Threat Briefing — Mar 21, 2025

Weekly Threat Briefing - Mar 17 - Mar 21

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

New GitHub Action Supply Chain Attack

Bottom Line: CISA is warning of a supply chain attack involving a compromised GitHub Action that was used to steal privileged information from organizations.

Security researchers have identified a complex supply chain attack that involved compromising GitHub Actions to access victim environments. GitHub Actions is a Continuous Integration/Continuous Delivery (CI/CD) platform used to automate software development workflows. On March 11th, a GitHub Action that installs reviewdog was compromised. Threat actors added malicious code that “dumps exposed secrets to Github Actions Workflow Logs”. This issue is tracked as CVE-2025-30154 (CVSS: 8.6). Threat actors gained initial access via a compromised GitHub Personal Access Token (PAT) that was used by a bot with access to the repository; it remains unclear how the token was compromised.

Only four days later, the tj-actions GitHub Action was compromised. The malicious update added code to tj-actions that allows remote threat actors to discover secrets by reading Actions logs. This issue is tracked as CVE-2025-30066 (CVSS: 8.6). The vulnerability was patched by GitHub in version 46.0.1. The “secrets” exposed by CVE-2025-30154 and CVE-2025-30066 include valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.

According to CISA, the compromise of tj-actions was “potentially due” to the earlier reviewdog compromise. At this time, it is believed that leaked secrets were used to access accounts associated with tj-actions, and those accounts were then used to make the malicious edits that spread the theft of secrets further.

According to Wiz, the overall goal of this supply chain attack was to compromise one specific high value target. Based on a payload variant observed, as well as other supporting information, it is believed that the threat actors were attempting to compromise the cryptocurrency exchange Coinbase. Coinbase has confirmed that the attempted breach was unsuccessful.

eSentire Threat Intelligence Analysis:

Both tj-actions and reviewdog have released updated versions that mitigate this threat. Any organization that employs these GitHub Actions needs to update to the most recent versions immediately. It should be noted that some factors limit the risk of this attack: only public repositories are at risk of leaking secrets, and the impacted tokens have a 24-hour lifespan, meaning a threat actor would need to rapidly establish persistence via other means to maintain access.

Coinbase is an enticing target for financially motivated threat actors due to its involvement in cryptocurrency transactions. Both cybercriminal groups and state-sponsored APTs have targeted similar organizations in the past with the goal of stealing cryptocurrency for financial gain. In February 2025, North Korean threat actors successfully compromised Bybit, leading to the theft of $1.5bn worth of cryptocurrency.

The actors behind the GitHub Actions supply chain compromise appear to be highly sophisticated and have an in-depth understanding of GitHub Actions. No conclusive attribution has been made at this time, but according to Wiz researchers, the threat actors are fluent in English and French and operate during working hours aligned with Europe or Africa.

While the attack is believed to have had the primary goal of breaching Coinbase, it is possible that incidental compromises will be acted on at a later date. If the threat actors established persistence in other organizations, it is likely that they will attempt to monetize those footholds, as the attack on Coinbase failed. Any organization using tj-actions or reviewdog should apply the relevant updates and examine logs for unusual logins and activity.
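A check that follows from the analysis above: beyond updating the two affected actions, a workflow that references any third-party action by a mutable tag (such as v45 or v1) will run whatever that tag points to after a compromise, whereas a full commit SHA cannot be moved. The script below is an added example written for this briefing; it is not code from eSentire, GitHub, tj-actions or reviewdog. The sample workflow text and the SHA in it are constructed, and the "high-risk owner" list is an assumption that simply mirrors the two actions named in the news item.

```python
"""Audit GitHub Actions workflow files for third-party actions referenced by a
mutable tag or branch rather than an immutable commit SHA.

Added example for this briefing; not code from eSentire, GitHub, tj-actions or
reviewdog.  The workflow text and the SHA in it are constructed; the high-risk
owner list is an assumption that mirrors the two actions named above.
"""
import re
from typing import Dict, List

# Only a full 40-hex-character commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" whether or not the step starts with "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")

# Assumption: owners whose actions had compromised releases per the briefing.
HIGH_RISK_OWNERS = {"tj-actions", "reviewdog"}


def parse_uses(ref: str) -> Dict[str, str]:
    """Split 'owner/repo[/path]@ref'; local (./) and docker:// refs get an empty owner."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return {"owner": "", "repo": ref, "ref": ""}
    target, _, version = ref.partition("@")
    return {"owner": target.split("/")[0], "repo": target, "ref": version}


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Return one finding per 'uses:' line that is not pinned to a commit SHA."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        parts = parse_uses(m.group(1))
        if not parts["owner"]:
            continue  # local or container actions: no marketplace tag to hijack
        if SHA_RE.match(parts["ref"]):
            continue  # pinned: a moved or compromised tag cannot change what runs
        severity = "high" if parts["owner"] in HIGH_RISK_OWNERS else "medium"
        findings.append({
            "line": str(lineno),
            "action": parts["repo"],
            "ref": parts["ref"] or "(none)",
            "severity": severity,
            "advice": f"pin {parts['repo']} to a full commit SHA of a reviewed release",
        })
    return findings


# Constructed sample workflow (the SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@v45
      - name: Lint
        uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: [{f['severity']}] {f['action']}@{f['ref']} -> {f['advice']}")
```

Run against a repository's .github/workflows directory, the script lists every step that would silently pick up a re-tagged release; the pinned checkout step and the local action produce no finding. Pinning by SHA is the durable fix, since the updated tj-actions and reviewdog releases protect only those who also stop tracking a tag that could be moved again.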

Apache Tomcat Vulnerability Exploited

Bottom Line: Threat Actors are now confirmed to be actively exploiting the Apache Tomcat vulnerability CVE-2025-24813. As exploitation is ongoing, it is critical that organizations apply the relevant security patches immediately.

On March 10th, Apache disclosed a vulnerability impacting the Java web application server Apache Tomcat. Proof-of-Concept (PoC) exploit code was publicly released only days later, and 30 hours after the disclosure, real-world exploitation was confirmed. CVE-2025-24813 (CVSS: 9.8) is described as a path equivalence vulnerability. Exploitation may allow threat actors to add malicious content to uploaded files, cause information disclosure, and achieve Remote Code Execution (RCE). The vulnerability may be exploited without any prior access or authentication. It impacts Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0-M1 through 9.0.98.

The real-world exploitation of CVE-2025-24813 to perform RCE was first identified by Wallarm researchers, prior to the public disclosure of the PoC exploit code. Threat actors are now reportedly leveraging the PoC exploit code to gain complete access to the vulnerable Apache servers.

The attack occurs in two stages, ultimately granting the attacker full remote access. Initially, the attackers send a PUT request uploading a Base64-encoded malicious serialized session file to the server. The file is automatically written to the server’s session storage directory, storing the payload on disk. The next stage triggers deserialization of the session: the attacker sends a GET request with a JSESSIONID that references the malicious session, in response to which the server retrieves the file from disk, causing deserialization and execution of the malicious JavaScript (JS) embedded in it and granting remote access to the attacker.

eSentire Threat Intelligence Analysis:

Wallarm emphasizes that the vulnerability can be easily exploited without any form of authentication. Base64-encoded payloads make it difficult for security tools such as Web Application Firewalls (WAFs) to detect malicious PUT requests. Exploitation of CVE-2025-24813 in the wild within 30 hours of the disclosure of the PoC exploit code makes rapidly addressing the vulnerability critical. Ivan Novikov, Wallarm's CEO, has stated that exploitation is being carried out by “Chinese operators” and that the vulnerability will be added to CISA’s Known Exploited Vulnerabilities catalog in the near future.

It should be noted that successful exploitation requires specific configurations to be enabled on a vulnerable server. The eSentire Threat Intelligence team has released an advisory detailing the requirements for exploitation. The vulnerability is highly concerning, as authentication is not required for successful exploitation. The potential impact of attacks can be minimized by ensuring that writes remain disabled for the default servlet; write support is disabled by default and would need to have been specifically enabled.

GreyNoise researchers have identified exploitation attempts originating from five different IP addresses. Most of these attacks are focused on systems in the U.S., Japan, India, South Korea, and Mexico, with over 70% of the sessions targeting systems based in the U.S. It is critical that organizations apply the relevant security patches (versions 9.0.99, 10.1.35, and 11.0.3) immediately.

In response to the active exploitation attempts, the eSentire Threat Response Unit is actively tracking this topic for additional details and detection opportunities. eSentire MDR for Network has rules in place to identify exploitation attempts. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-24813.
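Two of the points above can be checked directly on a Tomcat host: whether the installed version falls inside the affected ranges, and whether the default servlet has been switched from its read-only default to accept writes. The script below is an added example written for this briefing; it is not eSentire's or Apache's code. The version ranges and fixed releases are those stated in the item. The web.xml fragment is constructed; the init-param names readonly and allowPartialPut are real DefaultServlet parameters (writes are off by default, and partial PUT is only relevant once writes are on). The other preconditions described in eSentire's advisory are not modelled here.

```python
"""Two checks drawn from the briefing's notes on CVE-2025-24813: is the Tomcat
version inside an affected range, and has the default servlet been switched to
allow writes.  Added example, not eSentire's or Apache's code.  Version ranges
and fixed releases are those stated above; the web.xml text is constructed.
'readonly' and 'allowPartialPut' are real DefaultServlet init-params (writes are
off by default); other preconditions from eSentire's advisory are not modelled.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# (branch major, branch minor, first affected, first fixed) as stated in the briefing.
AFFECTED = [(11, 0, "11.0.0-M1", "11.0.3"), (10, 1, "10.1.0-M1", "10.1.35"), (9, 0, "9.0.0-M1", "9.0.99")]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key; milestones x.y.z-Mn (or x.y.z.Mn) sort before the GA x.y.z."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(version: str) -> bool:
    """True when the version lies in one of the affected ranges listed above."""
    key = version_key(version)
    for major, minor, first, fixed in AFFECTED:
        if key[:2] == (major, minor):
            return version_key(first) <= key < version_key(fixed)
    return False


def _local(tag: str) -> str:
    """Strip the XML namespace that web.xml declares, e.g. '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Collect the init-params of the DefaultServlet entry in a conf/web.xml document."""
    params: Dict[str, str] = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (cls or "").strip() != DEFAULT_SERVLET:
            continue
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                fields = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[fields["param-name"]] = fields["param-value"]
    return params


def assess(version: str, web_xml: str) -> List[str]:
    """Return findings to act on; an empty list means nothing to report."""
    findings: List[str] = []
    if is_affected_version(version):
        findings.append(f"Tomcat {version} is in an affected range; upgrade to a fixed release")
    params = default_servlet_params(web_xml)
    if params.get("readonly", "true").lower() == "false":
        findings.append("DefaultServlet readonly=false: HTTP PUT writes are enabled (not the default)")
        if params.get("allowPartialPut", "true").lower() != "false":
            findings.append("partial PUT is enabled alongside writes")
    return findings


# Constructed conf/web.xml fragment with writes switched on; the hardened form reverts it.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    for line in assess("10.1.34", WEAK_WEB_XML) or ["no findings"]:
        print(line)
```

On a real host, feed it the version reported by the server's version script and the contents of conf/web.xml; a patched build with the default read-only servlet produces no findings, while an affected build with readonly set to false yields all three. Patching remains the fix; the configuration check is there to prioritize which unpatched hosts need attention first.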

Global Espionage Activity by the APT Group FishMonger

Bottom Line: ESET released a report detailing a global espionage operation dubbed FishMedley conducted by the Chinese APT group FishMonger. The group is believed to be operated by the Chinese contractor I-SOON, which was recently indicted by the U.S. Justice Department.

On March 20th, ESET researchers released a detailed report on a global cyberespionage campaign named FishMedley led by the APT group FishMonger. ESET linked the campaign to espionage conducted by the employees of the Chinese information security firm I-SOON. The research determined that the threat group FishMonger is being operated by I-SOON.

Eight employees of the China-based infosec organization I-SOON (Anxun Information Technology Co., Ltd), along with two freelance Chinese hackers, were recently charged by the U.S. Justice Department for their role in cyberattacks against the U.S. government and private organizations since 2011. According to a public service announcement from the FBI, I-SOON, which purported to offer information technology security consulting services, was actually engaged in cyberattacks targeting “U.S.-based critics of the Chinese government and Chinese dissidents, a U.S. news organization, a large U.S.-based religious organization, multiple governments in Asia, and U.S. federal and state government agencies”. The data stolen from these victims was subsequently sold to various bureaus within China's Ministry of State Security and Ministry of Public Security.

The FishMonger APT group (aka Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10) is believed to be operated by I-SOON and is part of the Winnti group. Throughout 2022, the group conducted Operation FishMedley targeting countries including the United States, France, Hungary, Turkey, Thailand, and Taiwan. The 10-month-long espionage campaign targeted seven organizations, including government and non-governmental entities, religious organizations, and think tanks.

The initial access vector used in the operation to breach victim networks remains unidentified. However, the threat actors were observed leveraging high-privilege credentials within the local network to deploy initial-stage payloads. With access to previously compromised domain accounts, the threat actors used Impacket to deliver malware. Impacket was also used for lateral movement to gather information on other local machines and install malware. The threat actors performed manual reconnaissance and dumped Local Security Authority Subsystem Service (LSASS) credentials using Living-off-the-Land binaries (LOLBins). Multiple backdoors, including ShadowPad, SodaMaster, Spyder, and RPipeCommander, were observed in the campaign. These backdoors were deployed on victim devices to serve multiple purposes, primarily establishing a Command-and-Control (C2) connection and delivering further malicious payloads. The threat actors used tools such as PasswordChangeNotify, fscan, nbtscan, and dbxcli for data collection and exfiltration.
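The LSASS credential dumping described above leaves a consistent trace regardless of which LOLBin performs it: some process opens a handle to lsass.exe with read access. The detection logic below is an added example written for this briefing, not eSentire's or ESET's code. The records are constructed in the shape of Sysmon Event ID 10 (ProcessAccess) entries, and the allow-list of source images is an assumption that each environment would tune to its own security tooling.

```python
"""Flag processes that open lsass.exe for reading, the primitive behind the LSASS
credential dumping the briefing attributes to FishMonger.

Added example, not eSentire's or ESET's code.  The records below are constructed
in the shape of Sysmon Event ID 10 (ProcessAccess); the allow-list of source
images is an assumption that each environment would tune to its own tooling.
"""
from typing import Dict, List

# A memory dumper needs PROCESS_VM_READ (0x0010); 0x1fffff is PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010

# Assumption: images that legitimately read LSASS memory in this environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event: Dict[str, str]) -> bool:
    """True for a ProcessAccess event that reads lsass.exe from a non-allow-listed image."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False  # a handle without read access cannot dump memory
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES


def triage(events: List[Dict[str, str]]) -> List[str]:
    """One alert line per suspicious event, in input order."""
    return [
        f"{e['UtcTime']} {e['SourceImage']} -> {e['TargetImage']} ({e['GrantedAccess']})"
        for e in events
        if is_suspicious_lsass_access(e)
    ]


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed events: AV engine (benign), a LOLBin reading LSASS, a non-LSASS target,
# and a process-creation event that the rule ignores.
SAMPLE_EVENTS = [
    {"EventID": "10", "UtcTime": "2025-03-18 09:14:02", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS},
    {"EventID": "10", "UtcTime": "2025-03-18 09:15:41", "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS},
    {"EventID": "10", "UtcTime": "2025-03-18 09:16:03", "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": "1", "UtcTime": "2025-03-18 09:16:10", "GrantedAccess": "",
     "SourceImage": r"C:\Windows\System32\cmd.exe", "TargetImage": LSASS},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the rundll32.exe record is raised: the AV engine is allow-listed, the temp-directory tool never touches LSASS, and the process-creation event is a different event type. In practice the allow-list should be built from a baseline of the environment rather than guessed, because the same signed system binaries that appear in it are exactly the LOLBins an intruder prefers, so the source path check belongs alongside parent-process and command-line context from the EDR.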

eSentire Threat Intelligence Analysis:

The connection between the FishMonger APT group behind the FishMedley espionage campaign and the Chinese infosec firm I-SOON underscores the intricate network of Chinese threat actors, private firms, and government entities working together to advance the nation’s espionage objectives. The recent indictment of employees at I-SOON may impact the operations of the FishMonger APT group, potentially disrupting their activities. Despite these setbacks, Chinese cyberespionage efforts are expected to remain resilient and continue in the future.

The FishMonger APT group has been observed using multiple tools such as ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and BIOPASS RAT in its campaigns. Similar toolsets have been heavily utilized by other Chinese APT groups such as APT 41, APT 10, and SparklingGoblin. ShadowPad, a successor to the PlugX malware that emerged in 2015, is known to be exclusively available to a select group of users, primarily Chinese APT groups. Cisco Talos reported that APT 41 targeted a Taiwanese government-affiliated research institute in 2023 by deploying ShadowPad, Cobalt Strike, and other custom malware in the victim network. The Chinese APT group SparklingGoblin, along with FishMonger, has reportedly been using ShadowPad, as per a report by SentinelOne. In 2019, APT 10 used the SodaMaster backdoor in a campaign against multiple industries, including the Japanese manufacturing industry, to steal sensitive information. Based on various reports, it is evident that Chinese APT groups are willing to rely on the same set of tools until their espionage objectives are fully achieved.

It is unlikely that Chinese espionage campaigns will cease or even diminish significantly, despite the efforts of law enforcement agencies. To safeguard sensitive data, it is crucial for organizations to implement a Defense-in-Depth security strategy, ensuring multiple layers of protection against sophisticated cyber threats.

Organizations should maintain an efficient vulnerability and patch management program to stay ahead of newly identified vulnerabilities. Vulnerabilities in internet-facing applications should be resolved promptly to reduce the risk of network intrusion. Implementing strict access management controls and Multi-Factor Authentication (MFA) for all user accounts is an effective measure against user account compromise. Organizations should implement robust Endpoint Detection and Response (EDR) solutions to detect deployment of malicious payloads in the environment.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.