Cybersecurity News in Asia

Features
- Featured
  
  Editor's pick: Cybersecurity trends in 2026
  
  Wednesday, January 7, 2026, 10:36 AM Asia/Singapore | Cyberthreat Landscape, Features
- Featured
  
  Exploding identity fraud and deepfakes challenge manual oversight of autonomous AI
  
  Tuesday, December 30, 2025, 9:27 AM Asia/Singapore | Features, Newsletter
- Featured
  
  Amid rapid digitalization and lagging cybersecurity oversight, India buckles up
  
  Monday, December 22, 2025, 4:50 AM Asia/Singapore | Features
Opinions
Tips
Whitepapers
Awards 2025
Directory
E-Learning

Espionage group exploits virtualization infrastructure, evades conventional network defenses

By CybersecAsia editors | Monday, July 28, 2025, 3:56 PM Asia/Singapore

China-linked attackers used advanced techniques to maintain persistent, stealthy access to vital assets by exploiting undetected weaknesses in enterprise infrastructure.

A recently identified espionage campaign linked to a China-based state-sponsored threat actor has targeted critical infrastructure by exploiting virtualization and networking environments.

The campaign had relied on advanced, multilayered attack sequences to infiltrate assets that were previously believed to be segmented and isolated within organizational networks.

Since early 2025, investigation teams have observed this threat actor focusing on hypervisor platforms and management consoles, as well as network appliances, to gain initial access and establish advanced persistence.

Attackers reportedly adapted swiftly to containment efforts by deploying redundant backdoors, manipulating network configurations, and replacing toolsets after remediation attempts.

Key details of the campaign include:

Focus on exploiting virtualization management layers, hypervisor platforms and management consoles
Extraction of service account credentials to facilitate ongoing access
Deployment of persistent backdoors on both hypervisors and management consoles to maintain presence across reboots
Repeated compromise of network appliances as a means to bypass network segmentation
Use of tunneling techniques to move across ostensibly separate network segments while leveraging legitimate, approved communication paths
Tactics designed to remain below the detection threshold of traditional endpoint protections, exploiting blind spots in typical security stacks

Technical characteristics of the campaign overlap with previous activity attributed to a known nation-state threat actor UNC3886, including:

Use of specific malicious binaries and exploitation of vulnerabilities affecting enterprise virtualization environments
Targeting of critical infrastructure entities across multiple geographic regions

Security experts have noted that these infrastructure-centric attacks highlight the ongoing challenge of monitoring activity below the visibility of conventional endpoint controls. There is an observed need for organizations to address surveillance and detection at the hypervisor and infrastructure layer, where traditional tools often face significant limitations.

According to Yoav Mzaar, Head of Incident Response (APJ), Sygnia, the firm that identified the campaign: “… traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”