Security News > 2024 > June > Chinese attackers leverage previously unseen malware for espionage

Sophos released its report, "Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia," which details a highly sophisticated, nearly two-year long espionage campaign against a high-level government target.

During Sophos X-Ops' investigation, which began in 2023, the managed detection and response team found three distinct clusters of activity targeting the same organization, two of which included tactics, techniques and procedures that overlap with well-known, Chinese nation-state groups: BackdoorDiplomacy, APT15 and the APT41 subgroup Earth Longzhi.

The attackers designed their operation to gather reconnaissance on specific users as well as sensitive political, economic, and military information, using a wide variety of malware and tools throughout the campaign that Sophos has since dubbed "Crimson Palace." This includes previously unseen malware: a persistence tool that Sophos named PocoProxy.

Cluster Alpha also utilized TTPs and malware that overlap with the Chinese threat groups BackdoorDiplomacy, APT15, Worok, and TA428.

Cluster Charlie shares TTPs with Chinese threat group Earth Longzhi, a reported subgroup of APT41.

"Given how often these Chinese threat groups overlap and share tooling, it's possible that the TTPs and novel malware we observed in this campaign will resurface in other Chinese operations globally. We will keep the intelligence community informed of what we find as we continue our investigations into these three clusters," said Jaramillo.

News URL

https://www.helpnetsecurity.com/2024/06/06/chinese-state-sponsored-activity-government-target/