Threat Research

In March 2026, the team identified activity by a China-nexus threat actor targeting countries in the Persian Gulf region. The campaign used a multi-stage attack chain to deploy a PlugX backdoor variant on compromised systems. Both the shellcode and PlugX backdoor employed obfuscation techniques to hinder reverse engineering....

Team has disclosed UAT-9244, assessed with high confidence as a China-nexus APT actor linked to Famous Sparrow. Since 2024, the group has targeted critical telecommunications infrastructure in South America. Its attacks impact Windows and Linux endpoints as well as network edge devices....

Knife Cutting the Edge details DKnife, a China-nexus, Linux-based adversary-in-the-middle (AitM) gateway framework active since at least 2019 that compromises routers and edge devices to inspect and manipulate network traffic and deliver malware....

UAT-8837 is a China-nexus threat actor assessed with medium confidence to specialize in gaining initial access to high-value organizations, with a clear focus on critical infrastructure targets in North America since at least 2025....

UAT-9686, a suspected Chinese-nexus APT actor, is actively targeting Cisco Secure Email Gateway (AsyncOS/ESA) and Cisco Secure Email and Web Manager (SMA). The group exploits non-standard appliance configurations to deploy a custom persistence tool called AquaShell, along with reverse tunneling and log-cleaning utilities to maintain stealthy, long-term access....

WARP PANDA is a newly identified, highly advanced China-nexus threat actor targeting VMware vCenter and ESXi environments across U.S. organizations in 2025. The group demonstrates strong technical skill, exceptional OPSEC, and deep expertise in cloud and virtualized systems....

Since early 2025, China’s presence in the Indo-Pacific has become increasingly assertive. Activities have ranged from heightened maritime tensions to acting as a peacebroker for Myanmar’s junta. More recently, espionage efforts have targeted joint Philippine naval exercises with the US, Australia, Canada, and New Zealand....

A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....

We are tracking BRICKSTORM malware, used to maintain long-term access to U.S. organizations. Since March 2025, Team Consulting has responded to intrusions in sectors like legal, SaaS, BPOs, and tech. The targets likely support zero-day development and serve as pivot points to broader victims....

In June 2025, two cyberattack campaigns—Operation GhostChat and Operation PhantomPrayers—targeted the Tibetan community, exploiting increased online activity surrounding the Dalai Lama's 90th birthday. Threat actors linked to a China-nexus APT group compromised a legitimate website to redirect users via malicious links....