Chinese Hackers Unleash Sophisticated PlugX Attack on Asian Nations, Targeting Defense and Political Systems

China-Linked RedDelta’s Cyber Espionage Campaign Targets Asian Nations

A cyber espionage campaign attributed to the China-nexus threat actor RedDelta targeted multiple Asian nations between July 2023 and December 2024. The operation focused primarily on Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia and delivered a customized variant of the PlugX backdoor.

Key Developments:
– Compromised the Mongolian Ministry of Defense (August 2024) and the Communist Party of Vietnam (November 2024)
– Expanded targeting to Malaysia, Japan, the United States, Ethiopia, Brazil, Australia, and India
– Used politically themed lure documents, including content about Taiwan’s presidential candidate Terry Gou and ASEAN meetings

Technical Infrastructure:
– Built multi-stage infection chains using Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files as the initial execution vehicle
– Deployed PlugX through DLL side-loading, in which a legitimate signed executable loads a malicious DLL placed alongside it
– Routed C2 traffic through Cloudflare’s CDN so that it blended with traffic to other Cloudflare-fronted sites
– Operated through 10 administrative servers linked to China Unicom Henan Province
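DLL side-loading is the delivery step defenders most often have telemetry for, since endpoint sensors record every image load. The following is an added example, not code from the article or from any vendor report: a small scorer that runs over image-load records shaped like Sysmon Event ID 7 fields and flags loads that combine several side-loading indicators (DLL beside the executable rather than in a system directory, signed host loading an unsigned DLL, a DLL whose file name differs from its PE OriginalFilename, host running from a user-writable path). The record layout, the directory lists, and the sample events are all constructed assumptions; map your own log schema onto the `ImageLoad` fields.

```python
"""Flag candidate DLL side-loading from image-load telemetry.

Added example; not from the article or any vendor's tooling. Field names
mirror Sysmon Event ID 7 (ImageLoaded) concepts but are an assumption,
and the sample events below are constructed, not from a real incident.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: directories Windows legitimately loads system DLLs from.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Assumption: path fragments that mark user-writable drop locations.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass
class ImageLoad:
    process_path: str            # executable that performed the load
    process_signed: bool         # Authenticode signature valid on the host
    dll_path: str                # DLL that was mapped into the process
    dll_signed: bool             # Authenticode signature valid on the DLL
    dll_original_filename: str   # OriginalFilename from the PE version resource, "" if absent


def _norm(path: str) -> PureWindowsPath:
    """Lower-case and parse a Windows path so comparisons are case-insensitive."""
    return PureWindowsPath(path.lower())


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return every side-loading indicator matched by one image-load event."""
    reasons: list[str] = []
    proc, dll = _norm(ev.process_path), _norm(ev.dll_path)

    # 1. DLL resolved from the executable's own directory, not a system directory.
    same_dir = proc.parent == dll.parent
    in_system_dir = any(str(dll.parent).startswith(s) for s in SYSTEM_DIRS)
    if same_dir and not in_system_dir:
        reasons.append("dll loaded from executable's own directory")

    # 2. A signed (legitimate-looking) host pulled in an unsigned DLL.
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed process loaded unsigned dll")

    # 3. The DLL was renamed: on-disk name differs from its PE OriginalFilename.
    if ev.dll_original_filename and ev.dll_original_filename.lower() != dll.name:
        reasons.append("dll file name does not match OriginalFilename")

    # 4. The host executable itself runs from a user-writable location.
    if any(h in str(proc) for h in USER_WRITABLE_HINTS):
        reasons.append("host executable in user-writable path")

    return reasons


def find_sideloads(events, min_reasons: int = 2):
    """Return (event, reasons) pairs that hit at least min_reasons indicators.

    A single indicator is too noisy: plenty of legitimate software ships
    private DLLs next to its executable (indicator 1 alone).
    """
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample records (assumption; not observed data).
SAMPLE_EVENTS = [
    # Normal: a system process loading a system DLL from System32.
    ImageLoad(r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\version.dll", True, "version.dll"),
    # Side-load shape: signed binary dropped in Temp loads an unsigned,
    # renamed DLL sitting next to it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\updater.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False, "loader.dll"),
    # Benign vendor app loading its own signed helper DLL (one indicator only).
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\helper.dll", True, "helper.dll"),
]


if __name__ == "__main__":
    for ev, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{ev.process_path} -> {ev.dll_path}")
        for r in reasons:
            print(f"    - {r}")
```

The threshold matters more than any single rule: the vendor app in the third record trips the same-directory check and nothing else, which is exactly the pattern legitimate software produces, while the Temp-directory load trips all four. In production you would also join on the host executable's hash against a list of binaries known to be abused for side-loading, but that list is environment-specific and is not included here.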

The group, also tracked as BASIN, Bronze President, and Mustang Panda, has been active since 2012. Its recent activity aligns with Chinese strategic interests, particularly against governments and diplomatic organizations in Southeast Asia, and marks RedDelta’s return to its traditional Asian targets after a focus on European organizations in 2022.

This operation demonstrates the evolving sophistication of Chinese state-sponsored cyber operations and their continued focus on regional geopolitical interests.