systems, financial trading platforms, power grid relays, internet routing protocols, and staff mobile devices. Initial Access: Supply chain compromise through overseas telecommunications provider, exploiting a trusted third-party network connection to bypass perimeter defenses. Key TTPs: Deployment of 42 specialized cyber-attack tools, persistence maintenance, network configuration data extraction, staff mobile device access, and long-term access maintenance. Motivations: Intelligence collection on critical infrastructure dependencies, pre-positioning for potential disruption of financial systems and military communications, assessment of infrastructure vulnerabilities, and cascading failure potential. Strategic Impact: Compromise of national time infrastructure affects all dependent systems, financial platforms, telecommunications switching, power grid relays, and encrypted communications. A corrupted time source induces cascading failures without generating external attack alerts, creating systemic risk across multiple critical sectors simultaneously. APT33 / Elfin / Refined Kitten — Iranian Revolutionary Guard Corps (IRGC) APT33 is an Iranian state-sponsored threat actor operating under the control of the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, the group has conducted sustained espionage and reconnaissance operations targeting critical infrastructure sectors globally, with particular focus on energy, aerospace, and petrochemical industries. The group is known for rapid vulnerability exploitation, aggressive reconnaissance activities, and targeting of organizations supporting Iran’s strategic competitors. In recent years, APT33 has expanded its operational scope to target Asian critical infrastructure, including Chinese energy sector assets, representing a strategic shift in geographic priorities toward direct competition with Chinese energy production and geopolitical influence. Target Industries: Energy sector, government agencies, chemical and petrochemical plants, telecommunications, and aerospace. Primary Technologies Targeted: Industrial control systems (SCADA), VPN appliances, email systems, web servers, and network infrastructure. Initial Access Vectors: Spear-phishing with weaponized documents, exploitation of public-facing web applications, targeting of VPN infrastructure. Key TTPs: Reconnaissance and surveillance of critical infrastructure; deployment of custom malware (DROPSHIP, TURNEDUP) for persistence; lateral movement targeting sensitive systems; dwell times averaging 6+ months for intelligence collection. Motivations: Strategic intelligence collection on the Chinese energy infrastructure and production capacity; assessment of Iranian strategic competition with Chinese energy sector; technological espionage on energy-related research; competitive intelligence supporting Iranian industrial development. Examples: Targeting of Chinese petroleum refineries and pipeline infrastructure; operations against natural gas distribution systems; surveillance of energy ministry communications and policy development; reconnaissance of advanced energy research programs. Geographic Focus: Emerging targeting of Chinese energy infrastructure represents expansion of APT33 operations beyond traditional Middle Eastern focus, indicating increased interest in Asian strategic assets and direct competition with Chinese energy sector dominance. APT34 / OilRig / IRLeaks — Iranian Ministry of Intelligence and Security (MOIS) APT34 is an Iranian state-sponsored cyber espionage group operating under the Ministry of Intelligence and Security (MOIS), active since at least 2014. The group specializes in targeted intrusions against government and private sector organizations in the Middle East, Europe, and increasingly Asia. APT34 is characterized by sophisticated social engineering, patient long-term access maintenance, and intelligence collection focused on sensitive government communications and strategic technology development. The group’s expansion into targeting the Chinese government and technology sectors reflects Iran’s strategic competition with China over regional influence, technology partnerships, and alignment with international powers. Recent operations demonstrate increasing technical sophistication and coordinated intelligence collection supporting the Iranian government decision-making. Target Industries: Government, oil and gas, telecommunications, technology companies, and financial services. Primary Technologies Targeted: Government email systems, oil and gas operational technology, web servers, and identity management systems. Initial Access Vectors: Spear-phishing campaigns with sophisticated social engineering, exploitation of web application vulnerabilities, targeting of email servers, and supply chain compromise targeting government service providers. Key TTPs: Persistent access through webshell installation; credential theft enabling lateral movement; intelligence collection on communications and decision-making; malware deployment (BONDUPDATER or TONEDEAF) for sustained access; document exfiltration targeting policy and strategic planning materials. Motivations: Strategic intelligence collection on Chinese government decision-making; assessment of Chinese technology and energy sector capabilities; political and economic competitive intelligence; understanding of Chinese foreign policy priorities; technology acquisition supporting Iranian development goals. Examples: Operations against Chinese government ministry networks; targeting of technology companies engaged in AI and semiconductor research; surveillance of energy sector planning and policy; reconnaissance of Chinese technology partnerships with third countries. Geographic Focus: Operations targeting China represent an emerging intelligence priority for MOIS, reflecting the broader Iranian strategy to understand Chinese strategic intentions, technology capabilities, and competitive positioning in Asian markets. APT43 / Kimsuky / Thallium / Velvet Chollima — Reconnaissance General Bureau (RGB) Kimsuky is a North Korean state-sponsored cyber espionage group operating under the Reconnaissance General Bureau, active since at least 2012. The group specializes in sophisticated social engineering, credential theft, and intelligence collection targeting government, defense, technology, and research sectors globally. Kimsuky is known for patient, long-term access maintenance, and high-quality intelligence analysis of compromised systems. The group has expanded its targeting to the Chinese technology and defense sectors as part of broader North Korean intelligence collection operations. Target Industries: Government agencies, technology companies, defense research, semiconductor manufacturing, AI research institutions, and cryptocurrency exchanges. Primary Technologies Targeted: Email systems, enterprise networks, VPN infrastructure, cloud collaboration platforms, and identity management systems. Initial Access Vectors: Sophisticated spear-phishing with tailored social engineering, exploitation of email vulnerabilities, targeting of researchers and government officials with fake job offers, and collaboration invitations. Key TTPs: Credential harvesting through phishing; lateral movement using compromised credentials; long-term access maintenance; intelligence collection on communications and research activities; document exfiltration; use of legitimate cloud services for C2 obfuscation. Motivations: Intelligence collection on Chinese technology development, including AI and semiconductor research; assessment of Chinese defense capabilities and research priorities; understanding of Chinese government technology strategies; acquisition of intellectual property supporting North Korean technology development. Examples: Operations against Chinese AI research institutes; targeting of semiconductor research organizations; surveillance of defense ministry communications; intelligence collection on Chinese-foreign technology partnerships. APT29 / Cozy Bear / The Dukes — Russian Foreign Intelligence Service (SVR) APT29 is a Russian state-sponsored cyber espionage group operating under the Foreign Intelligence Service (SVR). Active since at least 2008, the group conducts sophisticated, patient intelligence collection operations targeting government, technology, and research sectors globally. APT29 is known for advanced tradecraft, zero-day exploitation, and long-term persistence without detection. The group has targeted the Chinese government, technology, and research institutions as part of broader Russian intelligence collection operations. Target Industries: Government agencies, technology companies, research institutions, defense contractors, diplomatic missions. Primary Technologies Targeted: Government email systems, enterprise networks, cloud collaboration platforms, VPN infrastructure, and research computing systems. Initial Access Vectors: Zero-day exploitation, spear-phishing with sophisticated social engineering, supply chain compromise, targeting of internet-facing services. Key TTPs: Sophisticated malware development; lateral movement across government networks; long-term persistent access; credential harvesting; counter-forensics and anti-detection measures; use of legitimate services for C2. Motivations: Strategic intelligence collection on Chinese government operations and decision-making; assessment of Chinese technology and defense capabilities; competitive intelligence on technology research; understanding of Chinese foreign policy priorities. Examples: Operations targeting Chinese government ministries; surveillance of defense-related research; intelligence collection on technology development; operations against diplomatic communications infrastructure. APT28 / Fancy Bear / Sofacy — Russian General Staff Main Intelligence Directorate (GRU) APT28 is a Russian military intelligence group operating under the GRU, active since at least 2007. The group conducts aggressive cyber espionage and cyber warfare operations targeting government, defense, technology, and infrastructure sectors. APT28 is characterized by rapid vulnerability exploitation, aggressive reconnaissance, and coordinated campaigns supporting Russian strategic objectives. The group has targeted the Chinese military and technology sectors. Target Industries: Government agencies, military research, defense contractors, technology companies, telecommunications. Primary Technologies Targeted: Military communication systems, government networks, defense research infrastructure, and technology development systems. Initial Access Vectors: Spear-phishing with malicious attachments, exploitation of public-facing applications, targeting of military and defense research networks. Key TTPs: Aggressive reconnaissance of target networks; rapid malware deployment; credential theft; lateral movement across military networks; document and research exfiltration; coordinated multi-stage attacks. Motivations: Intelligence collection on Chinese military modernization and capabilities; assessment of Chinese defense doctrine; understanding of military technology development; competitive intelligence supporting Russian military planning. Examples: Operations against Chinese military research institutions; targeting of defense contractors developing military systems; intelligence collection on military modernization programs. Lazarus Group / Hidden Cobra / Zinc / Guardians of Peace Lazarus Group is a North Korean state-sponsored threat actor operating under the Reconnaissance General Bureau, active since at least 2009. The group is uniquely characterized by a dual operational mandate combining strategic cyber espionage with large-scale financially motivated cybercrime. Lazarus targets financial institutions, cryptocurrency exchanges, defence organizations, and technology companies globally. The group’s operations directly support North Korean state objectives, including sanctions evasion, intelligence collection, and revenue generation for state activities, making it one of the most versatile and consequential state-linked threat actors worldwide. Target Industries: Financial institutions, cryptocurrency exchanges, defence contractors, aerospace organizations, technology companies, government agencies. Primary Technologies Targeted: Banking systems, cryptocurrency platforms, SWIFT financial infrastructure, enterprise networks, supply-chain software, internet-facing services. Initial Access Vectors: Spear-phishing with weaponized documents or malicious links; exploitation of internet-facing services; software supply-chain compromise; manipulation of software update mechanisms. Key TTPs: Credential harvesting through phishing; lateral movement using legitimate administrative tools; persistence via backdoor implants; supply-chain compromise; cryptocurrency theft; targeting of high-value financial and strategic data repositories. Motivations: Sanctions evasion through cryptocurrency theft and financial fraud; acquisition of military and strategic intelligence; collection of defence-related technology and intellectual property; generation of revenue to fund state activities. Examples: Theft operations against cryptocurrency exchanges; intrusions into global financial institutions via SWIFT network manipulation; campaigns targeting defence contractors and aerospace organizations; high-profile destructive attacks against strategic targets. Turla / Snake / Uroburos / Venomous Bear Turla is a highly sophisticated Russian state-sponsored cyber espionage group widely attributed to the Federal Security Service (FSB), active for over a decade. The group specializes in long-term covert access to high-value networks, focusing on strategic intelligence collection related to foreign policy, defence planning, and geopolitical developments. Turla is consistently regarded as one of the most technically advanced espionage actors globally, distinguished by its use of covert communication channels, anti-detection techniques, and complex custom malware frameworks to maintain a persistent, undetected presence within targeted environments. Target Industries: Government agencies, diplomatic institutions, defence organizations, research entities, international policy organizations, strategic technology research institutions. Primary Technologies Targeted: Email and communications systems, enterprise networks, diplomatic infrastructure, satellite communications, VPN, and proxy infrastructure. Initial Access Vectors: Spear-phishing emails with malicious attachments; exploitation of software vulnerabilities; use of compromised credentials; targeting of internet-facing services. Key TTPs: Credential harvesting; lateral movement and network reconnaissance; long-term covert access maintenance; encrypted command-and-control infrastructure; system log manipulation; leveraging compromised satellite communications and proxy networks to obscure operational origin. Motivations: Strategic intelligence collection on foreign policy and diplomatic activities; surveillance of defence planning and military strategy; monitoring of geopolitical research and international negotiations; acquisition of sensitive government and institutional communications. Examples: Long-term infiltration of government and diplomatic networks across multiple regions; campaigns targeting geopolitical research organizations and international policy institutions; surveillance operations against defence ministries and research laboratories; covert monitoring of foreign policy communications over extended periods. SIDEWINDER / Rattlesnake / T-APT-04 — India-Linked State-Sponsored Sidewinder is an India-linked cyber espionage group suspected of operating under Indian state-sponsored direction (medium-high confidence attribution). Active since at least 2012, the group conducts political and military espionage supporting Indian national defense and foreign policy objectives. While the group’s primary mandate covers intelligence collection on Pakistani military and government operations, confirmed secondary targeting of China focuses on military modernization, defense technology development, and government strategic planning—reflecting India’s regional geopolitical competition with China. The group is characterized by sophisticated document-based exploits, multi-layer payload obfuscation, and geographic IP filtering on command-and-control infrastructure. Target Industries: Government agencies and ministries, military and defense organizations, maritime and naval institutions, nuclear energy organizations, aviation, telecommunications, financial institutions, legal firms, and economic policy organizations. Target Technologies: Microsoft Office document vulnerabilities (RTF and DOCX exploit chains), government email systems, Android mobile platforms, VPN infrastructure, maritime port management systems, and nuclear facility administrative networks. Initial Access: Spear-phishing delivering DOCX or RTF files exploiting Microsoft Office RCE vulnerabilities disguised as government advisories and military briefings, Android malware distributed via legitimate-appearing APKs, government website cloning for credential phishing. Key TTPs: Organization-branded decoy documents themed around government and military issues, DLL sideloading for defense evasion, multi-layer payload obfuscation with unique per-file encryption keys, anti-bot geographic IP filtering restricting payload delivery to targeted regions, living-off-the-land techniques, cloud platform abuse for C2, KernelCallBackTable injection, Pakistan Standard Time zone checks embedded in malware to confirm target geographic context. Motivations: Primary mandate covers intelligence collection on Pakistani military and government operations; secondary targeting of China reflects intelligence collection on military modernization, defense technology development, and government strategic planning supporting Indian regional geopolitical competition with China. HONG KONG / TIBETAN INDEPENDENCE-LINKED OPERATIONS Various hacktivist and state-adjacent groups with unclear attribution targeting Chinese government and surveillance infrastructure Smaller, less formally attributed operations from Hong Kong-based and Tibetan independence-linked groups conduct sporadic targeting of Chinese government networks and surveillance infrastructure. Attribution remains challenging due to deliberate false-flag operations and operational security practices, but the suspected involvement of foreign intelligence services supporting Hong Kong and Tibetan activism cannot be excluded. Target Industries: Government agencies, public security infrastructure, surveillance systems. Primary Technologies Targeted: Government networks, surveillance systems, public security databases. Initial Access Vectors: Exploitation of exposed government systems, supply chain compromise of surveillance vendors, and watering hole attacks. Key TTPs: Website defacement, data exfiltration, denial of service attacks, and infrastructure disruption. Motivations: Activism supporting Hong Kong autonomy; Tibetan independence advocacy; opposition to Chinese government surveillance; political messaging and awareness raising. Geographic Focus: Hong Kong and Tibetan autonomous regions represent primary operational focus, with secondary targeting of central government surveillance and control infrastructure. APT-C-01 / PoisonVine / “Poison Ivy Group” APT-C-01 is an unattributed cyber espionage group with a targeting profile consistent with Southeast Asian or Taiwan-linked intelligence tasking. The group conducts long-duration strategic intelligence collection against the Chinese government, military, and maritime organizations with confirmed sustained operations since at least 2007. Active resurgence in December 2024 indicates ongoing state-level resource backing. The group is characterized by sophisticated website cloning for phishing infrastructure, automatic malicious payload delivery mechanisms, and extensive use of cloud platforms for command-and-control and data exfiltration. Target Industries: Government agencies and ministries, military and defense organizations, maritime and naval institutions, scientific research institutions, and academic organizations. Target Technologies: Government email systems and web portals, phishing-cloned official government websites, and endpoint environments receiving legitimate-appearing downloads. Initial Access: Phishing operations using cloned official government and institutional websites, victims directed to convincing replicas that trigger automatic download of malicious payloads. December 2024 campaign delivered Sliver RAT via this mechanism. Earlier campaigns used legacy Poison Ivy RAT shellcode variants and ZxShell via spear-phishing and watering hole attacks. Key TTPs: Official website mimicry for phishing infrastructure, automatic payload download triggered on page visit, cloud storage abuse for C2 and exfiltration, multi-layer infrastructure for anti-attribution, long operational persistence with confirmed multi-year dwell times. Motivations: Long-duration strategic intelligence collection against the Chinese government, military, and maritime organizations, political and military intelligence acquisition, government policy data, and military documents theft. APT-C-00 / OceanLotus / APT32 / SeaLotus / Canvas Cyclone — Vietnam State-Sponsored APT-C-00 is a Vietnamese state-sponsored cyber espionage group assessed with high confidence as operating on behalf of the Vietnamese state intelligence services. Operating hours and infrastructure consistently align with Vietnamese business hours and Vietnamese-language tooling. The group conducts strategic intelligence collection explicitly aligned with Vietnam’s national security and economic development interests, with China confirmed as the primary target geography. Vietnam’s sustained geopolitical competition with China over South China Sea territorial rights, trade interests, and technology access creates a direct and ongoing intelligence collection mandate. The group’s January 2025 targeting of Chinese cybersecurity researchers using GitHub as an infection vector reflects the intent to compromise network defenders and undermine China’s defensive cyber capability. Target Industries: Cybersecurity research and technology companies, government agencies and ministries, large technology enterprises, organizations participating in China’s “Xinchuang” domestic IT self-sufficiency ecosystem, aviation and maritime sectors, manufacturing, and financial services. Target Technologies: GitHub development infrastructure poisoned Visual Studio project files and malicious repositories targeting security professionals, Chinese red team tools including Cobalt Strike plugins, Windows DLL loading mechanisms via DLL hollowing (xpsservices.dll), Microsoft 365 cloud environments, Notion cloud note-taking platform for C2, China’s Xinchuang domestic hardware and software platforms. Initial Access: GitHub supply chain poisoning, distributing backdoored security tools, Cobalt Strike plugins, and malicious Visual Studio project files targeting Chinese security professionals. Social engineering impersonation of security professionals from Chinese FinTech companies. Spear-phishing with malicious Office documents. Watering hole attacks against websites frequented by Chinese government and enterprise personnel. Key TTPs: DLL hollowing overwriting memory within legitimate xpsservices.dll system library for silent payload execution under trusted process name, Notion cloud platform as C2 channel embedding instructions within Notion pages, registry persistence and scheduled task creation, supply chain poisoning via trusted developer platforms targeting security research community, Xinchuang domestic IT ecosystem targeting for supply chain attack capability, active credential harvesting against Microsoft 365 environments. Motivations: Strategic intelligence collection supporting Vietnam’s national security and economic development interests, South China Sea competition and territorial intelligence, trade interest protection, technology access acquisition, direct targeting of China’s defensive cyber capability through security researcher compromise, and development of supply chain attack capability against China’s nationally strategic technology infrastructure. Malware and Tools: Denis backdoor, Ratsnif network trojan, Backdoor.MacOS.OCEANLOTUS (macOS variant), Cobalt Strike (backdoored plugin variant), custom Notion-C2 implant, DLL hollowing loaders, JavaScript-based backdoors, macro-enabled Office document droppers, browser credential harvesters. SinisterEye / LuoYu / CASCADE PANDA SinisterEye is an unattributed cyber espionage group with confirmed Chinese-speaking operators and analytically contested attribution. Targeting is overwhelmingly concentrated on entities within China itself foreign diplomatic organizations, foreign companies, and foreign nationals operating inside Chinese territory. The group’s confirmed ISP-level or backbone-level interception capability over ChinaNet (AS4134) raises two competing hypotheses: either a Chinese domestic intelligence operation surveilling foreign entities operating in China, or a foreign state actor with extraordinarily sophisticated China network infrastructure penetration. Neither attribution is publicly confirmed, and this analytical uncertainty should be explicitly noted in any assessment. Target Industries: Foreign diplomatic organizations and embassies operating in China, foreign companies with China-based offices (defense, technology, trade sectors), international academic community, foreign nationals in China, defense aviation sector, government bodies with China-based operational presence. Target Technologies: Windows operating system update mechanisms, specifically Windows software update traffic intercepted and manipulated via adversary-in-the-middle to deliver WinDealer, Android mobile devices via SpyDealer, C2 infrastructure utilizing a randomized pool of approximately 48,000 IP addresses drawn from legitimate Chinese domestic IP space and rotating constantly. Initial Access: Adversary-in-the-middle attacks confirmed capability to intercept network traffic at ISP-level or backbone-level within AS4134 (ChinaNet). Legitimate software update requests from victim machines are intercepted in transit, with server responses replaced by a malicious payload before reaching the victim. Requires no user action, no phishing, no clicked link, no endpoint vulnerability exploitation, one of the most passive and difficult-to-detect initial access mechanisms globally. Confirmed also via malicious mobile applications distributing SpyDealer for Android. Key TTPs: Man-on-the-side (MOTS) attack methodology, passive traffic interception with selective payload injection for specific targets only, all other traffic passing unmodified. WinDealer’s 48,000-IP randomized C2 pool selecting IPs from legitimate Chinese ISP address blocks, making C2 traffic visually and statistically indistinguishable from ordinary domestic traffic. Active Directory reconnaissance post-compromise. Credential harvesting and sensitive document exfiltration. SpyDealer Android malware for mobile device surveillance of targeted individuals. Motivations: Surveillance and intelligence collection targeting foreign entities operating within China’s foreign diplomatic missions, international companies with China-based offices, academics, and foreign nationals resident in China. Exclusive focus on foreign entities inside Chinese borders, combined with ISP-level interception capability consistent with counterintelligence mandate: monitoring what foreign governments and organizations conduct inside China’s territory. Malware and Tools: WinDealer (Windows backdoor primary implant), SpyDealer (Android surveillance malware), custom passive MOTS injection framework operating at network infrastructure level. Attribution Confidence: High confidence for targeting and TTPs; Low confidence for national attribution. Analytical uncertainty explicitly noted could represent either Chinese domestic intelligence operation or foreign state actor with sophisticated China network infrastructure penetration. Malware Activity Impacting China NetDragon Botnet NetDragon is a purpose-built botnet malware first identified in October 2024, specifically engineered to compromise Feiniu fnOS network-attached storage devices, a platform predominantly deployed by Chinese home users and small-to-medium businesses. By late January 2026, command-and-control panel telemetry confirmed over 1,143 bots simultaneously online with total infections approaching 1,500 devices, all exclusively Feiniu hardware. Geographic distribution confirms China as the primary impact zone, with secondary victims in the United States, Singapore, and Australia. Attribution is to unknown criminal actors rather than state-sponsored groups, but its confirmed impact on Chinese domestic infrastructure classifies it as a direct threat impacting China. Intelligence Toolset A suite of 42 specialized cyber-attack tools was deployed against China’s National Time Service Center in an alleged multi-year sustained operation. The scale of the toolset, 42 distinct specialized components, indicates a well-resourced, professionally organized operation with specific, pre-planned collection objectives rather than opportunistic exploitation. National time infrastructure compromise represents a systemic, cascading risk. Financial markets, telecommunications switching, power grid control systems, and military communications all depend on a trusted, accurate time reference. A compromised time service can induce failures across these dependent systems without those systems generating alerts attributable to external attack, making this one of the highest-leverage, lowest-visibility infrastructure attack categories that exists. Asian Winter Games Infrastructure Targeting The attack techniques used against the Asian Winter Games infrastructure included arbitrary file read vulnerability exploitation, SQL injection attacks, HTTP X-Forwarded-For spoofing, mass port scanning, and targeted application vulnerability exploitation, a toolkit consistent with the broad offensive techniques used by advanced persistent threat actors across all nation-state categories. Cloud-based hosting infrastructure from providers, including Digital Ocean, was used to obfuscate attack origins, with servers in Europe and Asia leveraged as intermediate nodes. Targeted Infrastructure: Event management systems, arrival and departure management, payment infrastructure, and, per Chinese authorities’ broader claims, provincial energy, transportation, water resources, and communications infrastructure. Emerging Threats Targeting China AI-Accelerated Offensive Operations Against Chinese Systems The rapid integration of generative AI tools into offensive cyber operations represents a structural acceleration of the threat that China faces from foreign actors. The use of AI for tailored phishing content generation in fluent Mandarin, accelerated vulnerability research against Chinese infrastructure, synthetic impersonation of Chinese officials and institutions, and malware development represents a capability expansion that previously required significantly greater human resources. As China’s adversaries adopt these tools, the pace, quality, and targeting precision of operations against Chinese systems will increase in proportion. This capability gap is of particular concern for smaller government agencies, regional infrastructure operators, and educational institutions, where domestic cybersecurity maturity remains uneven compared to centrally managed national systems. Semiconductor and Technology Program Targeting As China accelerates investment in indigenous semiconductor manufacturing, AI development, quantum computing, and aerospace technology in response to Western export controls, these programs become increasingly high-value intelligence collection targets for foreign actors seeking to assess China’s technological advancement pace and acquire research that reduces their own development timelines. The technology decoupling driven by semiconductor export restrictions simultaneously increases the strategic value of China’s domestic programs and increases the intelligence collection pressure they face, a compounding vulnerability where China’s most strategically important technology investments are simultaneously its most heavily targeted. Research institutions, state-owned enterprises in strategic technology sectors, and any organization involved in dual-use technology development should assess themselves as primary foreign intelligence targets. Critical Infrastructure Regulatory Compliance as an Attack Intelligence Opportunity China’s Cyberspace Administration’s new National Cybersecurity Incident Reporting Management Measures, effective November 1, 2025, require all network operators in China, including foreign entities operating domestically, to report cybersecurity incidents within four hours when they meet defined thresholds, with mandatory disclosure of ransomware details, including ransom amount, payment method, and deadline. While this framework serves as a genuine domestic security resilience measure, the centralization of real-time incident data also creates a comprehensive picture of active foreign operations against Chinese network information of significant strategic intelligence value. Foreign actors aware of this reporting framework may adapt their operations to remain below mandatory disclosure thresholds, increasing the stealth requirements for sustained collection operations against Chinese targets. Contractor Ecosystem Operational Security Risk China’s private sector contractor ecosystem operating as an intermediary layer between state intelligence agencies and offensive cyber operations represents an active targeting surface for foreign intelligence services seeking intelligence on Chinese cyber operations, personnel, and active campaigns without needing to directly penetrate state infrastructure. Adversaries have demonstrated a willingness to target contractor organizations directly as an alternative pathway into Chinese operational intelligence, exploiting the fact that private firms typically operate with weaker internal security postures than state intelligence agencies themselves. The scale of exposure through this vector was made visible by prior contractor data exposure events, which revealed specific targeting lists, operational methods, internal communications, and evidence of ongoing campaigns. Each private contractor operating within China’s cyber ecosystem represents a potential breach point, a node where internal data, operational details, and personnel information can be accessed by foreign actors who target the contractors themselves rather than attempting to penetrate Chinese state intelligence infrastructure directly. As this contractor model expands in scale and scope, the structural exposure it creates for China’s operational security expands proportionally, making contractor ecosystem security an increasing priority for national cyber defense planning. Supply Chain Compromise as Inbound Attack Vector Supply chain compromise represents a primary and escalating inbound threat vector targeting Chinese government, defense, and technology organizations. Foreign advanced persistent threat actors increasingly leverage upstream software developers, hardware manufacturers, and managed service providers as indirect pathways into hardened Chinese government networks, exploiting the inherent trust extended to vendor software and hardware to bypass perimeter defenses. Inbound Supply Chain Threats Targeting China: 1. Chinese Software Development Firms as Intelligence Targets: Compromised source code repositories enabling access to downstream government and defense clients Intelligence collection on government-sensitive software development, including encryption implementations and classified systems Target: Government agencies relying on domestic software providers; military command and control systems; classified research systems 2. Managed Service Provider and Cloud Infrastructure Compromise: Foreign actors targeting the Chinese MSPs providing IT services to the government and defense sectors Single compromised provider delivering downstream access into multiple government agencies simultaneously Target: Government agencies, state-owned enterprises, military research institutions 3. Hardware Supply Chain Infiltration: Foreign intelligence services are potentially inserting surveillance capabilities into hardware manufacturing supply chains Concerns regarding surveillance firmware in networking equipment, storage appliances, and computing systems Foreign intelligence services are also assessed to target imported hardware and software products before or during delivery into China, potentially inserting surveillance capabilities into equipment destined for sensitive Chinese government and military networks. Target: National security agencies, military infrastructure, critical infrastructure. 4. Open-Source Software and Third-Party Library Compromise: Foreign actors targeting open-source libraries used by the Chinese government for software development. Potential insertion of surveillance or backdoor capabilities into widely used Chinese open-source projects. Compromise of package repositories used by Chinese developers introducing malicious dependencies. Target: Government software development organizations; technology companies using compromised libraries. Geopolitical Context China is the largest country in East Asia and one of the central geopolitical actors shaping the security environment of the Asia-Pacific region. The region is becoming the epicenter of geopolitical competition for the remainder of the 21st century, with China’s rise to superpower status fundamentally reshaping the regional and global balance of power. China’s economic expansion, technological ambitions, and rapidly modernizing military capabilities have elevated the country to a position where it increasingly challenges the established international order and the influence of the United States and its allies. At the same time, China faces a complex security environment characterized by numerous territorial disputes, strategic rivalries, and internal economic pressures. China’s domestic economic slowdown, demographic pressures, and ongoing efforts by Western countries to diversify supply chains away from China introduce additional uncertainty into Beijing’s strategic calculations, which may incentivize China to adopt a more assertive posture abroad while simultaneously tightening political and informational control domestically. China also faces ongoing strategic competition with the United States, which has manifested in trade disputes, semiconductor supply chains, military posturing in the Indo-Pacific, and competition over emerging technologies. The United States has strengthened security partnerships with regional allies, including Japan, South Korea, Australia, and the Philippines, while promoting multilateral initiatives, such as the QUAD and AUKUS, which China perceives as attempts to counterbalance its influence. Relations between China and several neighbours remain strained, including long-standing border tensions with India, historical disputes with Japan, and complex relations with Russia that have evolved into a strategic partnership. China’s growing alignment with Russia, particularly since the outbreak of the war in Ukraine, signals the emergence of a more c