
Chinese APTs Exploit EDR Blind Spots for Espionage

Chinese state-backed hackers are punching holes through enterprise defenses by targeting the digital blind spots companies didn’t even know they had.

While security teams obsess over workstations and servers, threat actors like UNC3886 and Volt Typhoon are busy exploiting devices without native EDR support. Firewalls, hypervisors, VPNs – the very infrastructure meant to protect organizations has become the attack surface. Enterprise routers lacking EDR protection account for 32% of network breaches in 2023, per Mandiant’s telemetry data.

These aren’t random targets. They’ve methodically selected technologies across defense, government, and critical infrastructure sectors spanning multiple continents. UNC3886 specifically targets organizations in the telecommunications sector for cyber espionage purposes. UNC3886 has been linked to over 40% of espionage campaigns targeting critical infrastructure sectors in the past year, per Mandiant research.

Strategic precision guides their victim selection: defense networks, government systems, and critical infrastructure across global territories.

The playbook? Hit what security teams can’t see.

Living off the land isn’t just an outdoor survival skill anymore. These APTs have turned Windows admin tools into weapons, blending in with legitimate traffic. No third-party malware needed when PowerShell and wmic do the dirty work just fine.

Try detecting that with your fancy threat hunting queries.

Zero-days are like skeleton keys to the digital kingdom. UNC3886 exploited critical Fortinet and VMware vulnerabilities, while Aquatic Panda leveraged Log4Shell through VMware Horizon.

No user interaction required. Nice security awareness program you’ve got there – too bad it’s completely irrelevant against these attacks.

The audacity doesn’t stop at initial access. These groups actively disable security tools using kernel-level exploits. Chinese APTs disable security tools in 73% of observed attacks, with kernel-level exploits accounting for nearly half of these incidents, per Mandiant’s 2023 threat report.

AVBurner patches memory directly, while others simply turn off Windows event logging. Can’t detect what isn’t logged, right? A recent CrowdStrike report found that 68% of advanced persistent threats (APTs) exploit blind spots in endpoint detection and response (EDR) systems.
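As an added illustration of the defender's side of this point (not code from the original article), here is a small Python check over constructed Windows event records. It flags the two events the Windows event log service writes about itself when logging is cleared or shut down, and lists hosts that have simply gone quiet, since silence is the only trace left once logging is switched off. The host names, timestamps and JSON record shape are assumptions.

```python
"""Flag event-log tampering and silent hosts in a batch of Windows event records."""
import json
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: the minimal JSON shape a log
# forwarder might emit, carrying only the fields this check needs.
SAMPLE_LINES = [
    '{"host": "fs01", "time": "2024-05-01T09:00:00", "event_id": 4624}',
    '{"host": "fs01", "time": "2024-05-01T09:05:00", "event_id": 1102}',
    '{"host": "db02", "time": "2024-05-01T09:01:00", "event_id": 4688}',
    '{"host": "db02", "time": "2024-05-01T09:02:00", "event_id": 1100}',
    '{"host": "web03", "time": "2024-05-01T08:00:00", "event_id": 4624}',
    '{"host": "app04", "time": "2024-05-01T09:09:00", "event_id": 4624}',
]

# Events the Windows event log service writes about itself: 1102 when the
# Security log is cleared, 1100 when the logging service shuts down. Either
# one outside a planned maintenance window deserves a look.
LOG_TAMPER_IDS = {1102: "audit log cleared", 1100: "event logging service shut down"}

def parse_events(lines):
    """Parse JSON lines into dicts whose 'time' field is a datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events

def find_log_tampering(events):
    """Return (host, time, description) for every event that touches logging itself."""
    return [(e["host"], e["time"], LOG_TAMPER_IDS[e["event_id"]])
            for e in events if e["event_id"] in LOG_TAMPER_IDS]

def find_silent_hosts(events, max_gap_minutes, now=None):
    """Return hosts whose newest event is older than max_gap_minutes before `now`
    (default: the newest timestamp in the batch). A host that stops reporting is
    exactly what disabled logging looks like from the SIEM side."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["time"]), e["time"])
    if not last_seen:
        return []
    now = now or max(last_seen.values())
    gap = timedelta(minutes=max_gap_minutes)
    return sorted(h for h, t in last_seen.items() if now - t > gap)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LINES)
    for host, when, what in find_log_tampering(evts):
        print(f"{when} {host}: {what}")
    print("silent hosts:", find_silent_hosts(evts, max_gap_minutes=30))
```

In production the silence check runs against a rolling window per host rather than one batch, and an expected-heartbeat table keeps decommissioned machines from paging anyone.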

Persistence is an art form with these actors. Custom backdoors like VIRTUALPITA and TABLEFLIP guarantee long-term access, while repurposed rootkits like Reptile maintain presence on compromised systems. Their attacks have been observed across multiple regions including North America, Southeast Asia, Oceania, Europe, and Africa.

They’re not visiting – they’re moving in.

The malware arsenal is equally impressive: custom tools designed for specific environments, stolen certificates for signing malicious code, and command-and-control channels routed through trusted services like GitHub.

Even when security teams finally detect something suspicious, exfiltration has typically been happening for months.

Welcome to the new normal. The blind spots in your security infrastructure aren’t just gaps – they’re open invitations.

About The Author

DesignCopy
