The Red RedDrip Team of the Qi'anxin Threat Intelligence Center observed that a SharePoint server deployed on the extranet of a medical client had been compromised, and the execution of a malicious PowerShell was intercepted by TianQing. Subsequent analysis revealed the Golang-based 4L4MD4r ransomware, which appears to belong to the mimo group, a financially motivated threat actor.

奇安信威胁情报中心红雨滴团队观察到某医疗客户部署在外网的SharePoint服务器被入侵，执行恶意powershell被天擎拦截，后续分析发现基于golang的4L4MD4r勒索软件，该武器似乎属于mimo团伙，一个具有经济动机的威胁行为者。

In 2025, the White House restarted the tariff war, and the political dilemma was simultaneously reflected in cyberspace. OceanLotus launched a supply chain attack to spy on china's foreign trade policy intelligence in the 15th Five-Year Plan, attempting to find a way to alleviate it. In order to reduce dependence on the single market, expand diversified supply chains and open up secondary trade channels in the European Union, the group has recently turned its strategic focus to Africa.

2025年白宫重启关税战，政治困境同步映射到了网络空间，海莲花发起供应链攻击刺探我国十五五规划中对外贸易政策情报，企图寻找缓解之法。为了降低对单一市场的依赖，扩展多元化供应链并打通欧盟次级贸易通道，该组织近期将战略目光转向非洲。

Qi'anxin Threat Intelligence Center conducted a detailed analysis of Chrome's wild 0day CVE-2025-6554. The vulnerability was fixed by Google on June 30, 2025 and confirmed to exist in the wild. Two days later, the relevant POC was made public.

奇安信威胁情报中心对Chrome在野0day CVE-2025-6554进行了详细分析，该漏洞于2025年6月30日被Google修复并证实存在在野漏洞，之后时隔两天相关poc便公开。

Qi'anxin Threat Intelligence Center recently discovered that the Patchwork group's LNK attack samples downloaded bait documents and subsequent payloads from a remote server that imitated the domain name of a domestic university. The subsequent payload was a loader written in Rust, which used shellcode to decrypt and load a C# Trojan into memory.

奇安信威胁情报中心近期发现摩诃草组织 LNK 攻击样本从仿冒国内高校域名的远程服务器下载诱饵文档和后续载荷，后续载荷为 Rust 编写的加载器，借助 shellcode 解密并内存加载 C# 木马。

旺刺组织挖掘了某邮件平台网页版的XSS 0day漏洞，通过该漏洞触发CilckOnce，打开钓鱼邮件时自动弹出钓鱼框，提高钓鱼攻击成功率。此外其背后的情报机构除了拥有大量win平台0day外，也关注安卓平台邮箱软件的0day漏洞

APT-Q-14 discovered an XSS 0day vulnerability in the web version of a certain email platform, which triggered CilckOnce and automatically popped up a phishing box when opening a phishing email, increasing the success rate of phishing attacks. In addition, the intelligence agency behind it not only has a large number of Windows platform 0days, but also pays attention to 0day vulnerabilities in Android platform email software.