Security News > 2024 > January > Blackwood hackers hijack WPS Office update to install malware

A previously unknown advanced threat actor tracked as 'Blackwood' is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
Researchers at cybersecurity company ESET discovered Blackwood and the NSPX30 implant in a campaign in 2020 and believe that the group's activities align with Chinese state interests.
Blackwood's targets are in China, Japan, and the United Kingdom and delivered the malware through the update mechanisms of legitimate software like WPS Office, the Tencent QQ instant messaging platform, and the Sogou Pinyin document editor.
A notable aspect of Blackwood's activities is the ability to deliver NSPX30 by hijacking update requests made by legitimate software, including Tencent QQ, WPS Office, and Sogou Pinyin.
This is different from a supply-chain compromise because Blackwood intercepts unencrypted HTTP communication between the victim's system and the update server and intervenes to deliver the implant instead. The exact mechanism that enables Blackwood to intercept that traffic in the first place is unknown.
Based on their analysis, the researchers believe that the original backdoor at the root of the evolution of the NSPX30 custom implant seems to have been developed by skilled malware developers.
News URL
Related news
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert! (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages (source)
- Fake Microsoft Office add-in tools push malware via SourceForge (source)
- Microsoft releases emergency update to fix Office 2016 crashes (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)