Researchers reveal espionage tactics of Chinese APT groups in Southeast Asia

By Admin, December 11, 2024
Espionage Tactics of Chinese Hackers
December 11, 2024Ravi LakshmananCyber ​​espionage / Cyber ​​attack

A suspected Chinese threat actor has been linked to a series of cyberattacks targeting prominent organizations in Southeast Asia since at least October 2023.

The espionage campaign targeted organizations in a variety of sectors, including government ministries in two different countries, an air traffic control organization, a telecommunications company and a media outlet, the Symantec Threat Hunter Team said in a new report shared with The Hacker News.

The attacks, which used tools previously identified as linked to Chinese advanced persistent threat (APT) groups, are characterized by the use of both open-source tooling and living-off-the-land (LotL) techniques.

This includes the use of reverse proxies such as Rakshasa and Stowaway, as well as asset discovery and identification tools, keyloggers, and password stealers. PlugX (aka Korplug), a remote access Trojan used by several Chinese hacking groups, was also deployed during the attacks.

“Threat actors also install customized DLLs that act as authentication mechanism filters, allowing them to intercept login credentials,” Symantec wrote. The Broadcom-owned company told The Hacker News that it could not determine the original infection vector in any of the attacks.

In one attack on an organization, which spanned three months from June to August 2024, the adversary conducted reconnaissance and password resets, installed a keylogger, and executed DLL payloads capable of capturing user login information.

Symantec noted that the attackers were able to maintain covert access to compromised networks for extended periods of time, allowing them to harvest passwords and map networks of interest. The collected information was compressed into password-protected archives using WinRAR and then uploaded to cloud storage services such as File.io.
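Two of the behaviours described above (a DLL registered as an authentication filter to intercept credentials, and password-protected WinRAR archives followed by an upload to File.io) are the kind of thing a detection engineer would want to hunt for. The following is an added example, not code from the article or from Symantec: it runs simple detection logic over constructed Sysmon-style events; the hostnames, paths, timestamps and the assumed baseline of legitimate LSA notification packages are all sample values.

```python
"""Added example: hunting for two behaviours from the Symantec report over
constructed log events. All hosts, paths and timestamps are sample data."""
from datetime import datetime, timedelta

# Windows loads password-filter / notification DLLs listed under this key; the
# names below are the assumed baseline for the environment being checked.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"
KNOWN_LSA_PACKAGES = {"scecli", "rassfm"}
UPLOAD_DOMAINS = {"file.io"}

# Constructed sample events: (timestamp, host, event_type, detail)
EVENTS = [
    ("2024-06-14T09:01:00", "HQ-DC1", "registry_set",
     (LSA_KEY, "scecli\0rassfm\0winlogutil\0")),      # one extra DLL appended
    ("2024-06-14T09:05:00", "HQ-FS2", "process_create",
     r'"C:\Program Files\WinRAR\rar.exe" a -hpSecret1 C:\Temp\d.rar C:\Users'),
    ("2024-06-14T09:07:30", "HQ-FS2", "network_connect", "file.io"),
    ("2024-06-14T10:00:00", "HQ-FS3", "process_create",   # benign, no password
     r'"C:\Program Files\WinRAR\rar.exe" a C:\Backup\monthly.rar D:\Share'),
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def unexpected_lsa_packages(events):
    """Flag writes to the LSA notification list that add DLLs outside the baseline."""
    hits = []
    for _ts, host, kind, detail in events:
        if kind != "registry_set" or detail[0] != LSA_KEY:
            continue
        names = {n for n in detail[1].split("\0") if n}   # REG_MULTI_SZ entries
        extra = names - KNOWN_LSA_PACKAGES
        if extra:
            hits.append((host, sorted(extra)))
    return hits

def staged_exfil(events, window=timedelta(minutes=10)):
    """Password-protected RAR creation (-p / -hp) followed, on the same host and
    within the window, by a connection to a file-sharing domain."""
    archives = [(parse_ts(ts), host) for ts, host, kind, d in events
                if kind == "process_create" and "rar.exe" in d.lower()
                and any(tok.startswith(("-hp", "-p")) for tok in d.split())]
    hits = []
    for ts, host, kind, d in events:
        if kind != "network_connect" or d not in UPLOAD_DOMAINS:
            continue
        for ats, ahost in archives:
            if ahost == host and timedelta(0) <= parse_ts(ts) - ats <= window:
                hits.append((host, d))
    return hits
```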

“This extended dwell time and calculated approach highlight the sophistication and persistence of threat actors,” the company said. “The geographic location of the targeted organizations, as well as the use of tools previously associated with Chinese APT groups, suggests that these activities are the work of Chinese actors.”

Notably, the ambiguity in attributing these attacks to a specific Chinese threat actor underscores the difficulty of tracking cyber espionage groups when they often share tools and use the same techniques.

Geopolitical tensions in Southeast Asia over continuing territorial disputes in the South China Sea have been accompanied by a series of cyberattacks targeting the region, as evidenced by activity from threat groups tracked as Unfading Sea Haze, Mustang Panda, CeranaKeeper and Operation Crimson Palace.

The development comes a day after SentinelOne's SentinelLabs and Tinexta Cyber disclosed attacks by a China-nexus cyber-espionage group against major business-to-business IT service providers in southern Europe, a cluster of activity they call Operation Digital Eye.

Last week, Symantec also revealed that an unnamed large US organization was breached by suspected Chinese threat actors between April and August 2024, during which time they moved laterally across the network, compromising multiple computers and potentially stealing data.
