{
	"id": "14074837-7826-4644-b77c-1f990119d86e",
	"created_at": "2026-04-06T00:09:32.38364Z",
	"updated_at": "2026-04-10T03:32:20.919842Z",
	"deleted_at": null,
	"sha1_hash": "309aeecd7e1a3c0184372dbefcd610bc0bb5fa2e",
	"title": "Chinese APT Uses VPN Bug to Exploit Worldwide OT Orgs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2328617,
	"plain_text": "Chinese APT Uses VPN Bug to Exploit Worldwide OT Orgs\r\nBy Nate Nelson\r\nPublished: 2025-02-27 · Archived: 2026-04-05 20:23:40 UTC\r\nChinese cybercriminals have penetrated sensitive manufacturing companies worldwide through a virtual private network (VPN) bug.\r\nIn an exclusive interview with Dark Reading at CPX 2025, Check Point researchers provided new information about a monthslong espionage campaign aimed at prized intellectual property (IP). In short: Through a months-old path traversal vulnerability in Check Point's security gateways, attackers attributed with low confidence to APT41 (aka Winnti) managed to gain initial access into dozens of operational technology (OT) organizations globally.\r\nIn fact, Check Point has only tracked compromises of its own customers. For that reason, the researchers say, it's entirely possible that plenty more organizations have been touched by the same campaign.\r\nChinese Attackers Exploit a Gateway CVE\r\nThe activity occurred in waves: beginning shortly after that vulnerability was disclosed and patched in May 2024, peaking in November, and continuing until last month. All of these organizations were compromised through CVE-2024-24919, a vulnerability in Check Point security gateways exposed to the open Internet and configured to enable remote access.\r\nhttps://www.darkreading.com/ics-ot-security/chinese-apt-vpn-bug-worldwide-ot-orgs\r\nPage 1 of 3\r\nThe issue resulted from a minor oversight in how the appliances validated file paths. With specially crafted requests, even unauthenticated attackers could access directories and files they otherwise shouldn't. These files might contain password hashes, for example, which, once cracked, could be used to obtain superuser privileges, and thereby full control over a device. This risk earned CVE-2024-24919 a \"high\" score of 8.6 out of 10 in the Common Vulnerability Scoring System (CVSS).\r\nThe threat actor took advantage of the access afforded by the bug to perform lateral movement in targeted networks, gaining higher privileges and access to more systems along the way, including domain controllers. Finally, they'd install remote access points in the form of the modular ShadowPad backdoor. Check Point's researchers believe that their goal was to steal valuable IP.\r\nThe researchers have not observed any cases in which attackers caused disruption to their victims. For this reason, they track this activity as a separate cluster from what Orange Cyberdefense disclosed on Feb. 18, where a group it tracks as \"Green Nailao\" used CVE-2024-24919 to infect European organizations with ShadowPad, PlugX, and the previously undocumented \"NailoLocker.\"\r\nGlobal OT Orgs Targeted\r\nIn all, Check Point identified two or three dozen victim organizations spanning broad geographic regions. Many are based in the US and Latin America — around 20% of all targets come from Mexico alone — but Europe, the Middle East, and Africa have also been touched.\r\nThough they didn't limit themselves to one part of the world, the attackers were largely focused on specific, highly valuable OT industries. For example, a number of targets were significant supply chain manufacturers to aviation and aerospace companies. Around half of all victims tracked were manufacturers of one kind or another.\r\nA lesser share of victims came from unrelated industries in more obscure locations — utilities from various small countries and finance companies in Africa, for example. Lotem Finkelsteen, Check Point director of threat intelligence, argues that \"we tend to believe that attackers are surgical — that they know exactly what to do, with flawless operation — but sometimes there are, let's say, collateral targets that were not part of the strategy. And once they have that access, why not just gain access anyway and utilize it later?\"\r\nAnd Check Point research group manager Eli Smadja emphasizes that \"you never know what an attacker is thinking. A seemingly not-so-meaningful company could be a door into another company. They can use a finance company to get access to their real target.\"\r\nSmall OT Orgs Under Fire\r\nJust as noteworthy as the industries these hackers targeted are the sizes of the companies they infected.\r\n\"We tend to believe manufacturers are very big, but no, most of them are very small organizations,\" Finkelsteen points out. Plenty of manufacturers operate just one factory, or something more akin to a workshop, but they can be just as valuable as their larger counterparts. \"We've seen it in other operations from Chinese actors over the last few years — that many targets have been small businesses,\" he says.\r\nSmall OT organizations make good targets for the same reasons any other businesses do. \"They usually don't have cybersecurity personnel,\" explains Sergey Shykevich, threat intelligence group manager at Check Point. \"It's one IT person at most, doing security, IT, and all kinds of other stuff.\" Sometimes, even, the contact person threat researchers have to reach out to when something goes wrong is the business owner.\r\nAs a result, Finkelsteen says, \"they usually don't patch quickly, or they're not even aware of the security measures needed to support their gateway, router, or whatever it may be. Small businesses need to be aware that if they buy something, it's being continuously supported, so they're not vulnerable to the very powerful groups that are after them.\"\r\nHe laments that \"very advanced threat actors with very advanced tools, targeting small businesses, is not a fair game.\"\r\nAbout the Author\r\nContributing Writer\r\nNate Nelson is a journalist and scriptwriter. He writes for \"Darknet Diaries\" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast \"Malicious Life.\" Before joining Dark Reading, he was a reporter at Threatpost.\r\nSource: https://www.darkreading.com/ics-ot-security/chinese-apt-vpn-bug-worldwide-ot-orgs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/ics-ot-security/chinese-apt-vpn-bug-worldwide-ot-orgs"
	],
	"report_names": [
		"chinese-apt-vpn-bug-worldwide-ot-orgs"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/309aeecd7e1a3c0184372dbefcd610bc0bb5fa2e.pdf",
		"text": "https://archive.orkl.eu/309aeecd7e1a3c0184372dbefcd610bc0bb5fa2e.txt",
		"img": "https://archive.orkl.eu/309aeecd7e1a3c0184372dbefcd610bc0bb5fa2e.jpg"
	}
}