DarkHotel APT uses VPN zero-day in attacks on Chinese government agencies

Pierluigi Paganini April 06, 2020

The DarkHotel nation-state actor is exploiting a VPN zero-day to breach Chinese government agencies in Beijing and Shanghai.

Chinese security firm Qihoo 360 has uncovered a hacking campaign conducted by the DarkHotel APT group (APT-C-06) aimed at Chinese government agencies in Beijing and Shanghai. The state-sponsored hackers used a zero-day vulnerability in Sangfor SSL VPN servers to gain access to the victims' networks.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014. According to the researchers, the APT group had been around for nearly a decade at that point, targeting selected corporate executives traveling abroad.

The threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they were staying in luxury hotels. They appeared to be highly skilled professionals who exfiltrated data of interest with surgical precision and deleted any trace of their activity.

Since March, more than 200 VPN servers have been compromised by hackers, including 174 systems belonging to Chinese institutions abroad.

Experts observed Coronavirus-themed attacks launched by the group since March.

The coronavirus outbreak forced many individuals worldwide to work from home, including employees at state enterprises and institutions.

In this scenario, VPNs are widely adopted, and it is not surprising that threat actors attempted to exploit vulnerabilities in VPN servers.

“Recently, Qihoo 360 captured malicious samples issued through hijacked security services of a domestic VPN vendor SangFor. The targeted attack was initiated by Darkhotel (APT-C-06), a Peninsula APT Group, targeting Chinese institutions abroad and relevant government units. Up to now, a large number of VPN users have been attacked.” reads the analysis published by Qihoo 360. “When users of the victim agency used VPN clients, the update process triggered by default was hijacked by the hackers. The update program was replaced and embedded with a backdoor.”

Once the attackers had breached the target Sangfor VPN server by exploiting the zero-day vulnerability, they replaced the SangforUD.exe program with a backdoored version that is hard to distinguish from the legitimate one.

The SangforUD.exe executable is an update for the Sangfor VPN desktop app.

“The vulnerability exists in an update that is triggered automatically when the VPN client starts to connect to the server. The client will obtain the update from the configuration file at a fixed location on the connected VPN server, and download a program called SangforUD.exe. Due to the lack of security awareness of the developers, there are security risks in the entire update process. The client compares the version of the update program without doing any other security checks. This leaves a security flaw that the hackers can exploit to tamper with the update configuration file and replace the update program after hacking the VPN server.” continues the researchers.

According to Qihoo 360, the attacks are highly sophisticated and well concealed.
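The update flaw Qihoo 360 describes comes down to a client that trusts whatever the VPN server serves and decides purely on a version comparison. The following Go program is an added example, not Sangfor's client code and not part of Qihoo 360's analysis: it places that version-only check beside a hardened checker that requires an Ed25519 signature from a key pinned in the client, refuses rollbacks, and verifies that the downloaded program hashes to the digest named in the signed manifest. The JSON manifest layout, the function names, and the stand-in program bytes are all assumptions constructed for the demonstration; the real Sangfor configuration format is not described on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest models the update configuration file the client reads from the VPN server.
// The real Sangfor file layout is not described on the page; this structure is an assumption.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update program (SangforUD.exe)
}

// vulnerableAccept reproduces the flaw Qihoo 360 describes: the client trusts whatever
// the server serves and decides purely on a version comparison.
func vulnerableAccept(installed int, m Manifest) bool {
	return m.Version > installed
}

// hardenedAccept installs an update only when (1) the manifest carries a valid Ed25519
// signature from a key pinned in the client, (2) the version moves forward, and (3) the
// downloaded program hashes to the digest named in the signed manifest. A compromised
// server can rewrite the file and swap the binary, but cannot produce the signature.
func hardenedAccept(pub ed25519.PublicKey, installed int, manifestJSON, sig, program []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return m, errors.New("manifest signature invalid: update server may be compromised")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("refusing rollback/replay: offered %d, installed %d", m.Version, installed)
	}
	if digest(program) != m.SHA256 {
		return m, errors.New("update program digest does not match the signed manifest")
	}
	return m, nil
}

// signManifest stands in for the vendor's offline build step. The private key never
// lives on the VPN server, so owning the server does not yield a valid signature.
func signManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// DemoResult records how each checker reacts to the scenario in the article:
// the server has been taken over and now serves a backdoored update program.
type DemoResult struct {
	VulnerableAcceptsTrojan bool // version-only check installs the backdoor
	HardenedRejectsTrojan   bool // rewritten manifest with a reused signature is refused
	HardenedRejectsSwap     bool // genuine manifest but swapped binary is refused
	HardenedAcceptsGenuine  bool // the legitimate update still installs
}

func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	installed := 5
	genuine := []byte("constructed stand-in for the legitimate SangforUD.exe") // constructed sample
	trojan := []byte("constructed stand-in for a backdoored SangforUD.exe")    // constructed sample

	// The vendor publishes version 6 of the genuine program.
	mJSON, sig, err := signManifest(priv, Manifest{Version: 6, SHA256: digest(genuine)})
	if err != nil {
		return r, err
	}
	// An attacker on the server rewrites the manifest (higher version, trojan digest)
	// and can only reuse the vendor's old signature, because they lack the private key.
	tJSON, _ := json.Marshal(Manifest{Version: 7, SHA256: digest(trojan)})

	r.VulnerableAcceptsTrojan = vulnerableAccept(installed, Manifest{Version: 7, SHA256: digest(trojan)})
	_, errTrojan := hardenedAccept(pub, installed, tJSON, sig, trojan)
	r.HardenedRejectsTrojan = errTrojan != nil
	_, errSwap := hardenedAccept(pub, installed, mJSON, sig, trojan)
	r.HardenedRejectsSwap = errSwap != nil
	_, errGenuine := hardenedAccept(pub, installed, mJSON, sig, genuine)
	r.HardenedAcceptsGenuine = errGenuine == nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run with `go run .`; the printed result shows the version-only check accepting the backdoored program while the hardened check refuses both the rewritten manifest and a binary swap under a genuine manifest, yet still accepts the real update. The design point is that the trust anchor (the pinned public key) lives in the client, so compromising the server that hosts the configuration file and SangforUD.exe is no longer enough to push a trojanized update.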

The security firm reported the zero-day vulnerability to Sangfor on April 3. The vendor confirmed that Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.

Sangfor plans to release a security patch by tomorrow.

DarkHotel appears to be very active in this period; experts reported that the group used other zero-day exploits in recently disclosed attacks.

The group exploited two vulnerabilities patched earlier this year in Firefox and Internet Explorer in attacks aimed at China and Japan.

Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) published a report containing technical details on attacks exploiting both flaws and aimed at Japanese entities.

Two weeks ago, Reuters reported an attack against the World Health Organization and attributed it to the DarkHotel APT group.


Pierluigi Paganini