{
	"id": "cca0647f-3bcc-46c0-a874-9d920b08e2af",
	"created_at": "2026-04-06T00:16:52.502044Z",
	"updated_at": "2026-04-10T03:26:58.684082Z",
	"deleted_at": null,
	"sha1_hash": "8f6ef35c6ce37d397f9cc391cc5de04a5a8c9eff",
	"title": "Top Security Incidents of 2025: The Emergence of the ChainedShark APT Group - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 226677,
	"plain_text": "Top Security Incidents of 2025: The Emergence of the\r\nChainedShark APT Group - NSFOCUS, Inc., a global network and\r\ncyber security leader, protects enterprises and carriers from\r\nadvanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2026-02-13 · Archived: 2026-04-02 10:51:00 UTC\r\nIn 2025, NSFOCUS Fuying Lab disclosed a new APT group targeting China’s scientific research sector, dubbed\r\n“ChainedShark” (tracking number: Actor240820). The group has been active since May 2024, and its operations are marked\r\nby high strategic coherence and technical sophistication. Its primary targets are professionals in Chinese\r\nuniversities and research institutions specializing in international relations, marine technology, and related fields,\r\nwith the intent to steal sensitive data and intelligence in diplomacy and marine technology.\r\nChainedShark exhibits clear geopolitical motivations, focusing its attacks on experts and scholars in international\r\nrelations and marine sciences within Chinese academic and research institutions. The group demonstrates strong\r\nsocial engineering capabilities, crafting fluent, natural, and high-quality Chinese-language lures. It skillfully\r\nexploits professional scenarios—such as conference invitations and academic call-for-papers—to create deceptive\r\nattack vectors, effectively lowering targets’ guard.\r\nTechnically, ChainedShark operates at the level of a state-sponsored attack team. Its arsenal integrates N-day\r\nvulnerability exploits and highly complex custom trojans, featuring meticulously designed attack chains and\r\npayloads with strong evasion and stealth capabilities. 
This indicates a mature attack infrastructure and continuous\r\nweapon development capacity.\r\nEvent Summary\r\nChainedShark’s attack campaigns, while maintaining consistent strategic objectives, have demonstrated a clear\r\nevolutionary trajectory in both tactics and technical execution.\r\nFirst Wave (May 2024): This initial attack remains the most complex operation identified to date. The attack chain\r\ndeployed a custom-developed trojan, LinkedShell, characterized by high customization and advanced anti-forensic\r\ncapabilities. The technical intricacies of this trojan underscore the group’s robust initial weaponization\r\ncapabilities.\r\nSubsequent Attacks (August–November 2024): In later operations, the attackers adjusted their tactics. By\r\nsuccessfully exploiting the GrimResource vulnerability (publicly disclosed in June 2024), they significantly\r\nstreamlined the attack process, reflecting a strategic shift toward leveraging public vulnerabilities to enhance\r\nefficiency and cost-effectiveness.\r\nEvent Analysis\r\nMultidimensional clue correlation linked separate attack events across different timeframes, painting a\r\ncomprehensive profile of the threat actor.\r\nTarget Consistency: The same individuals were targeted in both the May and November 2024 attacks,\r\nstrongly indicating the directed and persistent nature of these operations.\r\nLure Homogeneity: Despite variations in payloads, the phishing emails used in different attacks shared\r\nstriking similarities in subject selection, phrasing, and social engineering tactics—forming a behavioral\r\n“fingerprint.”\r\nThis correlational analysis not only provides critical evidence for attribution but also reveals that ChainedShark\r\nadheres to a mature social engineering script and attack management process throughout its prolonged campaigns.\r\nSource: 
https://nsfocusglobal.com/top-security-incidents-of-2025-the-emergence-of-the-chainedshark-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://nsfocusglobal.com/top-security-incidents-of-2025-the-emergence-of-the-chainedshark-apt-group/"
	],
	"report_names": [
		"top-security-incidents-of-2025-the-emergence-of-the-chainedshark-apt-group"
	],
	"threat_actors": [
		{
			"id": "d3d9832e-1e66-42c3-a977-2e0404578605",
			"created_at": "2026-03-08T02:00:03.470716Z",
			"updated_at": "2026-04-10T02:00:03.981345Z",
			"deleted_at": null,
			"main_name": "ChainedShark",
			"aliases": [
				"Actor240820"
			],
			"source_name": "MISPGALAXY:ChainedShark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775791618,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f6ef35c6ce37d397f9cc391cc5de04a5a8c9eff.pdf",
		"text": "https://archive.orkl.eu/8f6ef35c6ce37d397f9cc391cc5de04a5a8c9eff.txt",
		"img": "https://archive.orkl.eu/8f6ef35c6ce37d397f9cc391cc5de04a5a8c9eff.jpg"
	}
}