Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Cyberspies Hacked DLP Company Serving Military, Government Orgs

The Chinese hacker group Tick has targeted an East Asian data loss prevention firm whose customers include military and other government organizations.

A notorious Chinese cyberespionage group has been spotted targeting a data loss prevention (DLP) company that serves military and other government organizations.

Cybersecurity firm ESET analyzed the attack, which it managed to trace back to March 2021. Over the course of more than a year, the hackers conducted activities within the network of the targeted organization.

The victim is a DLP software development company located in an unnamed East Asian country. ESET’s report does mention possible links to a different attack aimed at South Korean companies and individuals, but it’s unclear if the DLP firm is from the same country. 

Tick, also known as Bronze Butler and RedBaldKnight, has been around since at least 2006, mainly targeting entities in the APAC region with the goal of stealing intellectual property and classified information. The hackers have been known to use sophisticated methods — including zero-day vulnerabilities — in their attacks.

ESET has attributed the attack on the DLP company to Tick with high confidence, primarily based on the use of malware that is unique to this APT.

The attackers deployed three pieces of malware during this operation, including a new downloader named ShadowPy.

One interesting aspect of the attack observed by ESET is the fact that the hackers compromised update servers and tools used by the victim, but they apparently leveraged them to spread laterally within the company’s environment rather than for conducting a supply chain attack targeting its customers.

ESET did identify two customers who had received trojanized installers developed by the attackers, but researchers believe these malicious installers were transferred to the customers by mistake by the DLP firm’s employees during tech support activities rather than being distributed by the attackers. 

“Using ESET telemetry, we didn’t identify any customers of the DLP company who had received any malicious files through the software developed by that company,” ESET said.

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: EU Organizations Warned of Chinese APT Attacks

Related: Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...