Security Experts:

Connect with us

Hi, what are you looking for?



China-Linked ‘CactusPete’ Hackers Successful Despite Lack of Sophistication

A Chinese threat actor tracked by Kaspersky as CactusPete was observed leveraging an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

A Chinese threat actor tracked by Kaspersky as CactusPete was observed leveraging an updated backdoor in recent attacks targeting military and financial organizations in Eastern Europe.

Also referred to as Karma Panda or Tonto Team and active since at least 2013, the threat actor has been mainly focused on military, diplomatic, and infrastructure targets in Asia and Eastern Europe. The adversary lacks sophistication, but has been relatively successful in attacks despite that, the security researchers say.

Attacks observed at the end of February 2020 employed a new variant of the group’s Bisonal backdoor to hit organizations in the military and financial sectors in Eastern Europe. Analysis of the malware revealed the APT released more than 20 samples per month; over 300 identical samples were used between March 2019 and April 2020.

“The target location forced the group to use a hardcoded Cyrillic codepage during string manipulations. This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands,” Kaspersky explains.

While the delivery method for the new attacks is yet unknown, the threat actor was previously observed leveraging spear-phishing for intrusion. The emails carried attachments attempting to exploit recently patched vulnerabilities, but leveraged other methods as well to ensure successful compromises.

Upon initial communication with the attackers’ server, the malware sends information on the victim network, including hostname, IP and MAC address; OS version; infected host time; proxy usage flags, information on whether it was executed in a VMware environment; and system default CodePage Identifier.

On the compromised system, the backdoor can execute a remote shell, silently run programs, retrieve the process list, terminate processes, upload/download/erase files, list available drives, and retrieve a list of files in a specified folder.

In addition to reconnaissance and gaining deeper access to a compromised network, the hackers use custom Mimikatz iterations and keyloggers to steal credentials, and attempt to escalate privileges.

“Since the malware contains mostly information gathering functionality, most likely they hack into organizations to gain access to the victims’ sensitive data. If we recall that CactusPete targets military, diplomatic and infrastructure organizations, the information could be very sensitive indeed,” Kaspersky notes.

Other malware employed by the adversary includes the DoubleT backdoor, along with CALMTHORNE, Curious Korlia, and DOUBLEPIPE.

Despite being a medium-level group in terms of technical capabilities, CactusPete was observed using more complex code, such as ShadowPad, which suggests outside support. ShadowPad was leveraged in attacks targeting defense, energy, government, mining, and telecom entities in Asia and Eastern Europe.

The group was historically observed targeting organizations in South Korea, Japan, the US and Taiwan, but it has expanded the target list to additional Asian and Eastern European regions over the past couple of years.

“We call CatusPete an Advanced Persistent Threat (APT) group, but the Bisonal code we analyzed is not that advanced. Yet, interestingly, the CactusPete APT group has had success without advanced techniques, using plain code without complicated obfuscation and spear-phishing messages with ‘magic’ attachments as the preferred method of distribution,” Kaspersky concludes.

Related: Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

Related: Chinese Hackers Target Air-Gapped Systems With Custom USB Malware

Related: Chinese Hackers Target Air-Gapped Military Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...