2025-06-24 By 红雨滴团队 | 事件追踪

The Wangci group (APT-Q-14) discovered an XSS 0-day vulnerability in the web version of a certain email platform. The vulnerability triggers ClickOnce, so that a phishing dialog pops up automatically when the phishing email is opened, increasing the success rate of the phishing attack. In addition, the intelligence agency behind the group not only holds a large number of Windows 0-days, but also pays attention to 0-day vulnerabilities in Android email clients.
APT EAST ASIA CLICKONCE

2025-06-18 By 红雨滴团队 | 事件追踪

Recently, the Qi'anxin Threat Intelligence Center discovered a batch of Kimsuky's Endoor samples. The backdoor's functionality has changed little, but it tries to disguise itself as open-source code from GitHub to evade code review. In addition, its C&C uses the uncommon port 53, which to some extent bypasses malicious-traffic detection, reflecting the flexibility of the group's attack techniques.
APT EAST ASIA KIMSUKY

2025-06-09 By 红雨滴团队 | 事件追踪

During endpoint operations, the Qi'anxin Threat Intelligence Center and the TianQing Falcon team found that a group of unknown attackers was targeting customers in the blockchain industry. The malicious archive was named "Transfer Screenshot 2025.5.31.zip" and was delivered one-to-one over the Telegram messaging app. The archive contained an LNK lure; double-clicking it pops up a screenshot of a transfer record and drops a "white-plus-black" component (a legitimately signed executable side-loading a malicious DLL), which loads DcRat into memory. The C2 presented a self-signed certificate imitating qianxin.com.
BLOCKCHAIN MALWARE

2025-06-06 By 红雨滴团队 | 事件追踪

Recently, the Qi'anxin Threat Intelligence Center discovered that the Golden Eye Dog (金眼狗) gang distributed malware disguised as installers for Todesk, Kuailian VPN (快连VPN) and "Paper Airplane" (纸飞机, the Chinese nickname for Telegram) through watering-hole websites. After running, in addition to dropping the normally signed installer, the malware covertly implants the Winos4.0 remote-control tool and, combined with "Silver Fox"-type trojans, carries out remote control and data theft; newly added techniques include a shellcode backdoor and anti-antivirus measures.
APT APT-Q-27

2025-05-27 By 红雨滴团队 | 事件追踪

Our continued tracking of the donot group found that it had used couldmailauth.com to host malware. Recently we captured another batch of samples that used this domain as their C&C server. These samples were Spyder downloaders of the Patchwork group, and one of them carried the same digital signature as a donot sample. This may be because the two groups share the same resource provider, or because they act in concert under the coordination of a higher-level organization.
APT SOUTH ASIA PATCHWORK DONOT