
2025-11-04 By RedDrip Team | Incident Tracking

In recent years, the QiAnXin Threat Intelligence Center's RedDrip team, during intense confrontations with advanced APT groups in Northeast Asia, discovered nearly 20 zero-day exploits involving domestically developed software. The related Indicators of Compromise (IOCs) cover multiple organizations with some overlap. Operation South Star is likely a forensic activity within the MSMT cooperation framework. This article primarily discloses the in-the-wild exploitation of Zipperdown.
NORTHEAST ASIA APT 0DAY

2025-10-28 By RedDrip Team | Security Incident

Recently, Qi'anxin's Network Security Department and Threat Intelligence Center have observed multiple instances where R&D personnel from government and enterprise customers downloaded untrusted tools or installation packages from GitHub. This has led to the implantation of information-stealing or cryptocurrency mining software on development endpoints, potentially impacting core company data.
GITHUB POISONING

2025-10-28 By RedDrip Team | Security Incident

Peter Williams, general manager of the cyber business at L3Harris subsidiary Trenchant, was charged with secretly selling the same batch of 0days, while former iOS researcher Jay Gibson was wrongly judged to be the insider and fired. The incident exposed a double failure at one of the top ten US government contractors: it was both breached by external 0days and leaked from within by an insider.
0DAY ATTACK DATA BREACH

2025-10-20 By RedDrip Team | Incident Tracking

The Qi'anxin Threat Intelligence Center discovered attack samples associated with the Bitter (APT-Q-37) group. The attackers used two methods to implant a C# backdoor capable of delivering arbitrary EXE files from a remote server. The first method used a VBA macro carried in an .xlam file to drop a C# source file, which was then compiled and installed with the csc.exe and InstallUtil.exe shipped in the .NET Framework on the victim's machine. The second method exploited a WinRAR path traversal vulnerability to replace the Normal.dotm file in the user's template directory; when the victim opened a .docx file, the malicious macro code in Normal.dotm executed, retrieved the backdoor hosted on the remote server, and ran it.
APT SOUTH ASIA BITTER APT-Q-37

2025-10-15 By RedDrip Team | Special Report

In recent years we have observed a large number of attack cases based on the software and hardware supply chain. For example, in the Xshell source code contamination attack the attackers directly modified the product source code and implanted a Trojan, whereas the attack on Apple's integrated development environment Xcode indirectly compromised the software it produced by tampering with the build environment. These cases ultimately affected hundreds of thousands, or even hundreds of millions, of software users and can cause harm such as theft of user privacy, implanting of Trojans, and theft of digital assets. The QiAnXin Threat Intelligence Center has analysed many cases of supply-chain-sourced attacks, drawn a number of conclusions, and offers countermeasure recommendations.
SUPPLY CHAIN ATTACK

2025-09-26 By RedDrip Team | Incident Tracking

Between 2020 and 2021, we systematically exposed a series of espionage activities by the Confucius group, including Operation Tipu and Operation Angi. Despite the passage of time, the group's overall tactics, techniques, and procedures (TTPs) remain highly similar. Through multi-source intelligence analysis, we believe Confucius is an outsourced APT group, with attacks primarily conducted by local contractors or individuals. These outsourced cyberattacks exhibit several notable characteristics: low cost, relatively simple technical techniques, and often targets that reflect national will.
APT SOUTH ASIA CONFUCIUS