A new Chinese-speaking hacker group

Jun 25 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s not sure if it’s more scared of the ever-increasing threat of cybercrime or having to watch England play again this evening 😭😭😭

Today’s hottest cybersecurity news stories:

  • 👻🐀 SugarGh0st, SpiceRAT deployed by Chinese hackers 👨🏻‍💻

  • 🐉 China has been spying via telecom operators since 2021 📅

  • 🐝 CosmicSting affects 75% of Adobe Commerce, Magneto sites 🛒

SneackyChef uses Sugar and Spice and all things rice 👻🐀🍜

🚨 SneakyChef Strikes! 🌍👨‍💻

🎯 Target: Governments & More! 🌏 A new Chinese-speaking hacker group, SneakyChef, is on the loose! They've been using their SugarGh0st malware to target government entities across Asia, Europe, the Middle East, and Africa since August 2023. Their lures? Scanned documents from government agencies, especially Ministries of Foreign Affairs. 📄

🔍 Cisco Talos & Proofpoint Insights 🕵️‍♀️🔍

Cisco Talos first detected SneakyChef in November 2023, focusing on South Korea and Uzbekistan. 🗂️ Recently, Proofpoint discovered SugarGh0st targeting U.S. organisations involved in AI, from academia to private industry. 🤖🏛️ They call this cluster UNK_SweetSpecter.

🧩 Operation Diplomatic Specter 🌐

Palo Alto Networks Unit 42 has been tracking this campaign under Operation Diplomatic Specter since late 2022. 🚨 It has hit governmental entities in the Middle East, Africa, and Asia. Talos has now seen it targeting Angola, India, Latvia, Saudi Arabia, and Turkmenistan with phishing campaigns. 🌍

📁 Crafty Attack Methods 🧑‍💻💼

SneakyChef uses Windows Shortcut (LNK) files within RAR archives to deliver SugarGh0st. 🗂️ The latest wave includes self-extracting RAR archives (SFX) that launch Visual Basic Scripts (VBS), executing the malware and showing a decoy file. 📄

🕵️‍♂️ SpiceRAT: The New Threat 🌶️🐀

In Angola, a new remote access trojan, SpiceRAT, has been spotted using lures from a Russian-language newspaper. 📰 It uses DLL side-loading techniques to propagate, displaying decoy documents while running malicious code. 🖥️

This sophisticated malware can download and run executable binaries, increasing the attack surface significantly. 💻🔒 Stay alert and protect your networks! 🚨🛡️

Goodluck China stop us 💀💀💀

🚨 Chinese Cyber Espionage Hits Telecoms! 📞👾

🎯 Long-Running Campaign 🚨 Chinese cyber espionage groups have been infiltrating telecom operators in an unnamed Asian country since at least 2021. 🔍 Symantec's Threat Hunter Team reported that these hackers planted backdoors and attempted to steal credentials from targeted networks. 🔓

🕵️‍♂️ Extended Reach 🌍

The cyber attack didn't stop at telecoms; a services company supporting the telecom sector and a university in another Asian country were also targeted. 📡🎓 Symantec believes the malicious activities might have started as early as 2020. 🕰️

🧩 Familiar Tools 🛠️

The campaign's tools match those used by known Chinese espionage groups like Mustang Panda, RedFoxtrot, and Naikon. 🐼 The backdoors—COOLCLIENT, QUICKHEAL, and RainyDay—are designed to steal sensitive data and communicate with command-and-control (C2) servers. 📡💾

🔍 Unknown Entry Points & Techniques 🕵️‍♀️

While the initial access method remains unknown, the campaign is notable for using port scanning tools and stealing credentials by dumping Windows Registry hives. 🔓🖥️

🤔 Who's Behind It? 🎭

Three possibilities emerge:

  1. Independent attacks by different groups

  2. A single threat actor using tools from other groups

  3. Collaboration among diverse actors 🤝

📞 Motives & Implications 🧐

The primary motive is unclear, but Chinese hackers often target global telecom sectors. 🌐 In November 2023, Kaspersky uncovered a ShadowPad malware campaign targeting Pakistan's national telecom company. 🕵️‍♂️ Symantec speculates the attackers might be gathering intelligence, eavesdropping, or aiming to disrupt critical infrastructure. 🔧🚦

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s got a CosmicSting in its tail 🦂🦂🦂

🚨 CosmicSting Alert: Patch Your Sites Now! 🛠️🔒

🌐 Millions of Sites at Risk! 🛒 A critical vulnerability named "CosmicSting" (CVE-2024-34102) is threatening Adobe Commerce and Magento websites. Despite a security update released nine days ago, most sites remain unpatched, exposing millions to catastrophic attacks. 🚨

🕵️‍♂️ What is CosmicSting? 👾

CosmicSting allows attackers to read private files and, when combined with a Linux iconv bug, enables remote code execution (RCE). 🖥️ This flaw, rated 9.8 on the CVSS scale, affects:

  • Adobe Commerce 2.4.7 and earlier

  • Adobe Commerce Extended Support 2.4.3-ext-7 and earlier

  • Magento Open Source 2.4.7 and earlier

  • Adobe Commerce Webhooks Plugin 1.2.0 to 1.4.0

🚨 Why You Should Worry 😱

Sansec describes CosmicSting as the worst bug in two years for Magento and Adobe Commerce stores. It poses a significant risk of XML external entity injection (XXE) and RCE, potentially making it one of the most damaging attacks in e-commerce history. 🛒💣

🛠️ Apply Fixes Immediately! 🏃‍♂️💨

To protect your site, apply the following updates ASAP:

  • Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9

  • Adobe Commerce Extended Support 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8

  • Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9

  •  Adobe Commerce Webhooks Plugin version 1.5.0

Switch to 'Report-Only' mode before upgrading to avoid breaking checkout functionality. 🛒

🛡️ Temporary Measures 🛡️

If you can't upgrade right away, follow these steps:

Check glibc Library:

Run this command to see if your Linux system is vulnerable to CVE-2024-2961:


curl -sO https://sansec.io/downloads/cve-2024-2961.c &&

gcc cve-2024-2961.c -o poc &&


Add Emergency Fix:

Add this code to 'app/bootstrap.php' to block most CosmicSting attacks:


if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) {

 header('HTTP/1.1 503 Service Temporarily Unavailable');

 header('Status: 503 Service Temporarily Unavailable');



Note: This fix is untested by Gone Phishing. Use at your own risk. ⚠️

Patch your systems now to stay safe from CosmicSting! 🚀🔒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles