Security researchers have uncovered a sophisticated Chinese cyber-espionage campaign, dubbed PoisonedSeed, that successfully bypasses FIDO2 hardware authentication using a stealthy malware framework and man-in-the-middle (MitM) techniques.
This marks the first known public case of a successful attack targeting FIDO2 USB security keys, long considered one of the most secure authentication methods available.
Who’s Behind It?
The campaign is believed to be the work of a Chinese nation-state threat actor, with activity observed targeting:
- Journalists
- Dissidents
- Think tanks
- Government-related organizations in Southeast Asia and Europe
The attackers used highly targeted phishing and malware implants to compromise endpoints and steal credentials even when FIDO-based 2FA was in place.
How Was FIDO Bypassed?
Researchers at [Insert Attribution if Available] discovered that attackers deployed a malware chain designed to intercept authentication requests and manipulate browser or application behavior in real time.
Key aspects:
- FIDO2 tokens were not broken cryptographically, but instead:
  - Malware positioned itself between the user and the authentication interface, performing MitM-style manipulation of the session.
  - Credential session hijacking was used post-authentication to gain access.
This technique highlights that even strong hardware security is ineffective if the endpoint is already compromised.
The PoisonedSeed Malware Framework
The malware used in the campaign is modular and stealthy:
- Signed drivers and rootkit-level access
- Persistence via UEFI or low-level boot mechanisms
- Injection into authentication workflows (browser plugins, desktop apps)
- Custom payloads that adapt based on target profile
According to analysis, it includes:
- Credential harvesting
- Network monitoring
- Session token theft
- C2 communications disguised as legitimate traffic
Mitigation and Defensive Recommendations
To defend against advanced threats like PoisonedSeed:
- Treat endpoint security as critical – FIDO keys do not protect against malware on a compromised system.
- Monitor for anomalous logins and token reuse.
- Use trusted boot, EDR/XDR tools, and behavioral monitoring.
- Educate users against highly targeted phishing.
- Implement out-of-band authentication if possible for high-risk operations.
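The "monitor for anomalous logins and token reuse" recommendation, and the session-token-theft behaviour described earlier, can be turned into a concrete check. The following is an added example (not code from the original article or from any cited researcher) that runs over constructed login-audit lines: it ties each session token back to the FIDO login that minted it and flags uses from a different IP or user agent, or uses with no FIDO login observed at all. The log field layout and the event names `fido_login` / `session_use` are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    kind: str  # assumed event names: "fido_login" or "session_use"

# Constructed sample log (space-separated fields), not real telemetry.
SAMPLE_LOG = """\
2025-07-20T09:00:00Z alice sess-1 203.0.113.10 Firefox/128 fido_login
2025-07-20T09:01:30Z alice sess-1 203.0.113.10 Firefox/128 session_use
2025-07-20T09:03:00Z alice sess-1 198.51.100.7 curl/8.0 session_use
2025-07-20T10:00:00Z bob sess-2 203.0.113.11 Chrome/126 fido_login
2025-07-20T10:05:00Z bob sess-2 203.0.113.11 Chrome/126 session_use
2025-07-20T11:00:00Z carol sess-9 192.0.2.5 Chrome/126 session_use
"""

def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        ts, user, sid, ip, ua, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, sid, ip, ua, kind))
    return events

def find_session_anomalies(events: list[Event]) -> list[dict]:
    """Flag session tokens used from a different IP/user agent than the
    FIDO login that minted them, or used with no FIDO login seen at all
    (a replayed stolen token never goes through the key at all)."""
    origin: dict[str, Event] = {}  # session_id -> minting login event
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "fido_login":
            origin[e.session_id] = e
        elif e.kind == "session_use":
            login = origin.get(e.session_id)
            if login is None:
                alerts.append({"user": e.user, "session_id": e.session_id,
                               "src_ip": e.src_ip, "reason": "no_fido_login_seen"})
            elif e.src_ip != login.src_ip or e.user_agent != login.user_agent:
                alerts.append({"user": e.user, "session_id": e.session_id,
                               "src_ip": e.src_ip, "reason": "device_mismatch",
                               "seconds_after_login": (e.ts - login.ts).total_seconds()})
    return alerts
```

Running `find_session_anomalies(parse_log(SAMPLE_LOG))` yields two alerts: alice's token reused from a second address three minutes after her key-backed login, and carol's token used with no FIDO login on record.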
Takeaway
This campaign is a stark reminder that hardware-backed security like FIDO2 is only part of the equation. When attackers own the endpoint, they can undermine even the strongest authentication systems.
🔐 “PoisonedSeed” proves that attackers are adapting faster than ever – and endpoint integrity is the new battlefield.
Source: https://thehackernews.com/2025/07/poisonseed-hackers-bypass-fido-keys.html