In 2025, NSFOCUS Fuying Lab disclosed a new APT group targeting China\u2019s scientific research sector, dubbed “ChainedShark” (tracking number: Actor240820). Been active since May 2024, the group\u2019s operations are marked by high strategic coherence and technical sophistication. Its primary targets are professionals in Chinese universities and research institutions specializing in international relations, marine technology, and related fields, with the intent to steal sensitive data and intelligence in diplomacy and marine technology.<\/p>\n\n\n\n
ChainedShark exhibits clear geopolitical motivations, focusing its attacks on experts and scholars in international relations and marine sciences within Chinese academic and research institutions. The group demonstrates strong social engineering capabilities, crafting fluent, natural, and high-quality Chinese-language lures. It skillfully exploits professional scenarios\u2014such as conference invitations and academic call-for-papers\u2014to create deceptive attack vectors, effectively lowering targets\u2019 guard.<\/p>\n\n\n\n
Technically, ChainedShark operates at the level of a state-sponsored attack team. Its arsenal integrates N-day vulnerability exploits and highly complex custom trojans, featuring meticulously designed attack chains and payloads with strong evasion and stealth capabilities. This indicates a mature attack infrastructure and continuous weapon development capacity.<\/p>\n\n\n\n
ChainedShark\u2019s attack campaigns, while maintaining consistent strategic objectives, have demonstrated a clear evolutionary trajectory in both tactics and technical execution.<\/p>\n\n\n\n
First Wave (May 2024): This initial attack remains the most complex operation identified to date. The attack chain deployed a custom-developed trojan, LinkedShell, characterized by high customization and advanced anti-forensic capabilities. The technical intricacies of this trojan underscore the group\u2019s robust initial weaponization capabilities.<\/p>\n\n\n\n
Subsequent Attacks (August\u2013November 2024): In later operations, the attackers adjusted their tactics. By successfully exploiting the GrimResource vulnerability (publicly disclosed in June 2024), they significantly streamlined the attack process, reflecting a strategic shift toward leveraging public vulnerabilities to enhance efficiency and cost-effectiveness.<\/p>\n\n\n\n
Multidimensional clue correlation linked separate attack events across different timeframes, painting a comprehensive profile of the threat actor.<\/p>\n\n\n\n
This correlational analysis not only provides critical evidence for attribution but also reveals that ChainedShark adheres to a mature social engineering script and attack management process throughout its prolonged campaigns.<\/p>\n","protected":false},"excerpt":{"rendered":"
In 2025, NSFOCUS Fuying Lab disclosed a new APT group targeting China\u2019s scientific research sector, dubbed “ChainedShark” (tracking number: Actor240820). Been active since May 2024, the group\u2019s operations are marked by high strategic coherence and technical sophistication. Its primary targets are professionals in Chinese universities and research institutions specializing in international relations, marine technology, and related […]<\/p>\n","protected":false},"author":1,"featured_media":33239,"comment_status":"open","ping_status":"open","sticky":false,"template":"post-templates\/single-layout-8.php","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[3],"tags":[93,357,741],"class_list":["post-35070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-apt","tag-cybersecurity-insights","tag-web-security"],"acf":[],"yoast_head":"\n