Volexity, a cutting-edge cybersecurity firm based in Virginia, has uncovered a Chinese hacking group known as StormBamboo, which is injecting malware into software updates distributed through an Internet Service Provider (ISP). The name of the ISP has been kept confidential. According to reports, StormBamboo—also identified as Evasive Panda, Daggerfly, or Storm Cloud—has been active since 2012. This espionage group is targeting organizations across China, Hong Kong, India, Pakistan, Singapore, Macao, Nigeria, and parts of Southeast Asia.
The group exploits inadequately secured HTTP software update mechanisms that lack valid digital signatures. This weakness lets the attackers replace legitimate updates with malware on both Windows and macOS devices. Essentially, DNS requests are being corrupted by the MACMA and MgBot malware and redirected to malicious IP addresses.
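The two defensive controls that close the gap described above are an update client that refuses plain-HTTP endpoints (a poisoned DNS answer can steer an HTTP request anywhere, but an HTTPS connection to the wrong host fails certificate validation) and a pinned vendor signature checked over the downloaded bytes before anything is installed. The Go program below is an added example written for this page, not code from Volexity's report or from any affected vendor; the key pair, URLs and payload bytes are all constructed inline for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// ErrInsecureTransport is returned for update URLs that do not use HTTPS.
var ErrInsecureTransport = errors.New("update URL must use https")

// ErrBadSignature is returned when the payload does not verify under the pinned key.
var ErrBadSignature = errors.New("update signature does not verify")

// ValidateUpdateURL rejects any update endpoint that is not served over HTTPS.
// With plain HTTP, a forged DNS answer silently redirects the download to an
// attacker-controlled host; with HTTPS the TLS handshake to the wrong host fails.
func ValidateUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return ErrInsecureTransport
	}
	return nil
}

// VerifyUpdate checks an Ed25519 signature over the full payload. The public
// key is pinned inside the client, so controlling the download host (or the
// DNS that points to it) is not enough to get a forged update accepted.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig []byte) error {
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the vendor-side step, included only so the sample is self-contained.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// Demo plays out the scenario: a genuine signed update verifies, while a
// swapped payload delivered under the same signature is rejected.
func Demo() (genuineOK bool, swappedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		return false, false, err
	}
	genuine := []byte("constructed sample: app v2.0.1 installer bytes")
	sig := SignUpdate(priv, genuine)

	genuineOK = VerifyUpdate(pub, genuine, sig) == nil

	// What an update client would receive after a DNS redirect to a malicious host.
	swapped := []byte("constructed sample: attacker-substituted installer bytes")
	swappedOK = VerifyUpdate(pub, swapped, sig) == nil
	return genuineOK, swappedOK, nil
}

func main() {
	for _, u := range []string{
		"http://updates.example.test/app.bin",  // constructed, insecure
		"https://updates.example.test/app.bin", // constructed, acceptable
	} {
		if err := ValidateUpdateURL(u); err != nil {
			fmt.Printf("%s rejected: %v\n", u, err)
		} else {
			fmt.Printf("%s accepted for download\n", u)
		}
	}
	g, s, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("genuine update verifies: %v, swapped payload verifies: %v\n", g, s)
}
```

The signature check is the control that matters most here: an HTTPS-only policy stops the DNS redirect from reaching a server the attacker controls, but a pinned signature also protects clients when the transport is downgraded or the update host itself is compromised.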
In addition, another threat group called “Bloody Wolf” has been targeting businesses in Kazakhstan with the intent to gather intelligence and deploy destructive malware capable of erasing data from infected devices. Notably, this group is also selling malware solutions for just $40. However, to avoid suspicion from Western law enforcement, potential buyers must make their requests from IP addresses in Asia. This tactic reassures the threat actors that the request is genuine and not a sting operation.
Following high-profile criminal crackdowns such as Operation Cronos by Europol and the FBI, cybercriminals have become increasingly cautious. When a request for malware or ransomware is received, they now verify the legitimacy of the requester by contacting them through messaging platforms before proceeding with the transaction, which is conducted using digital currencies.