Chinese Hackers Weaponize Critical Check Point Bug to Launch Healthcare Ransomware Attacks

New Cyber Threat Targets European Healthcare with Advanced Malware

A sophisticated cyber campaign, dubbed Green Nailao, has been discovered targeting European organizations, particularly in the healthcare sector. The attacks, occurring between June and October 2024, utilize advanced malware including PlugX, ShadowPad, and NailaoLocker ransomware.

The threat actors exploited a vulnerability (CVE-2024-24919) in Check Point network gateway security products to gain initial access. Using DLL search-order hijacking, they deployed ShadowPad and PlugX, two malware variants commonly associated with Chinese cyber operations.

After gaining access, the attackers:
– Retrieved user credentials
– Conducted network reconnaissance
– Used RDP for lateral movement
– Deployed ShadowPad through a legitimate binary
– Attempted data exfiltration
– Ultimately deployed NailaoLocker ransomware
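The DLL search-order hijacking step above (a legitimate, typically signed binary loading a same-named copy of a Windows system DLL placed beside it) leaves a detectable trace in image-load telemetry. The following Python script is an added example, not code from the article or from any vendor; it runs a simple side-loading heuristic over a handful of constructed Sysmon-style image-load records. The field names, the allowlist of system directories and the set of DLL names are all illustrative assumptions.

```python
"""Heuristic detector for DLL search-order hijacking (side-loading).

Added example, not part of the original article or of any vendor tooling.
The records below are constructed to resemble Sysmon Event ID 7 (Image
loaded) fields; the field names and sample values are assumptions.
"""
from pathlib import PureWindowsPath

# Directories from which Windows normally loads its own DLLs.
# Assumption: a short illustrative allowlist, not an exhaustive one.
SYSTEM_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# DLL names that legitimately live in the system directories. A copy with
# the same name sitting next to an application binary is the classic
# side-loading setup. Constructed illustrative set.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "msvcr100.dll"}


def is_system_dir(path: str) -> bool:
    """True if the file at `path` sits directly in a Windows system directory."""
    parent = PureWindowsPath(path).parent
    return str(parent).lower() in SYSTEM_DIRS


def is_suspicious_load(event: dict) -> bool:
    """Flag an image-load event where a known system DLL name was resolved
    from the loading process's own directory instead of a system directory."""
    image = event["ImageLoaded"]
    process = event["Image"]
    dll_name = PureWindowsPath(image).name.lower()
    if dll_name not in KNOWN_SYSTEM_DLLS:
        return False          # not a name that should shadow a system DLL
    if is_system_dir(image):
        return False          # loaded from where it belongs
    # Search-order hijack pattern: the DLL resides beside the executable
    # that loaded it (PureWindowsPath compares case-insensitively).
    return PureWindowsPath(image).parent == PureWindowsPath(process).parent


def find_sideloads(events):
    """Return the subset of events that match the side-loading heuristic."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample events: only the second one should be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\Public\vendor\updater.exe",
     "ImageLoaded": r"C:\Users\Public\vendor\version.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\appcore.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\msvcr100.dll"},
]

if __name__ == "__main__":
    for e in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-loading:", e["Image"], "->", e["ImageLoaded"])
```

In practice the heuristic is noisier than this toy shows (installers and some legitimate applications ship private copies of runtime DLLs), so a real detection would pair it with the loader's code-signing status and the writable-directory context before alerting.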

The campaign has been attributed to Chinese-aligned threat actors, particularly the Teleboyi group, based on:
– Use of ShadowPad malware
– DLL side-loading techniques
– Infrastructure overlaps with Operation Harvest
– Similar tactics to APT41 and FamousSparrow

According to Trend Micro, the campaign targeted 21 companies across 15 countries, affecting manufacturing, transportation, and publishing sectors. The latest ShadowPad variant features enhanced anti-debugging capabilities and DNS-over-HTTPS to mask communications.

While the primary objective appears to be espionage, the deployment of ransomware suggests additional financial motivations. Organizations are advised to implement strong security measures and monitor for suspicious activities related to these threats.
