China-linked attackers used advanced techniques to maintain persistent, stealthy access to vital assets by exploiting undetected weaknesses in enterprise infrastructure.
A recently identified espionage campaign linked to a China-based state-sponsored threat actor has targeted critical infrastructure by exploiting virtualization and networking environments.
The campaign relied on advanced, multilayered attack sequences to infiltrate assets that had previously been believed to be segmented and isolated within organizational networks.
Since early 2025, investigation teams have observed this threat actor focusing on hypervisor platforms and management consoles, as well as network appliances, to gain initial access and establish advanced persistence.
Attackers reportedly adapted swiftly to containment efforts by deploying redundant backdoors, manipulating network configurations, and replacing toolsets after remediation attempts.
Key details of the campaign include:
- Focus on exploiting the virtualization management layer, namely hypervisor platforms and their management consoles
- Extraction of service account credentials to facilitate ongoing access
- Deployment of persistent backdoors on both hypervisors and management consoles to maintain presence across reboots
- Repeated compromise of network appliances as a means to bypass network segmentation
- Use of tunneling techniques to move across ostensibly separate network segments while leveraging legitimate, approved communication paths
- Tactics designed to remain below the detection threshold of traditional endpoint protections, exploiting blind spots in typical security stacks
Technical characteristics of the campaign overlap with previous activity attributed to the known nation-state threat actor UNC3886, including:
- Use of specific malicious binaries and exploitation of vulnerabilities affecting enterprise virtualization environments
- Targeting of critical infrastructure entities across multiple geographic regions
Security experts have noted that these infrastructure-centric attacks highlight the ongoing challenge of monitoring activity that sits below the visibility of conventional endpoint controls. Organizations need to extend monitoring and detection to the hypervisor and infrastructure layer, where traditional tools often face significant limitations.
According to Yoav Mzaar, Head of Incident Response (APJ), Sygnia, the firm that identified the campaign: “… traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”