Security researchers disclose series of attacks by threat actor of Chinese origin
The recent campaign targeting organizations in Russia and Hong Kong has been linked to Winnti (or APT41) by cybersecurity researchers. The attacks happened in May 2020 and used a malicious RAR archive containing shortcuts to two bait PDF documents disguised as a curriculum vitae and an IELTS certificate. The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers, which were used to fetch the final-stage malware; that stage, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called Crosswalk ("3t54dE3r.tmp").
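The lure described above (shortcut files inside an archive whose targets reach out to a remote page) is something a responder can triage without executing anything: parse the shortcut's StringData and check what it launches and whether it carries a URL. The following is an added example written for this page, not code from the researchers or from the campaign itself. It follows the Windows shell link layout published in the MS-SHLLINK specification (76-byte header, optional ID list and link info blocks, then the string sections), and every sample value, including the `example.invalid` URL and the paths, is constructed for illustration.

```python
import struct

# Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList and
# LinkInfo, then StringData sections in a fixed order (ExtraData is not needed here).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this order, each only if its flag bit is set.
STRING_SECTIONS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Script hosts a document shortcut has no business launching (defender heuristic, not from the page).
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def build_lnk(relative_path, arguments=None):
    """Build a minimal Unicode .lnk holding only StringData (constructed sample, not a real artefact)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    # Remaining header fields (attributes, timestamps, size, icon index, show command,
    # hotkey, reserved) are irrelevant for triage and left zeroed.
    header += b"\x00" * (0x4C - len(header))

    def string_data(s):
        # CountCharacters (u16) followed by the characters, UTF-16LE because IS_UNICODE is set.
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments is not None:
        body += string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict, skipping ID list and link info."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize includes itself
    fields = {}
    for key, bit in STRING_SECTIONS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_shortcut(data):
    """Flag shortcut behaviour that matches a remote-fetch lure; returns a list of findings."""
    fields = parse_lnk(data)
    findings = []
    target = fields.get("relative_path", "").lower()
    if any(target.endswith(host) for host in SCRIPT_HOSTS):
        findings.append("launches a script host: " + fields["relative_path"])
    for key in ("relative_path", "arguments"):
        value = fields.get(key, "")
        if "http://" in value.lower() or "https://" in value.lower():
            findings.append("embeds a URL in " + key + ": " + value)
    return findings


if __name__ == "__main__":
    # Constructed samples: a lure shortcut that fetches remote content, and a benign document link.
    lure = build_lnk("..\\..\\Windows\\System32\\cmd.exe", '/c start "" "https://example.invalid/cv.pdf"')
    benign = build_lnk("..\\Documents\\report.pdf")
    for name, blob in (("lure.lnk", lure), ("benign.lnk", benign)):
        print(name, triage_shortcut(blob) or ["no findings"])
```

Run on an extracted archive, the two findings on the lure (script host target, URL in arguments) are exactly the properties a shortcut pretending to be a CV should never have; the benign document link produces none. The parser deliberately stops after StringData, so shortcuts with only an ID list and no arguments yield an empty dict rather than an error.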