Fake headhunting firms linked to China target former US Federal workers.

Summary

By the CyberWire staff

At a glance.

Fake headhunting firms linked to China target former US Federal workers.
Malicious npm packages infect locally installed legitimate packages.
New ransomware gang claims credit for attack on telecom provider.

Fake headhunting firms linked to China target former US Federal workers.

Reuters reports that a secretive Chinese tech company is using several fake consulting and headhunting firms to target recently laid-off US government workers and AI researchers. It's unclear if the company is tied to the Chinese government, but Reuters notes that the activity aligns with techniques used by previous Chinese intelligence operations.

Reuters cites intelligence analysts who explained that, "[o]nce employed by the network, federal employees could then be asked to share increasingly sensitive information about government operations, or recommend additional people who might be targeted for willing or unwitting participation." One of the phony job postings, for example, seeks an HR specialist who can "utilize a deep understanding of the Washington talent pool to identify candidates with policy or consulting experience," and "leverage connections to local professional networks, think tanks, and academic institutions."

A spokesperson for the Chinese Embassy in Washington told Reuters that China was unaware of any of the entities mentioned. A White House spokesperson said in a statement, "Both active and former government employees must recognize the danger these governments pose and the importance of safeguarding government information."

Stop Identity-Based Cybercrime with SpyCloud’s Holistic Identity Threat Protection

Stolen identity data is the hot commodity for cybercriminals. With the full scope of your users’ digital footprints at risk for exposure, traditional account-centric security is no longer enough to protect your business from cyberattacks. SpyCloud helps security teams correlate and automatically remediate individuals' hidden identity exposures from breaches, malware, and phishing across their many online personas. Eliminate identity-based cyber threats and proactively defend against account takeover, fraud, and ransomware with SpyCloud.

Malicious npm packages infect locally installed legitimate packages.

Researchers at ReversingLabs discovered two malicious packages published to npm that infect legitimate local packages with a reverse shell. Once downloaded, the packages, dubbed "ethers-provider2" and "ethers-providerz," will monitor for the presence of the legitimate npm package "ethers." If ethers is installed on the machine, the malicious packages will patch it to insert a file containing a backdoor.

The researchers explain, "[T]his downloader is notable because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered. These evasive techniques were more thorough and effective than we have observed in npm-based downloaders before. Specifically, once the malicious payload, ethers-provider2, was delivered, its removal wouldn’t necessarily remove its malicious functionality. Instead, it would remain hidden in another location. And if the package ethers-provider2 was present when the ethers package was removed and installed again, it would patch it again in the same way described previously."

Many Voices. One Community.

Join Us at the RSAC 2025 Conference. Join us at RSAC, April 28 - May 1 in San Francisco and gain access to cybersecurity innovators, expert-led sessions, and hands-on workshops. Leave with new strategies, insights, and connections to elevate your cybersecurity journey.

New ransomware gang claims credit for attack on telecom provider.

A new ransomware gang dubbed "Arkana Security" has claimed responsibility for an attack against US telecommunications provider WideOpenWest, SecurityWeek reports. Arkana presents itself as a penetration testing outfit, but conducts data theft extortion like a typical ransomware group. In this case, the group claims to have stolen information belonging to approximately 2.6 million accounts, including usernames, account IDs, passwords, security information, names, emails, permissions, and Firebase integration details.

Notes.

Today's issue includes events affecting , and China the United States.

Dateline

How MTTC enhances SOC efficiency and alert triage performance. (N2K Networks) This is a sponsored story produced in collaboration with Dropzone AI. Traditional SOC metrics like MTTD and MTTR focus on specific phases of alert handling, leaving gaps in efficiency evaluation. Mean Time to Conclusion (MTTC) bridges these gaps, offering a comprehensive metric that tracks the entire alert triage process—from detection to resolution.

Why SOCs rely on OSCAR: A proven investigative framework. (N2K Networks) This is a sponsored story produced in collaboration with Dropzone AI. The OSCAR methodology—Obtain, Strategize, Collect, Analyze, Report—offers SOCs a structured and efficient approach to security investigations.

Attacks, Threats, and Vulnerabilities

Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it (0patch) While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related v...

Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers (GreyNoise) GreyNoise is bringing awareness to in-the-wild activity against several known vulnerabilities in DrayTek devices CVE-2020-8515, CVE-2021-20123, and CVE-2021-20124.

Rust for Malware Development (Bishop Fox) Bishop Fox's Nick Cerne, will compare developing malware in Rust compared to its C counterparts and develop a simple malware dropper for demonstration.

Exclusive: DOGE staffer 'Big Balls' provided tech support to cybercrime ring, records show (Reuters) The best-known member of Elon Musk's U.S. DOGE Service team of technologists once provided support to a cybercrime gang that bragged about trafficking in stolen data and cyberstalking an FBI agent, according to digital records reviewed by Reuters.

Litigation, Investigation, and Law Enforcement

Defense contractor to pay $4.6 million over third-party provider’s security weakness (The Record) A technology company based in Cambridge, Massachusetts, is the latest defense contractor to reach a settlement with the U.S. government for failing to meet federal cybersecurity requirements.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

WICYS 2025 (Dallas and Virtual, Texas, USA, Apr 2 - 5, 2025) WiCyS 2025 is the go-to event for cybersecurity professionals, students, and organizations. The conference is the flagship event to recruit, retain and advance women in cybersecurity.

40th Space Symposium (Denver and Virtual, Colorado, USA, Apr 7 - 10, 2025) Bringing together leaders from commercial, government and military space from around the world, the Space Symposium provides a forum to discuss, address and plan for future achievements in space. The Space Symposium program delivers exclusive networking and engagement opportunities with influential participants in one convenient and extraordinary venue. Space Symposium luncheons and dinners provide additional contact with influential participants.

Community Event with The Cyber Guild - Book Club (Reston, Virginia, USA, Apr 17, 2025) Join the growing Cyber Guild Community - "where everyone wants to know your name " The Cyber Guild community is a growing network of cyber enthusiasts who are invested in building a sustainable cyber ecosystem.

RSA Innovation Sandbox 2025 (San Francisco, California, USA, Apr 28, 2025) RSA Conference 2025 marks 20 years for cybersecurity’s top innovation startup competition: RSAC Innovation Sandbox contest. The contest puts the spotlight on cybersecurity’s boldest new innovators while highlighting their potentially game-changing ideas. Hundreds of submissions are reviewed and narrowed down to only 10 finalists. The Top 10 Finalists will take the stage during RSA Conference 2025 and will have three minutes to make their award-winning pitch to a panel of leading industry experts. Since the start of the contest, the Top 10 Finalists have collectively seen over 90 acquisitions and over $16.4 billion in investments.*

RSA Conference 2025 (San Francisco, California, USA, Apr 28 - May 1, 2025) At RSAC 2025, you're not just attending a conference—you're stepping into a vibrant, thriving community of thinkers, innovators, and achievers. Though we come from different corners of the cybersecurity world, we are united by a common mission: to foresee risks, counter threats, and embrace the challenges ahead. Together, we shape the future of security. Together, we shine as one.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 03.26.25

At a glance.

Fake headhunting firms linked to China target former US Federal workers.

Malicious npm packages infect locally installed legitimate packages.

New ransomware gang claims credit for attack on telecom provider.

Notes.

Dateline

Attacks, Threats, and Vulnerabilities

Litigation, Investigation, and Law Enforcement

Events