Sophos uncovers “Operation Crimson Palace,” a long-running cyber espionage effort targeting a Southeast Asian government. Learn how attackers used DLL sideloading and VMware exploits to steal sensitive military and economic data related to the South China Sea, and how Southeast Asia can defend against future cyber attacks.

Cybersecurity firm Sophos has shared details of a massive spying campaign dubbed “Crimson Palace.” The Chinese state-sponsored effort targeted a government agency in Southeast Asia for nearly two years using tactics such as DLL sideloading and VMware exploits.

According to Sophos MDR, the company’s human-led threat hunting service, a number of Chinese state-sponsored actors have been active against the target since early 2022, and despite a few weeks of downtime, intrusion activity continues against the organization, which Sophos rates as being in a “mixed state.”

Sophos first detected the activity in March 2022, when it found the NUPAKAGE malware, attributed to Earth Preta, and then again in December 2022, when DLL sideloading was used to deploy malicious backdoors on domain controllers. Intrusion activity was detected using

During the investigation, Sophos researchers found three distinct clusters of activity targeting the same organization: Cluster Alpha, Cluster Bravo, and Cluster Charlie. These clusters overlap with several Chinese nation-state groupings, including the APT41 subgroup Earth Longzi, BackdoorDiplomacy, REF5961, TA428 and a relatively new threat group, Unfading Sea Haze, which was reported in May 2024 conducting widespread cyber attacks against military targets in the South China Sea.

Cluster Alpha focused on sideloading malware and establishing persistent C2 channels, while Cluster Bravo focused on using valid accounts to spread laterally. Cluster Charlie prioritized access management and was aimed at extracting sensitive information for espionage purposes.

These clusters used a mix of custom malware and publicly available tools to collect sensitive political, economic and military information. These include an updated version of CCoreDoor, PocoProxy, Cobalt Strike, the PowHeartBeat backdoor, EAGERBEE malware, NUPAKAGE, the Merlin C2 agent, the PhantomNet backdoor, RUDEBIRD malware, and an LSASS logon credential interceptor.

“Sophos MDR has observed actors attempting to collect documents with file names that indicate they have intelligence value, including military documents related to strategies in the South China Sea.”

Sophos believes that the main purpose of the campaign is to maintain access for cyber espionage in support of Chinese state interests, including accessing critical IT systems, conducting espionage, gathering sensitive information, and placing malware implants for command-and-control communications.

According to the Sophos blog post, the campaign also included more than 15 distinct DLL sideloading scenarios, most of which abused Windows services, legitimate Microsoft binaries, and antivirus vendor software.
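One defensive check that pattern suggests, as an added example that is not Sophos's code: a heuristic over Sysmon-style image-load events (the field names and the sample events are assumptions constructed here) that flags a host executable loading an unsigned DLL from its own directory outside the trusted install locations, which is the core of sideloading a legitimate binary.

```python
# Added example (not Sophos's code). Assumes Sysmon-style Event ID 7 fields:
# Image, ImageLoaded, Signed, SignatureStatus. Sample events are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where Windows and signed vendor binaries normally load DLLs from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

@dataclass
class ImageLoad:
    image: str             # host process executable (Sysmon "Image")
    image_loaded: str      # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool           # was the DLL Authenticode-signed?
    signature_valid: bool  # Sysmon SignatureStatus == "Valid"

def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def sideload_suspects(events: list[ImageLoad]) -> list[ImageLoad]:
    """Flag a load when the executable and the DLL share a directory outside
    the trusted install locations and the DLL is not validly signed: a signed
    host binary dropped into a writable directory next to an attacker DLL."""
    hits = []
    for ev in events:
        exe_dir = str(PureWindowsPath(ev.image).parent).lower()
        dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
        same_dir = exe_dir == dll_dir
        untrusted = not is_trusted_dir(dll_dir)
        unsigned = not (ev.signed and ev.signature_valid)
        if same_dir and untrusted and unsigned:
            hits.append(ev)
    return hits

# Constructed sample telemetry (not from the Sophos report).
SAMPLE_EVENTS = [
    # Normal: system binary loading a signed system DLL.
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True, True),
    # Suspicious: signed vendor binary copied to a user directory loads an unsigned DLL beside it.
    ImageLoad(r"C:\Users\Public\update\vendor_updater.exe", r"C:\Users\Public\update\version.dll", False, False),
    # Normal: vendor binary in Program Files loading its own signed DLL.
    ImageLoad(r"C:\Program Files\Vendor\agent.exe", r"C:\Program Files\Vendor\helper.dll", True, True),
]

if __name__ == "__main__":
    for ev in sideload_suspects(SAMPLE_EVENTS):
        print(f"possible sideload: {ev.image} -> {ev.image_loaded}")
```

Real telemetry needs an allowlist for legitimate software that ships unsigned DLLs, so treat hits as triage candidates rather than verdicts.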

Collaborating threat actors around the world

This is the first instance in which Chinese threat groups have been observed actively cooperating to target a single institution, each with its own operating hours and scheduled activities, directed by a central authority.

Last month, researchers at Check Point reported that several Iranian state-sponsored hacker groups are working together to carry out large-scale attacks. Similarly, a report from Flashpoint last month highlighted that Russian state-sponsored hacker groups are changing tactics: they are now partnering and relying more and more on off-the-shelf tools instead of the custom-made tools they used to use.
