September 27, 2023

The German authorities said that a Chinese cyberespionage group known as APT27 has repeatedly attacked German companies over the past few months using vulnerabilities in Microsoft Exchange and Zoho SelfService.

The attacks, which have been taking place since at least March 2021, have aimed to install a version of the HyperBro malware inside corporate networks for the purpose of intelligence collection from infected hosts. In addition to stealing business secrets and intellectual property, the attackers are also trying to infiltrate the networks of customers or service providers.


APT27, also known as Emissary Panda, has used the following exploits to gain a foothold inside companies that failed to patch their internet-exposed servers:

  • CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus
  • CVE-2021-26855 – Microsoft Exchange
  • CVE-2021-26857 – Microsoft Exchange
  • CVE-2021-26858 – Microsoft Exchange
  • CVE-2021-27065 – Microsoft Exchange

All of these are exploited by other Chinese hacking groups as well. The four Exchange bugs, also known as ProxyLogon, were also used by a group known as Hafnium. The Zoho vulnerability is also the exact same one that was abused through the fall and winter.

The final payload was HyperBro, a malware strain seen in attacks as far back as 2018, typically used by APT27, and which can grant the group full control over infected systems.


Chinese hackers have often targeted large German companies, from where they are believed to have stolen intellectual property and other business information.

Past victims include software company TeamViewer, steel producer ThyssenKrupp, and pharmaceutical giant Bayer.
