Google: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Google has added new details on a pair of exploit servers used by a sophisticated threat actor to hit users of Windows, iOS and Android devices.


Malware hunters at Google continue to call attention to a sophisticated APT group that burned through at least 11 zero-day exploits in less than a year to conduct mass spying across a range of platforms and devices.


The group, believed to be linked to operators in China, has actively used “watering hole” attacks to redirect specific targets to a pair of exploit servers delivering malware to Windows, iOS and Android devices.


The cross-platform capabilities and the willingness to spend almost a dozen zero-days in less than a year signal a well-resourced actor with the ability to source hacking tools and exploits from related teams.


In a new blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains discovered in the wild last October and warned that the latest discovery is tied to a February 2020 campaign that included the use of multiple zero-days.


According to Stone, the actor behind the February 2020 campaign went dark for a few months but returned in October with dozens of websites redirecting to an exploit server.


“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers.

In our testing, both of the exploit servers existed on all of the discovered domains,” Stone said.
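As an added example (not code from Google's post, and not the actor's tooling), the following Python check flags iframes whose target host differs from the page's own origin, which is how the injection Stone describes would appear in a fetched copy of a compromised page. The page URL, the sample HTML and the hostnames are constructed for this example.

```python
"""Flag off-origin (and hidden) iframes in a fetched HTML page.

Added example: a lightweight detector for the watering-hole pattern described
above, where a compromised site carries an iframe pointing to a third-party
exploit server. Sample pages and hostnames below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute map of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: CSS-hidden or 0/1 pixel frames are a common injection tell."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width, height = attrs.get("width"), attrs.get("height")
    return ("display:none" in style or "visibility:hidden" in style
            or width in ("0", "1") or height in ("0", "1"))


def find_offsite_iframes(page_url, html):
    """Return iframes whose resolved src host is not the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    origin_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src")
        if not src:
            continue
        # urljoin resolves relative and scheme-relative ("//host/x") sources.
        target = urljoin(page_url, src)
        host = urlparse(target).hostname
        if host and host != origin_host:
            findings.append({"src": target, "host": host, "hidden": is_hidden(attrs)})
    return findings


# Constructed sample input (hypothetical hosts; .test is a reserved TLD).
PAGE_URL = "https://news.example.org/story.html"

CLEAN_PAGE = """<html><body>
<h1>Story</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
</body></html>"""

INFECTED_PAGE = """<html><body>
<h1>Story</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="https://cdn.exploit-server.test/land" style="display: none"></iframe>
<iframe src="//second.exploit-server.test/land" width="0" height="0"></iframe>
</body></html>"""


def scan_samples():
    """Run the detector over both constructed pages."""
    return {
        "clean": find_offsite_iframes(PAGE_URL, CLEAN_PAGE),
        "infected": find_offsite_iframes(PAGE_URL, INFECTED_PAGE),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {len(hits)} off-origin iframe(s)")
        for hit in hits:
            print("  ", hit)
```

Two caveats follow directly from Stone's description. Because the injection happened only after fingerprinting on source IP and user-agent, a scanner fetching from an unexpected network or with a crawler user-agent will likely receive the clean page, so checks like this need to run on content captured from a real victim's vantage point (proxy logs, browser telemetry) rather than on a crawl from a security vendor's IP range. And a host comparison this simple will also flag legitimate third-party embeds, so in practice it is a triage filter to pair with an allowlist, not a verdict.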