
China's Cyber Ninjas Strike Again: Droppers, Phishing, and Ransom, Oh My!

Author: Quiet. Please
Published: Mon 25 Aug 2025
Episode Link: https://www.spreaker.com/episode/china-s-cyber-ninjas-strike-again-droppers-phishing-and-ransom-oh-my--67509933

This is your Red Alert: China's Daily Cyber Moves podcast.

Hey listeners, Ting here, your favorite cyber sleuth with wit sharper than a zero-day exploit—reporting live on August 25, 2025, because Red Alert: China’s Daily Cyber Moves is not code for a slow news day! The dragon’s not just awake, it’s breakdancing through US networks with a fresh set of tactics, so let’s slice right into what matters.

Starting last night, digital diplomats in the US got zapped by a campaign Google’s elite Threat Intelligence gurus linked to UNC6384. No, not just another alphabet soup hacker crew—these are your People’s Republic of China cyber contractors or quite possibly a government hit squad. Patrick Whitsell at Google says they combined social engineering artistry with malware dressed as legit software updates, sneaking tools like STATICPLUGIN and, for the old-school fans, SOGU.SEC right into memory so antivirus felt like an innocent bystander. The operation: hijack Wi-Fi networks, pop open fake Adobe plug-ins, and snag sensitive documents straight from important laptops. Google’s not guessing. Last week, two dozen victims got burned—and yes, diplomats count. Who needs black ops when you have captive portals and in-memory droppers? [Google Threat Intelligence Group]

But the chess game isn’t happening on one board. The FBI and CISA sent out urgent overnight alerts after seeing an uptick in China-tied Interlock ransomware attacks. If you thought phishing was so 2022, think again: now attackers abuse Microsoft 365’s Direct Send feature so their emails look like they’re coming from inside your building—imagine getting a voicemail from your own IT department, only to have your login credentials snatched and your files locked. The trick uses internal-looking Microsoft endpoints and clever QR code PDFs. Microsoft finally pushed a new tenant control to block this stunt, but as of this morning, thousands of Exchange servers are still vulnerable, and the crooks are ramping up with AI chatbots that intensify harassment. If your org hasn’t rehearsed its incident response, you’re pretty much a sitting duck. [Black Arrow Cyber Alert]
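One defender-side check for the Direct Send pattern described above, as an added example that is not from the podcast or any of the reports it cites: it parses constructed inbound message headers and flags mail that claims one of the tenant's own domains but originates from an IP outside the organisation's authorised senders, or arrives without an SPF pass. The tenant domain, the 203.0.113.0/24 sender range and the sample headers are assumptions built for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): the tenant's accepted domains and
# the IP ranges its legitimate on-prem relays, scanners and printers send from.
TENANT_DOMAINS = {"example.com"}
AUTHORISED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def direct_send_spoof(raw: str) -> list[str]:
    """Return the reasons an inbound message looks like external mail wearing
    one of our own From addresses; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in TENANT_DOMAINS:
        return []  # not claiming to be us; out of scope for this check
    reasons = []
    # Received headers are prepended hop by hop, so the last one is the origin.
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[-1]) if received else None
    if match:
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in AUTHORISED_SENDERS):
            reasons.append(f"internal From but origin {ip} is not an authorised sender")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth:
        reasons.append("SPF did not pass for a message claiming our own domain")
    return reasons


# Constructed sample headers, not captured traffic. 198.51.100.23 stands in for
# an outside host sending straight to the tenant's MX with an internal From.
SPOOFED = """Received: from example-com.mail.protection.outlook.com ([192.0.2.7]) by internal-relay
Received: from vps.invalid ([198.51.100.23]) by example-com.mail.protection.outlook.com
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=example.com
From: IT Helpdesk <it-helpdesk@example.com>
Subject: New voicemail for you

Scan the attached QR code to listen to your voicemail.
"""

LEGIT = """Received: from printer.example.com ([203.0.113.10]) by example-com.mail.protection.outlook.com
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com
From: Scanner <scanner@example.com>
Subject: Scanned document

Attached.
"""
```

The same function can run over a mailbox export or a message-trace dump; the two sample strings only show the spoofed and the legitimate case side by side.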

Let’s put timestamps on the mayhem: August 22, Microsoft shut off proof-of-concept exploit sharing with Chinese firms after SharePoint zero-day leaks became a buffet for advanced persistent threat groups. The backlash echoes—Beijing’s own officials now finger the US for exploiting old Microsoft flaws to steal defense secrets, as reported today from Beijing’s cybersecurity mouthpiece. [Security Affairs]

Potential escalation? If UNC6384 nails more credential theft, get ready for spear-phishing campaigns, business email compromise, and possibly lateral moves into critical infrastructure. Ransomware gangs—ShinyHunters, Scattered Spider—are collaborating and hitting financial sectors, raising stakes across the board. We’re not talking isolated incidents; this week saw a Chinese developer convicted in Ohio for sabotaging his employer’s systems with custom kill-switch malware, proving the insider threat is alive and well, and not always officially state-linked.

So, what should you do? Activate Enhanced Safe Browsing across Chrome and Workspace, double-down on multi-factor authentication, push emergency patch updates—especially if you’re still holding out on last month’s SharePoint fix—and restrict suspicious traffic from unknown domains. Internally, practice your incident response. The “attack yourself first” advice from pros isn’t a joke—offensive security beats playing catch-up every single time.

That’s it from Ting—your day’s cyber rollercoaster, direct from the battlefield, all flavor, no filler. Thanks for tuning in, and don’t forget to subscribe so you never miss a breach. This has been a Quiet. Please production; for more, check out quiet please dot ai.
