QiAnXin Threat Intelligence Center disclosed Operation Tornado, a cyber-espionage campaign run by the Ocean Lotus group. Since 2022 the group has continuously attacked domestic Xinchuang (IT innovation) platforms and government networks. It implants malicious code through decoys such as .desktop files, JAR files and epub files carrying N-day vulnerabilities, and through supply-chain attacks inside the target's internal network. Its toolset includes ELF Trojans customised for Xinchuang systems, lightweight special-purpose Trojans and passive backdoors on IoT devices, with the core aim of stealing government data and probing national policy. Tianqing V10 Xinchuang edition can now alert on spear-phishing decoys such as .desktop files; Xinchuang users are advised to upgrade to V10 and enable its protection features.
QiAnXin Threat Intelligence Center recently discovered StreamSpy, a new Trojan linked to the MahaCao group (also tracked as Patchwork). It communicates with its remote server over a combination of WebSocket and HTTP: commands are fetched and operation results returned over the WebSocket channel, while HTTP is used for operations such as file transfer. The Trojan also shares some similarities with MahaCao's Spyder. Further related samples again confirm that MahaCao and the DuNaoChong group (also tracked as Donot) share resources to some extent.
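The split C2 design described above (command channel over WebSocket, bulk transfers over plain HTTP to the same server) is something a defender can hunt for in proxy logs without knowing the sample's URLs. The following is an added example written for this summary, not code from QiAnXin or from the StreamSpy analysis; the log format and all addresses and paths are constructed, and the 256 KiB transfer threshold is an assumption to be tuned against your own baseline, since legitimate web applications also mix WebSocket sessions with large uploads and downloads.

```python
"""Hunt for hosts that hold a WebSocket session and also move large
files over plain HTTP to the same destination (pattern described for
StreamSpy). Added example with constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed proxy log (not from the article). One request per line:
# <client> <method> <url> <status> <bytes> <Upgrade-header-or-dash>
SAMPLE_LOG = """\
10.0.0.5 GET http://203.0.113.10/ws 101 0 websocket
10.0.0.5 POST http://203.0.113.10/upload 200 524288 -
10.0.0.5 GET http://203.0.113.10/dl/tool.bin 200 1048576 -
10.0.0.5 GET http://203.0.113.10/favicon.ico 200 1150 -
10.0.0.7 GET http://example.org/ 200 2048 -
10.0.0.7 GET http://chat.example.net/socket 101 0 websocket
10.0.0.9 POST http://files.example.com/api 200 900000 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


@dataclass
class Finding:
    client: str
    host: str
    ws_paths: list = field(default_factory=list)      # WebSocket endpoints
    transfer_paths: list = field(default_factory=list)  # large HTTP transfers


def hunt(log_text: str, min_transfer_bytes: int = 256 * 1024) -> list:
    """Return one Finding per (client, host) pair that shows both a
    WebSocket upgrade and at least one HTTP request moving
    >= min_transfer_bytes (assumed threshold, tune per environment)."""
    ws_paths = defaultdict(set)
    xfer_paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        client, _method, url, status, nbytes, upgrade = m.groups()
        parts = urlsplit(url)
        key = (client, parts.hostname)
        # A 101 Switching Protocols or an Upgrade: websocket header marks
        # the command channel; anything else is ordinary HTTP.
        if status == "101" or upgrade.lower() == "websocket":
            ws_paths[key].add(parts.path)
        elif int(nbytes) >= min_transfer_bytes:
            xfer_paths[key].add(parts.path)
    return [
        Finding(c, h, sorted(ws_paths[(c, h)]), sorted(xfer_paths[(c, h)]))
        for (c, h) in sorted(ws_paths)
        if (c, h) in xfer_paths
    ]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: ws={f.ws_paths} transfers={f.transfer_paths}")
```

Only the first client trips the heuristic: 10.0.0.7 has a WebSocket session but no bulk transfer, and 10.0.0.9 has a bulk transfer but no WebSocket session. Treat a hit as a triage lead, and confirm by checking which process on the endpoint owns the connections and whether the destination is a known SaaS host.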
Recently, while operating its private intelligence production pipeline, the QiAnXin Threat Intelligence Center's RedDrip team discovered a previously undisclosed special-purpose Trojan spreading on a large scale in Chinese-speaking regions, which we named SetcodeRat. The Trojan carries built-in functionality customised for Telegram, and an attacker distributing a Telegram-targeted Trojan in regions where Telegram is blocked is what caught our attention.
According to our observations, SetcodeRat's earliest activity dates to October 2025. It appears to spread mainly through SEO poisoning; we have not yet found any other delivery method. Its malicious installer first checks the victim's region and exits automatically if the machine is not in a Chinese-speaking region. In just one month the Trojan has infected several hundred computers, including some government and enterprise organisations.
In recent years, during intense confrontation with advanced APT groups in Northeast Asia, the QiAnXin Threat Intelligence Center's RedDrip team has found nearly 20 0-day vulnerabilities involving domestically developed software. The related IOCs span multiple groups and overlap between them; Operation South Star is likely forensic activity within the MSMT cooperation framework. This article mainly discloses the in-the-wild exploitation of Zipperdown.
Recently, QiAnXin's Network Security Department and Threat Intelligence Center have observed multiple cases in which R&D staff at government and enterprise customers downloaded untrusted tools or installation packages from GitHub, resulting in information-stealing or cryptocurrency-mining software being implanted on development endpoints and putting core company data at risk.