Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
AI agents are turning “always‑on” access into a ghost admin problem...
Sports loses trust as fans compete with bots
US Treasury sanctions VPN provider accused of supporting ransomware op...
US CISA advisory highlights ongoing state-sponsored attacks on routers...
CloudMile and Tookitaki Sign MoU to Strengthen AI-Driven Financial Cri...
LOGIN REGISTER
CybersecAsia
  • Features
    • Featured

      S E Asia governments targeted by cyber-espionage group

      S E Asia governments targeted by cyber-espionage group

      Tuesday, June 23, 2026, 8:00 AM Asia/Singapore | Features
    • Featured

      Rethinking network and infrastructure design for resilience

      Rethinking network and infrastructure design for resilience

      Thursday, June 18, 2026, 2:17 PM Asia/Singapore | Features
    • Featured

      Bringing cybercriminals to justice in APAC

      Bringing cybercriminals to justice in APAC

      Thursday, June 11, 2026, 10:30 AM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • AWARDS 2026
  • Directory
  • E-Learning

Select Page

News

China-linked hackers exploit Windows Group Policy in cyberespionage across SEA, Japan

By CybersecAsia editors | Monday, January 12, 2026, 11:45 AM Asia/Singapore

China-linked hackers exploit Windows Group Policy in cyberespionage across SEA, Japan

Researchers uncover government-targeted operations using stealthy malware, memory loaders, and cloud-based C2 infrastructure spanning Asia and Europe since 2023.

A newly identified China-linked advanced persistent threat (APT) group has been conducting cyberespionage operations targeting government institutions across Southeast Asia and Japan, according to new threat intelligence.

Researchers have found that the group abuses Windows Group Policy, a legitimate administrative mechanism used in Active Directory environments, to deploy malware and move laterally within victim networks. The technique enables attackers to push malicious configurations across multiple machines and maintain persistence without detection.

The campaign, active since at least September 2023, came to light in 2024 when investigators discovered previously undocumented malware in the network of a South-east Asian government agency. Activity linked to the same actors resumed in late 2025, with renewed targeting focusing on regional governmental infrastructure.

Modus operandi

The intrusions rely on multiple custom-developed tools designed for data theft, command execution, and long-term reconnaissance.

  • One of the tools, written in C#/.NET, collects browser history data from commonly used browsers. This information is reportedly used to determine subsequent targets for further compromise.
  • Another utility collects metadata from victim machines — including hostnames, usernames, and operating system details — and communicates with external command-and-control (C&C) servers.
  • Additional components in the toolkit include a credential and browser data stealer, a downloader that executes encrypted payloads directly in memory, and a keylogger derived from an existing open-source project.

Analysts have also identified a reverse SOCKS5 proxy and an auxiliary tool capable of launching external applications, one of which was used to activate video recording software — likely FFmpeg — to capture audio and visual feeds.

Investigators have also documented a related malware variant deployed against an organization based in the European Union. That sample had used the Yandex Disk cloud storage platform for its command and control &C infrastructure, diverging from earlier cases that had relied on Microsoft OneDrive and Google Drive. The overlap in tooling and shared malware elements suggest possible cooperation or code sharing among multiple China-aligned threat actors.

According to the researchers from ESET who discovered the China-linked APT, the malware may be distributed “among multiple China-aligned threat groups.” The campaign reflects an evolution in regional cyberespionage activity aimed at collecting intelligence from public sector and diplomatic networks in Asia and Europe. The use of legitimate administrative functions such as Group Policy underscores the attackers’ emphasis on stealth and persistence within government networks.

Share:

PreviousLeveraging digital twins to combat rising AI-powered threats
NextAutonomous AI agent sprawl will demand governance overhauls this year

Related Posts

Hackers leverage jailbroken AI to probe OT systems in Mexican Water Breach: report

Hackers leverage jailbroken AI to probe OT systems in Mexican Water Breach: report

Friday, May 8, 2026

Law enforcement actions, constant RaaS migrations: making ransomware groups harder to track

Law enforcement actions, constant RaaS migrations: making ransomware groups harder to track

Thursday, May 19, 2022

Backing up is hard to do: cyber protection survey

Backing up is hard to do: cyber protection survey

Monday, April 6, 2020

Q2 saw a rise in exploitation of Chrome browser, Windows 10 zero day vulnerabilities

Q2 saw a rise in exploitation of Chrome browser, Windows 10 zero day vulnerabilities

Tuesday, June 15, 2021

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Critical Security Threatsand the Need for ZTNA: How evolving cyberattacks demand a Zero Trust approach

    Cyber threats have become more frequent and sophisticated, targeting organizations of all sizes across all …Download Whitepaper
  • Zero Trust Made Simple: Why it matters and how to get started

    Zero Trust Made Simple: Why it matters and how to get started

    Data breaches and cyberattacks are no longer limited to large, high-profile organizations.Download Whitepaper
  • Cloud Secure Edge: Remote access, better security

    Cloud Secure Edge: Remote access, better security

    ​SonicWall Cloud Secure Edge™ is a modern, cloud-native Security Service Edge (SSE) solution that addresses …Download Whitepaper
  • Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Closing the Gap in Email Security:How To Stop The 7 Most SinisterAI-Powered Phishing Threats

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • How a Vietnamese D2C retailer built its own secure digital infrastructure

    How a Vietnamese D2C retailer built its own secure digital infrastructure

    Would your organization build your own digital infrastructure – including AI governance and cybersecurity – …Read more
  • Cyber protection for medical clinics in Singapore

    Cyber protection for medical clinics in Singapore

    As Singapore’s healthcare sector becomes increasingly digital and interconnected, clinics are facing heightened cyber risks, …Read more
  • India’s WazirX strengthens governance and digital asset security

    India’s WazirX strengthens governance and digital asset security

    Revamping its custody infrastructure using multi‑party computation tools has improved operational resilience and institutional‑grade safeguardsRead more
  • Bangladesh LGED modernizes communication while addressing data security concerns

    Bangladesh LGED modernizes communication while addressing data security concerns

    To meet emerging data localization/privacy regulations, the government engineering agency deploys a secure, unified digital …Read more

Bottom sidebar

Other News

  • CloudMile and Tookitaki Sign MoU to Strengthen AI-Driven Financial Crime Prevention in Malaysia

    Wednesday, July 15, 2026
    KUALA LUMPUR, Malaysia, July 15, …Read More »
  • VIDA Demonstrates How Passwordless Authentication Can Break the Scam Chain

    Monday, July 13, 2026
    KUALA LUMPUR, Malaysia, July 13, …Read More »
  • Sparsa AI Launches Sovereign Enterprise AI Platform with Global Deployment at QNET

    Wednesday, July 8, 2026
    The Sparsa AI Enterprise Operating …Read More »
  • Conifers AI Opens Singapore Data Region, Bringing Local Data Residency to Asia-Pacific Security Teams

    Wednesday, July 8, 2026
    With data regions now spanning …Read More »
  • DXC Opens Flagship AI-first Customer Experience Center in Bengaluru

    Tuesday, July 7, 2026
    Strengthens DXC’s India presence with …Read More »
  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2026 CybersecAsia All Rights Reserved.