ctipilot.ch

Blackfield ransomware vs Nidec Chaun Choung Technology (Taiwan)

incident · incident:nidec-chaun-choung-blackfield-ransomware-2026

  • Coverage timeline: 1 (first 2026-07-01 → last 2026-07-01)
  • Briefs: 1 (1 distinct)
  • Sources cited: 7 (5 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-07-01 · CTI Daily Brief — 2026-07-01
     active_threats · First coverage: Blackfield claims 22 June compromise, $2M extortion demand; victim reports no confirmed leak

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 2 (29%)
  • thehackernews.com: 2 (29%)
  • acronis.com: 1 (14%)
  • nidec.com: 1 (14%)
  • welivesecurity.com: 1 (14%)

Related entities

Items in briefs about Blackfield ransomware vs Nidec Chaun Choung Technology (Taiwan) (4)

Blackfield ransomware demands $2M from Nidec's Taiwanese subsidiary after a 22 June server compromise

From CTI Daily Brief — 2026-07-01 · published 2026-07-01

Nidec Corporation's own investor-relations disclosure (2026-06-24, Tokyo Stock Exchange 6594) confirmed that its Taiwanese subsidiary Nidec Chaun Choung Technology suffered "ransomware-originated damage" to part of a subsidiary server on 2026-06-22, that the affected server and network were shut down as an emergency measure, and that the subsidiary runs an independent network isolated from the wider Nidec Group so parent operations are unaffected (Nidec Corporation, 2026-06-24). The in-window development: BleepingComputer reported on 2026-06-30 that the Blackfield ransomware crew claims the intrusion, is demanding $2 million to delete allegedly stolen data with a 15-day negotiation deadline, and is separately advertising the archive for immediate sale (BleepingComputer, 2026-06-30). Note the gap between the actor's exfiltration claim and Nidec's own statement, which as of 2026-06-24 says no personal or confidential data had been confirmed leaked — Blackfield claims data theft; Nidec has not confirmed a leak.

Why it matters to us: subsidiary/OT-adjacent segmentation is doing its job here (isolated subsidiary network limited blast radius) — a concrete counter-example worth citing when arguing for network isolation of acquired-company and regional-subsidiary estates. Attribute the extortion claim, not confirmed exfiltration.

Mustang Panda abuses Zoho WorkDrive as a dead-drop C2 channel (ZOHOMURK) against government and energy targets

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

Acronis Threat Research Unit documented two coordinated June 12–22 campaigns by China-aligned Mustang Panda (also tracked TA416 / HIVE0154 / BRONZE PRESIDENT) against Indian government bodies and hydropower-sector entities (Acronis TRU, 2026-06-29 · The Hacker News, 2026-06-29). Initial access is spear-phishing with ZIP-delivered lures (a hydropower cooperation proposal; an India–Taiwan memorandum of understanding). The toolkit introduces SHARDLOADER (DLL side-loading through a legitimate Solid PDF Creator / Citrix Receiver binary, loading shellcode from fragmented files to defeat static scanning — T1574.002), MINIRECON (a reworked Toneshell variant beaconing over wss://), and ZOHOMURK, which carries hardcoded Zoho OAuth credentials to drive an attacker-controlled WorkDrive account as a dead-drop resolver (T1102.001) — reading operator commands from an "inbox" folder and writing exfiltrated output to an "outbox", blending all C2 with legitimate workdrive.zoho.com API traffic.

Why it matters to us: Abusing a legitimate SaaS platform's API for C2 defeats egress controls that allowlist well-known cloud providers — the traffic blends with sanctioned workdrive.zoho.com calls. EU public-sector SOCs should extend CASB/DLP allowlisting to less-obvious SaaS such as Zoho WorkDrive and alert on OAuth token grants for cloud apps that are not sanctioned business tools.
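The two controls recommended above (treating a non-sanctioned SaaS API host as suspicious egress, and alerting on OAuth grants to cloud apps outside the sanctioned set) can be prototyped over proxy and identity-provider logs. The following is an added example, not code from Acronis, The Hacker News or this site: the log line format, the sanctioned host and app lists, the source IPs and the jitter threshold are all constructed placeholders, and the "inbox"/"outbox" paths are only illustrative of the polling pattern the report describes. The periodicity score (spread of the gaps between successive requests) is what separates a dead-drop poller from a person occasionally opening a shared file.

```python
"""Dead-drop style SaaS abuse: flag hosts that talk to a watchlisted
file-sharing API that is not a sanctioned business tool, score how
machine-like the request timing is, and list OAuth consent grants to
apps outside the sanctioned set. Added example over constructed logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed proxy log format: "<iso-timestamp> <src-ip> <dst-host> <method> <path>"
# All lines below are constructed sample data.
SAMPLE_PROXY_LOG = """\
2026-06-20T09:00:00 10.0.5.23 workdrive.zoho.com GET /api/v1/files/inbox
2026-06-20T09:01:10 10.0.7.40 sharepoint.example.com GET /sites/finance/report.xlsx
2026-06-20T09:05:02 10.0.5.23 workdrive.zoho.com GET /api/v1/files/inbox
2026-06-20T09:09:58 10.0.5.23 workdrive.zoho.com GET /api/v1/files/inbox
2026-06-20T09:15:01 10.0.5.23 workdrive.zoho.com GET /api/v1/files/inbox
2026-06-20T09:20:00 10.0.5.23 workdrive.zoho.com POST /api/v1/files/outbox
2026-06-20T09:24:59 10.0.5.23 workdrive.zoho.com GET /api/v1/files/inbox
2026-06-20T09:30:00 10.0.7.40 workdrive.zoho.com GET /api/v1/files/shared
"""

# workdrive.zoho.com is the host named in the reporting; a real watchlist
# would be fed from the CASB catalogue of file-sharing SaaS APIs.
SAAS_API_WATCHLIST = {"workdrive.zoho.com"}
SANCTIONED_HOSTS = {"sharepoint.example.com"}          # placeholder allowlist
SANCTIONED_OAUTH_APPS = {"Microsoft Teams", "Slack"}   # placeholder allowlist
MIN_REQUESTS = 4      # below this a periodicity score is meaningless
MAX_JITTER_CV = 0.2   # stdev/mean of inter-request gaps; lower = more machine-like


def parse_proxy_log(text):
    """Split the assumed space-separated format into typed tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, path = line.split()
        rows.append((datetime.fromisoformat(ts), src, host, method, path))
    return rows


def periodicity(timestamps):
    """Coefficient of variation of the gaps between consecutive requests,
    or None when there are too few requests to judge."""
    if len(timestamps) < MIN_REQUESTS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def saas_dead_drop_alerts(log_text):
    """One tuple (src, host, request_count, jitter_cv, looks_periodic) per
    source that reaches a watchlisted SaaS API host that is not sanctioned."""
    by_pair = defaultdict(list)
    for ts, src, host, _method, _path in parse_proxy_log(log_text):
        if host in SAAS_API_WATCHLIST and host not in SANCTIONED_HOSTS:
            by_pair[(src, host)].append(ts)
    alerts = []
    for (src, host), stamps in sorted(by_pair.items()):
        cv = periodicity(stamps)
        periodic = cv is not None and cv <= MAX_JITTER_CV
        alerts.append((src, host, len(stamps), cv, periodic))
    return alerts


# Constructed OAuth consent records in a simplified identity-provider shape.
SAMPLE_OAUTH_GRANTS = [
    {"user": "a.user@example.gov", "app": "Microsoft Teams", "scopes": ["files.read"]},
    {"user": "b.user@example.gov", "app": "Zoho WorkDrive", "scopes": ["files.all"]},
]


def unsanctioned_oauth_grants(grants):
    """Grants to any cloud app that is not an approved business tool."""
    return [g for g in grants if g["app"] not in SANCTIONED_OAUTH_APPS]


if __name__ == "__main__":
    for alert in saas_dead_drop_alerts(SAMPLE_PROXY_LOG):
        print("saas egress:", alert)
    for g in unsanctioned_oauth_grants(SAMPLE_OAUTH_GRANTS):
        print("unsanctioned OAuth grant:", g["user"], "->", g["app"])
```

On the constructed log the poller at 10.0.5.23 is reported with six requests and a jitter coefficient near zero (periodic), while the single request from 10.0.7.40 is listed as unsanctioned egress but not scored, which is the right triage split: the first is a hunt lead, the second is a CASB policy question. In production the watchlist, the sanctioned sets and the jitter threshold need tuning per estate; scheduled sync clients of legitimate tools will also look periodic, which is why the allowlist check comes first.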

Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

ESET's full research paper detailed two previously undocumented Windows variants of the SprySOCKS backdoor attributed to FishMonger (Earth Lusca / Aquatic Panda — the Winnti-contractor tracked as I-SOON), centred on a RawWNPF.sys kernel driver that hides processes (NtQuerySystemInformation hook), network connections (nsiproxy.sys IOCTL interception), files (minifilter callbacks) and persistence registry keys, and redirects crafted TCP packets to a hidden backdoor port via the Windows Filtering Platform (ESET, 2026-06-16; daily 06-17). Background: FishMonger has been publicly tracked since the 2024 I-SOON contractor-leak exposed its government-espionage-for-hire model; ESET's earlier work documented the Linux SprySOCKS lineage, and this report extends the toolkit to a Windows kernel rootkit with a possible UEFI-bootkit component (leveraging the patched BlackLotus Secure Boot bypass, CVE-2023-24932). Confirmed victims are government organisations in Honduras, Taiwan, Thailand and Pakistan; the targeting class — government and defence — keeps EU government networks in scope. Enable the vulnerable-driver blocklist, hunt for the named driver and for process/network-hiding behaviours, and verify Secure Boot is at current patch level.

FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ESET disclosed two previously undocumented Windows variants of SprySOCKS — a backdoor it attributes to FishMonger (a.k.a. Earth Lusca / Aquatic Panda / TAG-22), assessed with high confidence as operated by Chinese contractor I-SOON (ESET WeLiveSecurity, 2026-06-16). Previously known only as a Linux backdoor, the Windows builds (WIN_PLUS and WIN_DRV) were deployed in 2023–2024 against foreign-affairs, technology and telecom government bodies in Taiwan, Thailand, Pakistan and Honduras. WIN_PLUS persists as a Windows Print Processor (VSPMsg) and supports 30+ commands over TCP/UDP/WebSocket. WIN_DRV is the notable one: it loads a kernel driver (fsdiskbit.sys, signed with a certificate from the public PastDSE leaked-cert corpus) which memory-loads a second driver to deliver rootkit-class stealth — hiding processes, files, network connections and registry keys, and performing TCP traffic diversion so the backdoor receives operator commands on an arbitrary port that never appears in netstat (BleepingComputer, 2026-06-16). ESET notes limited, unconfirmed telemetry of a possible UEFI bootkit component (potentially CVE-2023-24932-class Secure Boot bypass).

Why it matters to us: Post-deployment detection is hard because the driver actively hides artefacts; the leverage is pre-deployment hygiene. Hunt scheduled-task creation (EID 4698 / Sysmon EID 1) referencing binaries under %SystemRoot%\Fonts\, Image File Execution Options hijacks of vds.exe, and kernel-driver loads (Sysmon EID 6) of drivers signed with PastDSE-derived certificates. Because TCP diversion defeats host network-tab inspection, rely on EDR kernel sensors / ETW for listening-socket enumeration. Validate that vulnerable/revoked drivers are blocked via WDAC/HVCI and the Microsoft vulnerable-driver blocklist.
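The hunting leads in this item and in the weekly-summary item above (task creation or process starts referencing %SystemRoot%\Fonts\, Image File Execution Options debugger hijacks of vds.exe, and kernel-driver loads by untrusted signers or of the named driver files) translate directly into rules over Windows event records. What follows is an added example, not ESET's, BleepingComputer's or this site's code. It assumes records already normalised from Security log event 4698 and Sysmon events 1, 6 and 13 (Sysmon 13, registry value set, is a real event ID but is not named in the brief); the driver file names fsdiskbit.sys and RawWNPF.sys are taken from the reporting, while the signer names in the untrusted and trusted sets are placeholders, since the brief does not list the PastDSE certificates and those should come from the Microsoft vulnerable-driver blocklist and vendor IoCs.

```python
"""Triage rules for the FishMonger / SprySOCKS hunting leads, run over
constructed Windows event records. Added example; field names follow the
Security 4698 and Sysmon 1/6/13 events, the rest are placeholders."""
import re

# Driver file names taken from the reporting.
KNOWN_BAD_DRIVERS = {"fsdiskbit.sys", "rawwnpf.sys"}
# Placeholder: real PastDSE-derived signer names must come from the blocklist / IoCs.
UNTRUSTED_SIGNERS = {"EXAMPLE LEAKED CERT HOLDER LTD"}
# Placeholder allowlist of signers expected to load drivers in this estate.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Matches both the environment-variable and the expanded form of the Fonts directory.
FONTS_DIR_RE = re.compile(r"(?:%systemroot%|c:\\windows)\\fonts\\", re.IGNORECASE)
IFEO_VDS_RE = re.compile(r"image file execution options\\vds\.exe\\debugger$", re.IGNORECASE)


def fonts_execution(ev):
    """Security 4698 (scheduled task created) or Sysmon 1 (process create)
    whose task command or image points into the Fonts directory."""
    key = (ev["source"], ev["eid"])
    if key == ("Security", 4698):
        target = ev.get("TaskContent", "")  # task XML, contains the <Command> element
    elif key == ("Sysmon", 1):
        target = ev.get("Image", "") + " " + ev.get("CommandLine", "")
    else:
        return False
    return bool(FONTS_DIR_RE.search(target))


def ifeo_vds_hijack(ev):
    """Sysmon 13 (registry value set) writing a Debugger value under IFEO\\vds.exe."""
    if (ev["source"], ev["eid"]) != ("Sysmon", 13):
        return False
    return bool(IFEO_VDS_RE.search(ev.get("TargetObject", "")))


def suspect_driver_load(ev):
    """Sysmon 6 (driver loaded): a named IoC driver, an untrusted signer,
    an invalid signature, or a signer outside the allowlist."""
    if (ev["source"], ev["eid"]) != ("Sysmon", 6):
        return False
    name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    signer = ev.get("Signature", "")
    if name in KNOWN_BAD_DRIVERS or signer in UNTRUSTED_SIGNERS:
        return True
    return ev.get("SignatureStatus") != "Valid" or signer not in TRUSTED_SIGNERS


RULES = {
    "fonts_dir_execution": fonts_execution,
    "ifeo_vds_hijack": ifeo_vds_hijack,
    "suspect_driver_load": suspect_driver_load,
}


def triage(events):
    """Return (rule_name, event_id) for every event matching a rule, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed sample records; paths and signer names are illustrative only.
SAMPLE_EVENTS = [
    {"id": "e1", "source": "Security", "eid": 4698,
     "TaskContent": "<Command>%SystemRoot%\\Fonts\\svchost.exe</Command>"},
    {"id": "e2", "source": "Sysmon", "eid": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"id": "e3", "source": "Sysmon", "eid": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\vds.exe\\Debugger",
     "Details": "C:\\Windows\\Fonts\\loader.exe"},
    {"id": "e4", "source": "Sysmon", "eid": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\fsdiskbit.sys",
     "Signature": "EXAMPLE LEAKED CERT HOLDER LTD", "SignatureStatus": "Valid"},
    {"id": "e5", "source": "Sysmon", "eid": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for rule_name, event_id in triage(SAMPLE_EVENTS):
        print(f"{rule_name}: event {event_id}")
```

The driver rule is deliberately the strictest of the three (anything not on the signer allowlist is reported), because the brief's point is that post-load detection is unreliable once the rootkit hides its artefacts; the allowlist will need widening for third-party hardware drivers before it is usable as a low-noise alert, and the blocklist / WDAC / HVCI controls the item recommends remain the preventive layer this rule only backstops.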