What is a watering hole attack?

Attackers compromise sites victims frequent—like news portals—then serve malware to specific visitors.

Who is Red Ladon APT?

China-based TA423, tied to Hainan MSS, indicted by US for cyber-espionage supporting state intel.

How does ScanBox keylogger work without malware?

JavaScript runs in-browser, hooks keystrokes, uses WebRTC/STUN to exfil data past NAT/firewalls.

Red Ladon Poisons Australian News Sites with ScanBox Keyloggers

Click that 'Sick Leave' email from Australian Morning News. Boom—your keystrokes are ScanBox's. China's Red Ladon just dusted off a 10-year-old trick for fresh espionage.

Threat Digest Apr 03, 2026 3 min read

Compromised fake Australian news site loading ScanBox JavaScript keylogger

⚡ Key Takeaways

Red Ladon uses ScanBox in watering holes mimicking Aussie news to keylog without disk malware. 𝕏
WebRTC/STUN enables NAT traversal, turning browsers into stealth C2 channels. 𝕏
Ties to China's MSS signal South China Sea cyber-escalation; expect broader use. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#APT TA423 #Red Ladon #ScanBox keylogger #watering hole attacks

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Threatpost

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Apple's Rare Lifeline to Old iPhones: Dodging DarkSword's Web Traps

Ransomware's Vicious Evolution: From Locks to Blackmail and Beyond

North Korea's Hackers Vaporize $285M from Drift in Seconds

0ktapus Phishing Snags 10,000 Credentials Across 130 Companies—Your MFA Is the Weak Link

Stay in the loop