📱 GTIG: Malicious actors exploit AI for vulnerability discovery and offensive operations
📝 ## 🌐 Context

Published on 11 May 2026 by the...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-11-gtig-les-acteurs-malveillants-exploitent-l-ia-pour-la-decouverte-de-vulnerabilites-et-les-operations-offensives/
🌐 source : https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access?hl=en
#APT27 #APT45 #Cyberveille

GTIG: Malicious actors exploit AI for vulnerability discovery and offensive operations

## 🌐 Context

Published on 11 May 2026 by the Google Threat Intelligence Group (GTIG), this report is an update to the February 2026 report on AI-related activity. It draws on Mandiant engagements, Gemini data and proactive GTIG research.

## 🤖 AI as an offensive tool

Vulnerability discovery and exploitation

- First documented case of a cybercriminal actor using AI to develop a zero-day exploit: a 2FA bypass in an open-source web administration tool, implemented in Python. Mass exploitation was avoided thanks to GTIG's responsible disclosure.
- UNC2814 (PRC nexus) used expert-persona prompts to research vulnerabilities in TP-Link firmware and OFTP implementations.
- APT45 (DPRK nexus) sent thousands of repetitive prompts to analyse CVEs and validate PoC exploits in an automated way.
- Actors are experimenting with the wooyun-legacy repository (a Claude plugin bundling over 85,000 real vulnerability cases) for in-context learning.
- Use of the agentic tools OpenClaw and OneClaw in vulnerable test environments.

Obfuscation and evasion (AI-augmented malware)

| Malware | Obfuscation type |
|---|---|
| PROMPTFLUX | Dynamic code modification |
| HONESTCUE | Evasion payload generation (VBScript via the Gemini API) |
| CANFAIL | Decoy logic |
| LONGSTREAM | Decoy logic |

- APT27 (PRC nexus) used Gemini to develop a fleet-management application for an ORB (Operational Relay Box) network, with a maxHops=3 parameter and support for MOBILE_WIFI/ROUTER devices.
- CANFAIL and LONGSTREAM (Russia nexus) target Ukrainian organisations and embed LLM-generated decoy code to mask their malicious functionality.

## 🦠 PROMPTSPY: autonomous attack orchestration

PROMPTSPY is an Android backdoor that embeds an autonomous agent module named GeminiAutomationAgent:

CyberVeille
📱 APT27, HAFNIUM and Silk Typhoon overlap: 2025 attribution and key TTPs
📝 Source: Natto Thoughts (Substack).
📖 cyberveille : https://cyberveille.ch/posts/2025-10-23-chevauchement-apt27-hafnium-et-silk-typhoon-attribution-2025-et-ttps-cles/
🌐 source : https://nattothoughts.substack.com/p/beyond-the-aliases-decoding-chinese
#APT27 #HAFNIUM #Cyberveille
APT27, HAFNIUM and Silk Typhoon overlap: 2025 attribution and key TTPs

Source: Natto Thoughts (Substack). Against the backdrop of US government disclosures in 2025, the article examines the links and overlaps between the Chinese groups APT27, HAFNIUM and Silk Typhoon, highlighting the limits of naming taxonomies and the value of tying activity to specific individuals and companies. The analysis emphasises attribution to named individuals (Yin Kecheng, Zhou Shuai, Xu Zewei, Zhang Yu) and their affiliated companies, illustrating that understanding the human operators (motivations, relationships, culture) complements purely technical indicators.

CyberVeille

{NEW} Chinese hackers are exploiting new SharePoint flaws—Microsoft links attacks to #APT27, #APT31 & Storm-2603.

They’re bypassing patches to steal MachineKeys via remote code execution.

The exploit chain is already in the wild. #CyberSecurity #CyberAttacks https://thehackernews.com/2025/07/microsoft-links-ongoing-sharepoint.html

Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacker Groups

Microsoft links SharePoint attacks to three China-based groups; flaws allow code execution and data theft on unpatched systems.

The Hacker News

"The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking more than 100 American organizations, including the U.S. Treasury, over the course of a decade.

The charged individuals all played a “key role” in China’s hacker-for-hire ecosystem, a senior DOJ official said on a background call with reporters, including TechCrunch, on Wednesday. The official added that those charged, which includes contract hackers and Chinese law enforcement officials, targeted organizations in the U.S. and worldwide for the purposes of “suppressing free speech and religious freedoms.”

The DOJ also confirmed that two of the indicted individuals are linked to the China government-backed hacking group APT27, or Silk Typhoon."

https://techcrunch.com/2025/03/05/justice-department-charges-chinese-hackers-for-hire-linked-to-treasury-breach/

#USA #CyberSecurity #DoJ #China #StateHacking #APT27 #SilkTyphoon

Justice Department charges Chinese hackers-for-hire linked to Treasury breach | TechCrunch

The individuals are accused of hacking over 100 U.S. organizations over the course of a decade

TechCrunch
12 Chinese hackers charged with US Treasury breach — and much, much more

The Department of Justice alleged cybercrimes that include hacks of over 100 US organizations.

The Verge

🚹 U.S. charges 12 in a Chinese Hacker-for-Hire Network linked to cyber attacks on governments & media. DOJ offers a $10M reward for info!

Read: https://hackread.com/us-charges-12-in-chinese-hacker-network-10m-reward/

#CyberSecurity #Hacking #APT27 #CyberCrime #China

US Charges 12 in Chinese Hacker Network, Offers $10M Reward


Hackread - Latest Cybersecurity, Tech, AI, Crypto & Hacking News
That thing, when you're "Zero Trust Access by Cisco", is strangely ironic. I'd take a PIX of all the hacks over the decades, but don't have a 360 lens ;> @wired @Cisco #apt27 #pix #hack #salttyphoon #hack https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/
China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

WIRED
EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
#APT31 #PlugY #APT27
https://securelist.com/eastwind-apt-campaign/113345/
EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.

Kaspersky
The slides https://botconf.eu/wp-content/uploads/2023/04/2023_5856_LUNGHI.pdf and video https://youtube.com/watch?v=713CsmcNE3o of my #Botconf talk about #IronTiger TTPs are online. I discuss recent infection vectors (including a supply chain attack), the evolution of their malware toolkit and targeting, and explain how we attributed these campaigns to #IronTiger #APT27 #APT threat actor

Last week's reporting gave a great insight into the level of innovation going on in the cyber crime ecosystem - C2 over MQTT, crypters delivering payloads over SQL connections, and UEFI bootkits that bypass Windows' Secure Boot! We've pulled it all together, just for you:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd

The BlackLotus #Bootkit has been upgraded to exploit a vulnerability in Microsoft's Secure Boot Mechanism, allowing it to persist on fully patched Windows 11 systems. This is enabled in no small part by the failure to update the UEFI revocation list, which allowed the bootkit author to simply load and exploit the vulnerable UEFI components on target systems.

Australia's cyber security laws were "bloody useless" in helping mitigate the Optus and Medibank breaches of 2022, according to the government's Home Affairs Minister. A new "national cyber office", reforms to Critical Infrastructure security laws, and a new Cyber Security Act are all on the table for discussion.

Zscaler analysts have picked up on the Snip3 crypter, a Crypter-as-a-Service offering which uses multiple obfuscated stages, an AMSI bypass, and SQL queries to circumvent security controls.

Sysdig share insights from a sophisticated #AWS-centric campaign; ESET have uncovered a new backdoor used by China's Mustang Panda (#APT27) which implements C2 over MQTT, and Team Cymru have again picked apart #IcedID's infrastructure to identify key TTPs.

Some interesting supply chain vulnerabilities this week, with bugs found in the ZK web app framework and Trusted Platform Module (TPM) having the potential to affect an untold number of applications and devices.

#Redteam members will get a kick out of DroppedConnection - a PoC that mimics Cisco AnyConnect VPN to siphon credentials and serve up malware to unwitting victims.

The #blueteam can look forward to some tips for GCP DFIR, bypassing malware geo-fencing, and tracking cyber criminal infrastructure.

Catch all this and much more in this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-3fd

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #DarkWeb #criticalinfrastructure #breach #privacy #Australia #crypter

SOC Goulash: Weekend Wrap-Up

27/02/2023 - 05/03/2023

Opalsec