APT TA423 Watering‑Hole Injects ScanBox Keylogger into News Sites

A Chinese‑based threat group identified as APT TA423 has been running a watering‑hole campaign that compromises high‑traffic news websites frequented by professionals in targeted industries. The attackers inject the ScanBox reconnaissance framework—a lightweight keylogger and credential‑harvesting tool—into the pages of these sites. When a visitor from a targeted sector loads the compromised page, ScanBox silently records login information, browser cookies, and other authentication tokens before transmitting them to the group’s command‑and‑control servers.

The compromised credentials give the adversary a foothold for further intrusion, credential stuffing, and lateral movement within victim networks. Defenders should prioritize monitoring for unknown scripts in web traffic, enforce strict content‑security policies, and employ integrity‑checking tools on frequently visited external sites. Early detection of ScanBox payloads and rapid revocation of harvested credentials can significantly reduce the risk of deeper breaches.
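One concrete form of the integrity checking recommended above is a baseline-and-diff job for the scripts on a watched page: record every external script URL and a hash of every inline script body when the page is known good, then re-inventory it on a schedule and alert on anything that was not in the baseline. The script below is an added example written for this summary, not tooling from the article or from any vendor; the HTML samples, hostnames (`.test` domains) and baseline are constructed for the demo, and a real deployment would fetch the live page and persist the baseline to disk.

```python
"""Baseline-and-diff check for the scripts present on a watched web page.

Added example, not from the original article. It hashes every inline
<script> body and records every external script src on a page, then
compares that inventory against a stored baseline so that an unexpected
script (the kind a watering-hole injection introduces) is reported.
The HTML samples and baseline below are constructed for the demo.
"""
import hashlib
import json
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.externals = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.externals.add(src.strip())
        else:
            # Inline script: HTMLParser delivers its body through handle_data
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode("utf-8")).hexdigest())
            self._in_script = False


def inventory(html: str) -> dict:
    """Return the sorted script inventory of one HTML document."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {"externals": sorted(parser.externals),
            "inline_hashes": sorted(parser.inline_hashes)}


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Scripts present now but absent from the baseline, and vice versa."""
    return {
        "new_externals": sorted(set(current["externals"]) - set(baseline["externals"])),
        "removed_externals": sorted(set(baseline["externals"]) - set(current["externals"])),
        "new_inline": sorted(set(current["inline_hashes"]) - set(baseline["inline_hashes"])),
        "removed_inline": sorted(set(baseline["inline_hashes"]) - set(current["inline_hashes"])),
    }


def is_clean(report: dict) -> bool:
    """Only additions are alert-worthy; a removed script is a change but not an injection."""
    return not (report["new_externals"] or report["new_inline"])


# Constructed sample: the page as it looked when the baseline was recorded.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example-news.test/site.js"></script>
<script>window.siteConfig = {"section": "finance"};</script>
</head><body><p>Headline</p></body></html>"""

# Constructed sample: the same page with one extra external script tag injected.
INJECTED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://static.unknown-third-party.test/recon.js"></script></head>',
)

BASELINE = inventory(BASELINE_HTML)

if __name__ == "__main__":
    report = diff_against_baseline(BASELINE, inventory(INJECTED_HTML))
    print(json.dumps(report, indent=2))
    print("clean" if is_clean(report) else "ALERT: unexpected script(s) on watched page")
```

Because the compromised sites belong to third parties, this check runs from the defender's side against pages staff visit frequently; it complements, rather than replaces, monitoring of outbound web traffic for script requests to hosts that the page did not reference before.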
