Security News > 2022 > August > Chinese hackers target Australian govt with ScanBox malware

China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake impersonating an Australian news media outlet.
Victims landed on the fraudulent site after receiving phishing emails with enticing lures and received a malicious JavaScript payload from the ScanBox reconnaissance framework.
The campaign was active from April to June this year and targeted people at local and federal Australian Government agencies, Australian news media organizations, and at global heavy industry manufacturers that provide maintenance to wind turbines in the South China Sea.
ScanBox has been seen in multiple attacks from at least six China-based threat actors in the past and there is sufficient evidence indicating that the toolkit has been used since at least 2014.
Visitors of the fake website were served with a copy of the ScanBox framework via JavaScript execution and staged module loading.
In some cases observed in June 2022, the threat actors targeted the Australian Naval Defense, oil and petroleum, and deep water drilling firms using COVID-19 passport services lures that downloaded a DLL stager for loading Meterpreter.
News URL
Related news
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages (source)
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign (source)
- North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures (source)
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool (source)
- Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware (source)
- Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware (source)