A sophisticated cyber espionage campaign, believed to be orchestrated by China-based threat actors, has been targeting prominent organizations across Southeast Asia since October 2023. According to Symantec’s Threat Hunter Team, the attacks have affected multiple sectors, including government ministries, air traffic control, telecommunications, and media organizations.
The attackers combined open-source tools with living-off-the-land (LotL) techniques, including:
– Reverse proxy programs (Rakshasa and Stowaway)
– Asset discovery tools
– Keyloggers
– Password stealers
– PlugX remote access trojan
Key Features of the Attack:
– Custom DLL files for intercepting login credentials
– Extended network access periods
– Comprehensive reconnaissance activities
– Data exfiltration via WinRAR archives to cloud storage services
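The staging and tooling points above translate fairly directly into process-creation detections. The following Python is an added example for this page, not code from Symantec or from the report; it runs two heuristics over constructed Sysmon-style process events (hostnames, paths and command lines are made up for illustration): (1) WinRAR invoked from the command line in "add" mode with switches typical of attacker staging (-hp/-p password protection, -v volume splitting, -df delete-after-archive) or with the archive written to a temp/ProgramData location, and (2) an image whose name matches one of the reverse proxy tools named above (Rakshasa, Stowaway). The WinRAR switch meanings are real WinRAR CLI semantics; the staging directories, thresholds and field names (host, parent, image, cmdline) are assumptions of this example.

```python
"""Detection sketch for WinRAR staging and reverse-proxy tool names in
process-creation telemetry. Added example; sample events are constructed
and are not telemetry from the campaign described on this page."""
import re
from dataclasses import dataclass

# Real WinRAR switches that are common in attacker staging and rare in
# interactive use: -hp (encrypt data and headers), -p (password), -v (split
# into volumes), -r (recurse), -m5 (max compression), -df (delete after add).
STAGING_SWITCHES = {"-hp", "-p", "-v", "-r", "-m5", "-df"}
HIGH_SIGNAL_SWITCHES = {"-hp", "-p", "-v", "-df"}
WINRAR_IMAGES = {"rar.exe", "winrar.exe"}
# Tool names taken from the page; matching on image name is a weak heuristic
# (attackers rename binaries), so treat hits as leads, not verdicts.
PROXY_TOOL_NAMES = {"rakshasa", "stowaway"}
# Assumed staging locations (example assumption, not from the report).
STAGING_DIRS = ("\\windows\\temp\\", "\\programdata\\", "\\users\\public\\",
                "\\appdata\\local\\temp\\")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> list:
    # Keep quoted Windows paths together; WinRAR glues values onto switches.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def _switch_prefix(tok: str):
    low = tok.lower()
    for sw in sorted(STAGING_SWITCHES, key=len, reverse=True):
        if low.startswith(sw):
            return sw
    return None


def analyse_event(ev: dict) -> list:
    """Return findings for one process-creation event."""
    findings = []
    image = _basename(ev["image"])
    if image in WINRAR_IMAGES:
        toks = _tokens(ev["cmdline"])
        command = toks[1].lower() if len(toks) > 1 else ""   # 'a' = add to archive
        switches, targets = set(), []
        for tok in toks[2:]:
            sw = _switch_prefix(tok)
            if sw:
                switches.add(sw)
            elif not tok.startswith("-"):
                targets.append(tok.strip('"'))
        staged = any(d in t.lower() for t in targets for d in STAGING_DIRS)
        if command == "a" and (switches & HIGH_SIGNAL_SWITCHES or staged):
            archive = targets[0] if targets else "?"
            findings.append(Finding(ev["host"], "winrar_staging",
                                    f"switches={sorted(switches)} staged={staged} archive={archive}"))
    if any(name in image for name in PROXY_TOOL_NAMES):
        findings.append(Finding(ev["host"], "reverse_proxy_tool_name", f"image={image}"))
    return findings


def scan(events: list) -> list:
    out = []
    for ev in events:
        out.extend(analyse_event(ev))
    return out


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"host": "ws-17", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -hpSecret! -m5 -v100m -r C:\Windows\Temp\out.rar "C:\Users\jdoe\Documents\*.docx"'},
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",          # user double-clicks an archive
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\jdoe\Downloads\report.rar'},
    {"host": "srv-03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\svc\stowaway.exe",
     "cmdline": r"C:\ProgramData\svc\stowaway.exe"},
    {"host": "srv-09", "parent": r"C:\Windows\System32\cmd.exe",     # plain unencrypted backup job
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -r -m3 D:\Backups\docs.rar D:\Docs"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} ({f.detail})")
```

Feeding real Sysmon Event ID 1 or EDR process telemetry into `scan` only requires mapping your schema onto the four fields used here. The backup job in the last sample event deliberately does not fire: it has no password, no volume splitting and no staging directory, which is what keeps the first rule from alerting on ordinary administrative use of WinRAR.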
The campaign's most notable trait is its persistence: the attackers maintained covert access to compromised networks for months at a time. In one case, an intrusion that ran from June to August 2024 involved extensive reconnaissance, password harvesting, and network mapping over the full three months.
The attribution to Chinese threat actors is based on:
– Geographic targeting patterns
– Use of tools commonly associated with Chinese APT groups
– Regional focus aligning with South China Sea territorial disputes
This campaign joins a series of recent Chinese cyber operations in the region, including activity attributed to the groups Unfading Sea Haze, Mustang Panda and CeranaKeeper, and the intrusion set tracked as Operation Crimson Palace. The attacks coincide with similar operations targeting European IT service providers and U.S. organizations, highlighting China's expanding cyber espionage efforts.