Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

China-Linked Attackers Target Indian Embassies Worldwide

A threat group first analyzed more than two years ago has continued to improve its malware arsenal and was recently observed targeting personnel at Indian embassies worldwide.

A threat group first analyzed more than two years ago has continued to improve its malware arsenal and was recently observed targeting personnel at Indian embassies worldwide.

The actor’s activities were brought to light in late 2013 by FireEye. The security firm had analyzed a campaign aimed at foreign affairs ministries in Europe, which it dubbed “Operation Ke3chang.”

FireEye linked the attackers to China and determined that they had been active since at least 2010. At the time of the initial analysis, the group had been using three pieces of malware named by researchers BS2005, BMW, and MyWeb.

While no other reports have been published since 2013, the hackers behind Operation Ke3chang are still active and they’ve made some improvements to their tools.

Researchers at Palo Alto Networks recently came across a piece of malware that appears to have been used by the group in an ongoing attack aimed at Indian embassies.

The malware, dubbed “TidePool” by Palo Alto Networks, can be used to read, write and remove files from the infected system, and to execute commands. The threat, which behaves like a remote access Trojan (RAT), is similar to the BS2005 samples analyzed in 2013.

While there are many similarities between the two pieces of malware, TidePool appears to be an evolution of BS2005. According to researchers, both threats make unique registry changes, and they share code, including for command and control (C&C) obfuscation and use of library functions.

The threat actor has sent out spear phishing emails using an annual report filed by more than 30 Indian embassies as a decoy. In order to increase their chances of success, the addresses used to send the emails have been spoofed to look like the messages come from real people with ties to Indian embassies.

The spear phishing emails observed by the security firm include an MHTML document set up to exploit a Microsoft Office vulnerability (CVE-2015-2545) that was patched in September 2015. If the flaw is exploited successfully, the TidePool malware is dropped onto the targeted user’s system.

Since FireEye’s 2013 report also mentioned that the hackers behind Operation Ke3chang targeted Indian entities, researchers believe the country could represent a high priority target for the group.

As for attribution, Palo Alto Networks reported finding evidence that the malware developer’s system was likely running an OS and software with Chinese set as the default language. It’s worth noting that Chinese officials denied hacking European foreign ministries when FireEye published the first report on Operation Ke3chang.

“Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware,” Palo Alto Networks said in a blog post. “Unit 42 was able to track the evolution of Operation Ke3chang’s tools by observing unique behavioral quirks common throughout the malware’s lineage. By pivoting on these behaviors in AutoFocus, we were able to assess a relationship between these families dating back to at least 2012 and the creation of TidePool, a new malware family continuing in Ke3chang’s custom malware footsteps.”

Related: Attackers Target Indian Military in Data-Theft Campaign

Related: Suckfly Hackers Target Organizations in India

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.