Connect with us

Hi, what are you looking for?



China-Linked ‘BlackTech’ Hackers Start Targeting U.S.

The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.

The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.

Also referred to as Palmerworm, the hacking group is believed to have been active since at least 2013. The campaign analyzed by Symantec ran from August 2019 until as recently as August 2020, and it targeted organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China. The threat actor was previously known to target East Asia.

The recent attacks revealed the use of dual-use tools and a new suite of custom malware, including backdoors such as Consock, Waship, Dalwit, and Nomri. Previously, the threat actor was observed employing the backdoors known as Kivars and Plead (which Symantec refers to as Palmerworm).

“We have not observed the group using these malware families in previous attacks – they may be newly developed tools, or the evolution of older Palmerworm tools,” the security firm notes in a new report.

Despite the use of undocumented malware, other artefacts observed in these attacks, including the use of previously employed infrastructure, suggest that the BlackTech threat actor is behind them.

In addition to the new backdoors, the hackers leveraged a custom loader and a network reconnaissance tool, along with dual-use tools, such as Putty, PSExec, SNScan, and WinRAR.

Furthermore, the threat actor signed the payloads in these attacks with stolen code-signing certificates, a tactic it was observed employing before. While Symantec hasn’t identified the initial attack vector, the actor is known for the use of spear-phishing to access victim networks.

A total of five victims were identified in these attacks, including organizations in media, electronics, and finance based in Taiwan, an engineering company in Japan, and a construction company in China. Some U.S.-based companies were targeted as well, but they haven’t been identified.

Advertisement. Scroll to continue reading.

The targeting of Taiwanese companies isn’t something new for BlackTech, which previously infiltrated government agencies in the country. Taipei said at the time that the group is operating out of China.

Although the first activity associated with the recent campaign started in August 2019, the attackers were able to maintain presence in the compromised networks for a long time: activity associated with the attack was observed on compromised machines within the media company’s network in August 2020.

“Palmerworm also maintained a presence on the networks of a construction and a finance company for several months. However, it spent only a couple of days on the network of a Japanese engineering company in September 2019, and a couple of weeks on the network of an electronics company in March 2020,” Symantec explains.

The security researchers are unsure what type of data the attackers might have exfiltrated from the compromised organizations, but believe that cyber-espionage might have been the purpose of the attacks.

Related: Hackers Exploit ASUS Update Process to Install Backdoor

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Thousands of Taiwan Government Email Accounts ‘Hacked by China’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...