The Chinese hacking group StormBamboo compromised an internet service provider (ISP) to deliver malware through poisoned software updates. The group, active for over a decade, targets organizations across Asia and beyond. In this campaign it exploited update mechanisms that fetched installers over plain HTTP and never validated a digital signature on what they downloaded. By poisoning the ISP's DNS responses, the attackers answered lookups for vendors' update hostnames with attacker-controlled IP addresses, so applications such as 5KPlayer fetched and installed backdoored packages in place of legitimate updates, infecting Windows and macOS devices.
Volexity researchers uncovered the breach. They reported that StormBamboo also deployed a malicious Google Chrome extension, ReloadText, to steal browser cookies and mail data. The group has a history of abusing insecure update processes across a range of software vendors. The ISP ended the attack by taking key network components offline, which stopped the DNS poisoning. The incident underscores the ongoing risk from supply chain and adversary-in-the-middle (AITM) attacks against update mechanisms that are not adequately secured.
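The weakness described above is the update client trusting whatever host the resolver points it to. The following Go program is an added illustration, not code from Volexity, 5KPlayer or any vendor named in the article: it models a legacy client that installs the downloaded payload as-is beside a hardened client that verifies an Ed25519 signature from a pinned vendor key over a manifest (version plus SHA-256 of the payload) before installing. The manifest layout, the key handling and the sample payload strings are constructed for the example; the simulated "poisoned resolver" simply hands the client the attacker's manifest and payload, which is the net effect of the DNS attack the article describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata an update server returns to a client.
// The legacy flow ignores Signature entirely; the hardened flow requires it.
type UpdateManifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the payload the client should expect
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256)
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
)

// manifestBytes is the exact byte string the vendor signs. The delimiter keeps
// ("1.0", "ab...") from colliding with ("1.0a", "b...").
func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// signManifest runs in the vendor's release pipeline, never on the client.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return UpdateManifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

// installUnverified models the vulnerable client: whatever arrives from the
// resolved host is installed. Under DNS poisoning that is the attacker's build.
func installUnverified(_ UpdateManifest, payload []byte) []byte {
	return payload
}

// installVerified models the hardened client. The vendor public key is pinned
// in the binary, so controlling DNS (or the transport) is not enough to get a
// manifest accepted, and the payload must match the digest the vendor signed.
func installVerified(pinned ed25519.PublicKey, m UpdateManifest, payload []byte) ([]byte, error) {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return nil, ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigestMismatch
	}
	return payload, nil
}

// AITMResult records what each client variant does under the poisoned resolver.
type AITMResult struct {
	Unverified []byte // legacy client: what it installed
	ForgedErr  error  // hardened client given an attacker-signed manifest
	SwappedErr error  // hardened client given the genuine manifest, swapped payload
	Genuine    []byte // hardened client given the genuine manifest and payload
}

// simulateAITM plays out the attack with constructed sample payloads.
func simulateAITM() AITMResult {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := []byte("5kplayer-update-legit")         // constructed sample
	backdoored := []byte("5kplayer-update-backdoored") // constructed sample

	signed := signManifest(vendorPriv, "2.0.1", genuine)        // vendor release
	forged := signManifest(attackerPriv, "2.0.1", backdoored)  // attacker's key

	var r AITMResult
	r.Unverified = installUnverified(forged, backdoored)
	_, r.ForgedErr = installVerified(vendorPub, forged, backdoored)
	_, r.SwappedErr = installVerified(vendorPub, signed, backdoored)
	r.Genuine, _ = installVerified(vendorPub, signed, genuine)
	return r
}

func main() {
	r := simulateAITM()
	fmt.Printf("legacy client installed: %q\n", r.Unverified)
	fmt.Printf("hardened client, forged manifest: %v\n", r.ForgedErr)
	fmt.Printf("hardened client, swapped payload: %v\n", r.SwappedErr)
	fmt.Printf("hardened client, genuine update: %q\n", r.Genuine)
}
```

Two design choices matter here. The public key is pinned in the client rather than fetched from the update host, because the update host is exactly what the attacker controls. And the signature covers a digest of the payload rather than relying on HTTPS alone: transport encryption would have raised the bar for this campaign, but an attacker who controls DNS answers for a vendor's hostname can in principle pass a CA's domain-validation challenge, so the trust has to rest on a key the attacker cannot obtain by winning the name lookup.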