Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This top Microsoft Office alternative has been hijacked by Chinese hackers — and their malware is coming for your devices

A computer being guarded by cybersecurity.

Chinese hackers are hijacking legitimate software updates to deliver backdoors capable of stealing sensitive information from the target endpoints, experts have warned. 

A new report from cybersecurity researchers ESET recently observed a previously unknown threat actor which they dubbed Blackwood. 

This group, which apparently is on the Chinese government’s payroll, delivers malware through software updates for legitimate tools such as WPS Office, Tencent QQ, and Sogou Pinyin.

Potent tool

This doesn’t seem to be a classic supply chain attack, as the software itself is not compromised, and neither are the updates. Instead, the hackers intercept the traffic between the server hosting the update and the target endpoint and work in the middle. It is unknown exactly how the attackers are able to intercept the traffic. ESET believes Blackwood might be using an implant in the victims’ networks, possibly in routers and similar devices.

The malware they look to install on target endpoints is called NSPX30. The researchers describe this malware as “sophisticated”, and say its built upon a simple backdoor from 2005 called Project Wood. 

NSPX30 has grown into a capable tool, however. Today, it can log keystrokes, grab screenshots, pull system information, and exfiltrate other data from the devices. It can also steal chat logs and contact lists from different communications apps, including Telegram, and Skype. Finally, it can terminate processes by PID, create a reverse shell, move files, and uninstall itself if necessary.

Most of the victims seem to be located in China. However, there are compromised devices in Japan, and the United Kingdom, too. Blackwood’s activities can be traced back to 2020.  

Those looking to stay protected from Blackwood and similar threats should read ESET’s in-depth report on the malware and its operations, here. This report, among other things, offers a list of indicators of compromise which IT teams can use to protect their infrastructure. 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.