The Qi'anxin Threat Intelligence Center discovered attack samples associated with the Bitter (蔓灵花, APT-Q-37) group. The attackers used two methods to implant a C# backdoor that can fetch and run arbitrary EXE files from a remote server. In the first method, a VBA macro carried in an .xlam file drops a C# source file, which is then compiled with csc.exe and installed with InstallUtil.exe from the .NET Framework already present on the victim's machine. In the second method, a WinRAR path traversal vulnerability is used to replace the Normal.dotm file in the user's template directory; when the victim later opens any .docx file, the malicious macro code in Normal.dotm executes, downloads the backdoor hosted on the remote server, and runs it.
Between 2020 and 2021, we systematically exposed a series of espionage campaigns by the Confucius (魔罗桫) group, including Operation Tipu (提菩行动) and Operation Angi. Years later, the group's overall tactics, techniques, and procedures (TTPs) remain highly similar to those earlier campaigns. Based on multi-source intelligence analysis, we assess that Confucius is an outsourced APT group whose operations are mostly carried out by local contractors or individuals. Outsourced cyberattacks of this kind share several notable characteristics: low cost, relatively simple techniques, and targets that frequently reflect national interests.
In-the-wild exploitation of CVE-2025-29824 was first discovered by the Microsoft Threat Intelligence Center, and the vulnerability was fixed on the April 2025 Patch Tuesday. On May 30, 2025, the Qi'anxin Threat Intelligence Center observed an in-the-wild exploit sample for this vulnerability being uploaded to VirusTotal and conducted an in-depth analysis of both the vulnerability and the sample.
In May 2024, the Qi'anxin Threat Intelligence Center disclosed UTG-Q-010, a group targeting the gaming and artificial intelligence sectors. The group subsequently launched a retaliatory spear-phishing attack against our company's public mailbox. In July 2025, through the TianQing (天擎) "Liuhe" engine and the Red Raindrop (RedDrip) team's private intelligence, we discovered the group's latest activity: supply chain attacks against financial institutions in Hong Kong, China.
Lazarus has incorporated the ClickFix technique into phishing attacks that use fake job postings as bait. At a specific point in the process, the phishing website tells the victim that their camera configuration does not meet requirements or is faulty, and offers a fix. The "repair" command appears to download an update for Nvidia-related software, but its real purpose is to implant malware.
