Wednesday, May 7, 2025
Homecyber securityChinese Hackers Hijack Software Updates to Install Malware Since 2005

Chinese Hackers Hijack Software Updates to Install Malware Since 2005

Published on

SIEM as a Service

Follow Us on Google News

In order to obtain unauthorized access and control, hackers take advantage of software vulnerabilities by manipulating updates.

By corrupting the updates, hackers can disseminate malware, compromise user data, and build backdoors for future attacks.

This enables hackers to compromise a large user base at once, making the software upgrades a luring target for malicious activities.

- Advertisement - Google News

Cybersecurity researchers at ESET recently identified that Chinese hackers have been actively targeting and hacking software updates to install malware since 2005.

Chinese Hackers Hijack Software Updates

ESET found China-linked threat actor Blackwood behind a cyberattack since 2018. They use AitM attacks to deliver NSPX30 implants through software updates by targeting Chinese and Japanese entities.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Blackwood hides the C2 server location by intercepting NSPX30-generated traffic.

In 2020, a Chinese system was hit by a surge of attacks from Evasive Panda, LuoYu, and LittleBear. Security analysts found a new threat, NSPX30, traced back to 2005 amid suspicious files, and it’s been discovered via a deep investigation.                    

Timeline (Source – ESET)

Evolution starts with a 2005 backdoor, Project Wood, which was found via timestamps. Researchers validate authenticity through the metadata of the PE header, UPX version, and Rich Headers. 

Project Wood served as a codebase that led to DCM in 2008. Tencent’s 2016 report details DCM’s advanced variant, exploiting AitM capabilities

The compromises occur during legit software updates via unencrypted HTTP that affects the popular Chinese software.

Chain of execution (Source – ESET)

Cybersecurity researchers at ESET found IP addresses linked to legitimate software firms in their telemetry. Millions of connections were registered, with downloads of genuine software components. 

How NSPX30 is delivered as malicious updates is unknown. Speculation points to a network implant, possibly on vulnerable devices like routers. 

However, no DNS redirection hints at intercepting unencrypted HTTP traffic for delivering the NSPX30 implant.

Orchestrator uses Baidu’s site to download backdoor, posing as Internet Explorer on Windows 98. Custom User-Agent and Request-URI reveal orchestrator and system info. 

While the backdoor initializes the UDP socket, facing complications with firewalls and NAT. Data exfiltration via DNS queries to Microsoft[.]com takes place and cleverly hides C&C location using AitM capability.

Geographical distribution (Source – ESET)

Victims in Japan and the UK were targeted via the AitM system. Blackwood threat actors have been observed since 2005 and have been constantly evolving from Project Wood. The history of the primordial backdoor, Project Wood, hints at experienced malware developers.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...