Recently, Qi'anxin's Network Security Department and Threat Intelligence Center have observed multiple instances where R&D personnel from government and enterprise customers downloaded untrusted tools or installation packages from GitHub. This has led to the implantation of information-stealing or cryptocurrency mining software on development endpoints, potentially impacting core company data.
    
    
    
Peter Williams, general manager of the cyber business at L3Harris subsidiary Trenchant, was charged with secretly selling the same batch of 0days. Former iOS researcher Jay Gibson was wrongly identified as the insider and fired. The incident exposed a double failure at one of the top ten US government contractors: it was both compromised from outside by 0days and leaked from inside by an insider.
    
The Qi'anxin Threat Intelligence Center discovered attack samples associated with the Bitter (蔓灵花, APT-Q-37) group. The attackers used two methods to implant a C# backdoor capable of fetching and running arbitrary EXE files from a remote server. The first method used a VBA macro carried in an xlam file to drop a C# source file, which was then compiled and installed on the victim's machine with the .NET Framework's own csc.exe and InstallUtil.exe. The second method exploited a WinRAR path traversal vulnerability to replace the Normal.dotm file in the Office template directory of the user's profile; when the victim subsequently opened any .docx file, the macro code in the malicious Normal.dotm executed, retrieved the backdoor hosted on the remote server, and ran it.
    
    
In recent years we have observed a large number of attacks that go through the software and hardware supply chain. In the Xshell source-code contamination case, the attacker directly modified the product's source code and implanted a Trojan; in the attack on Apple's Xcode integrated development environment, the attacker instead compromised the build environment and thereby indirectly attacked every software product it produced. These cases ultimately affected hundreds of thousands, and in some instances hundreds of millions, of software users, and can cause harms such as theft of user privacy, implantation of Trojans, and theft of digital assets. The Qi'anxin Threat Intelligence Center has analyzed many supply-chain attack cases, drawn some conclusions, and offers countermeasure recommendations.
    
Between 2020 and 2021, we systematically exposed a series of espionage campaigns by the Confucius group, including Operation Tipu and Operation Angi. Years later, the group's overall tactics, techniques, and procedures (TTPs) remain highly similar to those earlier campaigns. Based on multi-source intelligence analysis, we assess that Confucius is an outsourced APT group, with attacks carried out mainly by local contractors or individuals. Such outsourced cyberattacks share several notable characteristics: low cost, relatively simple technical tradecraft, and targets that often reflect national will.
    
    
CVE-2025-29824 was first found being exploited in the wild by the Microsoft Threat Intelligence Center and was fixed on the April 2025 Patch Tuesday. On May 30, 2025, the Qi'anxin Threat Intelligence Center detected an in-the-wild exploit sample for this vulnerability uploaded to VirusTotal and conducted an in-depth analysis of both the vulnerability and the sample.
    