A China-linked cyber espionage group has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia, Symantec reported on Tuesday.
Symantec has been tracking the threat actor, which it has named “Thrip,” since 2013. However, the security firm says the group’s activities have not been made public until now.
Thrip has used a combination of custom malware and legitimate tools in its attacks. One victim was a satellite communications operator, where the hackers targeted devices involved in operations, as well as systems running software designed for monitoring and controlling satellites.
“This suggests to us that Thrip’s motives go beyond spying and may also include disruption,” Symantec researchers said.
Thrip has also targeted a company specializing in geospatial imaging and mapping. The attackers attempted to gain access to machines hosting MapXtreme GIS, Google Earth Server and Garmin imaging software.
The list of victims identified by Symantec also includes three telecoms firms in Southeast Asia. The companies themselves appear to have been Thrip’s targets rather than their customers. Another victim is a defense contractor, but no details have been shared by the security firm on this attack.
Symantec has been monitoring Thrip since 2013, when it spotted a campaign conducted from systems located in China. The group initially relied mostly on custom malware, but more recent campaigns, which started last year, also involved legitimate tools.
The pieces of malware used by the group include Trojan.Rikamanu, a trojan designed for stealing credentials and other information from compromised systems, and Infostealer.Catchamas, an evolution of Rikamanu that includes improved data theft and anti-detection capabilities.
Thrip has also been spotted using Trojan.Mycicil, a keylogger offered on Chinese underground marketplaces but which has not been seen often, and Backdoor.Spedear and Trojan.Syndicasec, both of which have been observed in the group’s older campaigns.
As for the legitimate tools used by the cyberspies, the list includes the Windows SysInternals utility PSExec, PowerShell, the post-exploitation tool Mimikatz, the open source FTP client WinSCP, and the LogMeIn remote access software.
“This is likely espionage,” said Greg Clark, CEO of Symantec. “The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence. They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat.”
Related: Chinese Cyberspies Target National Data Center in Asia
Related: China-Linked Spies Used New Malware in U.K. Government Attack
Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
