
Observed reduction in Chinese APT Operations amid 2026 PLA purge

Prayukth K V
28 January 2026
Recent events in China have cast a long shadow on the activities of the state-backed actors supported by Beijing. While there is a slight dip in the activities of Chinese threat actors registered around the world, this is by no means an extended dip. Rather, this lull reflects a temporary slowdown as the Chinese Ministry of State Security recalibrates its priorities in response to sudden and unanticipated shifts in the domestic political environment.
The "empty chair" seen at the January 20, 2026, high-level study session in Beijing signaled what is being called the most significant decapitation of the People's Liberation Army (PLA) in the modern era. The official confirmation came soon after on January 24. General Zhang Youxia (the CMC Vice Chairman) and General Liu Zhenli (Chief of Staff, Joint Staff Department) were placed under arrest and are being investigated for alleged violations of discipline leaving the Chinese military apparatus in a state of unprecedented internal friction.
For the global cybersecurity community, this is not just another instance of a regionally contained geopolitical upheaval. The Joint Staff Department of the Central Military Commission (JSDCMC) is the main operational command organ for the People's Liberation Army (PLA), and in this role it holds a significant level of influence over China’s most formidable Advanced Persistent Threat (APT) groups, which report to the Ministry of State Security (MSS).
On all matters of military and diplomatic intelligence, the Joint Staff Department (JSD) under the Central Military Commission has the last word. This includes approving the quality and relevance of the intelligence and, if required, approving further analysis or activity and the resources needed to obtain more data. Liu Zhenli was in fact responsible for combat operations, interservice coordination during wars, unit movements, and intelligence. The JSD is one of the main consumers of the processed threat intelligence churned out by the APT groups.
The Central Military Commission (CMC), on the other hand, is the highest national command authority for China's armed forces. It oversees the People's Liberation Army (PLA), People's Armed Police (PAP), and Militia. It is chaired by none other than Xi Jinping and directs military strategy, modernization, personnel, equipment, and training. In a way, it ensures Communist Party leadership over the military. It is essential to understand the role of CMC in the context of what is happening in China today.
The re-organization of the Central Military Commission does have strategic implications for the activities of Chinese APT groups. That is the link we will explore in today’s blog post.
Before we move forward, don’t forget to check out our previous blog post “NIST Seeks Industry Input on Major SP 800-82 Revision for Operational Technology Security”, here.
Chaos at the command
Multiple credible sources have claimed that the arrest of Zhang and Liu has triggered a state of "passive resistance" within the military. According to unverified intelligence leaks purported to emerge from deep within the PLA, junior and mid-level officers are turning increasingly risk-averse, focusing more on political survival than on operational innovation.
Impact on cyber operations:
Operational stutter: In the last 89 hours, we have observed and noted a temporary lull in "high-initiative" spear-phishing campaigns. This could be because cyber units are waiting for new "political commissars" to vet their target lists.
The volume of inbound scans has also declined significantly. The volume of Chinese APT-affiliated signals from across cyberspace has fallen from a high of 37,500 logged on Jan 2, 2026, down to 3,781 logged at 8 PM GMT on Tuesday, January 27, 2026.
The command vacuum: With the Central Military Commission (CMC) now hollowed out, the strategic guidance for groups like Volt Typhoon and APT41 could have shifted from long-term strategic disruption to immediate regime-preservation tasks. These groups may also have been asked to reiterate their oath to abide by the directions of the Supreme Commander.
Other reasons for the lull
· The First Bureau of the MSS, responsible for domestic intelligence and operations, may have been strengthened by the induction of additional trained members from other bureaus.
· The same may be true of the Fifth Bureau, which is responsible for the analysis of intelligence.
· The MSS knows that it will attract increased attention from other intelligence agencies during this period and is therefore keen to keep its operational footprint low.
· A stand-down order from the Supreme Commander himself, to prevent these agencies from being used for operations that are not authorized by Xi.
Tactical evolution: Chinese APT groups in 2026
Despite the turmoil at the highest levels, the "hands-on-keyboard" activity of state-sponsored actors otherwise remains lethally efficient. The current threat landscape is essentially defined by three major trends:
The weaponization of edge and n-day vulnerabilities
In January 2026, researchers identified a surge in Chinese APTs exploiting CVE-2025-8088, a high-severity vulnerability in WinRAR’s handling of alternate data streams. By embedding malicious files in decoy archives, actors are successfully bypassing traditional endpoint detection.
Primary target: Government and military entities across the Indo-Pacific.
Malware: PoisonIvy and PlugX (SOGU.SEC) variants are being extensively redeployed via this method.
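Because the WinRAR issue above concerns alternate data streams (ADS), one practical defender check is to hunt for extracted files that carry streams other than the usual Zone.Identifier mark-of-the-web. The script below is an added example, not code from the original post or from any vendor; it assumes a starting directory (defaulting to the user's Downloads folder) and that the files sit on NTFS, which is the only filesystem that exposes ADS.

```powershell
# Added example: list files under $Root that carry alternate data streams
# other than the main data stream (':$DATA') and Zone.Identifier.
# $Root is an assumed default; point it at wherever archives are extracted.
param([string]$Root = "$env:USERPROFILE\Downloads")

function Find-UnexpectedStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # Get-Item -Stream * enumerates every NTFS stream on the file.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
          ForEach-Object {
            [pscustomobject]@{
              Path   = $file.FullName
              Stream = $_.Stream
              Bytes  = $_.Length
            }
          }
      }
}

# Any row returned here deserves a closer look: a document or archive member
# should not normally carry a named stream beyond the mark-of-the-web.
Find-UnexpectedStreams -Path $Root | Format-Table -AutoSize
```

Pipe the output to Export-Csv if you want to keep a baseline and diff it after the next round of archive extractions.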
The SharePoint "Typhoon" wave
Microsoft’s Threat Intelligence Center recently tracked Linen Typhoon and Violet Typhoon (also known as APT27/Emissary Panda) exploiting the SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706.
Technique: These groups are basing their attacks on "malware-free" intrusions that steal cryptographic keys (MachineKey data), allowing them to forge authentication tokens and maintain persistent access without traditional backdoors.
Statistic: Current data suggests that 81 percent of active Chinese intrusions in 2026 are now "malware-free," relying entirely on Living-off-the-Land (LOTL) binaries such as PowerShell and WMI.
A new framework
A new JScript-based C2 framework has emerged as the preferred tool for activity clusters like SHADOW-VOID-044. This framework is highly modular, serving everything from fake Chrome updates to modular backdoors such as MKDOOR.
Case Study: Volt Typhoon’s "Pre-Positioning"
While the PLA leadership is being purged, Volt Typhoon (Insidious Taurus) has actually intensified its focus on U.S. and allied critical infrastructure.
"The internal purge may actually accelerate Volt Typhoon's timelines," suggests one senior analyst. "If the PLA feels its kinetic readiness is compromised by leadership turnover, they may lean more heavily on 'digital booby traps' as a deterrent against U.S. intervention in the South China Sea."
Key observations in 2026:
Focus: Energy, Water, and Telecommunications.
Method: Continued use of compromised SOHO routers (ASUS, Cisco, Netgear) to create a "mesh" of obfuscated C2 traffic that blends into residential IP space.
Strategic outlook: What could be next?
This is a phase of immense flux in China. That goes without saying. Once things attain some level of stability, the APT groups will be back in action.

| Metric | Pre-2026 purge | Current 2026 status |
| --- | --- | --- |
| Command cohesion | High (integrated joint operations) | Low (fragmented/risk-averse) |
| Cyber aggression | Strategic/planned | Tactical/reactive/low-intensity attacks |
| Target | IP theft and infrastructure | Loyalty, regime security and deterrence |
| Detection difficulty | High (LOTL techniques) | No change as of now |
Loyalty and regime preservation are the driving factors for the MSS today. With the reorganization of the CMC, the Chinese APT groups have lost a patron for now. Once the new CMC members are inducted, these groups may be reorganized and set after some quick wins to show they are still in business. We should therefore be prepared for a period of heightened Chinese APT activity soon.