In a report published today (http://blogs.360.cn/post/APT_Darkhotel_attacks_during_coronavirus_pandemic.html), Qihoo 360 made it public that it detected an APT attack that delivers malicious files through hijacked security services of a domestic VPN provider. They have reported the vulnerability details to the service provider and received confirmation. Further reversing shows that the attack can be attributed to the Darkhotel (APT-C-06), an APT gang in the Korean Peninsula. Since March this year, more than 200 VPN servers have been compromised and many Chinese institutions abroad were under attack. In early April, the attack spread to government agencies in Beijing and Shanghai.
The monitoring and analysis also suggest that a large number of VPN servers and endpoint devices in associated functioning units have been under the control of the attackers.