Connect with us

Hi, what are you looking for?



Chinese Cyberspies Targeting US State Legislature

A China-linked cyberespionage group was recently observed targeting a state legislature in the United States, Symantec warns.

A China-linked cyberespionage group was recently observed targeting a state legislature in the United States, Symantec warns.

Active since at least 2010, the group is tracked as APT27, Bronze Union, Budworm, Emissary Panda, Iron Tiger, Lucky Mouse, and TG-3390 (Threat Group 3390), and has been observed targeting various entities worldwide, mainly focusing on the Middle East and Asia.

In a new report detailing APT27’s recent activities, Symantec notes that the attack on the US state legislature is the first time in several years that it has seen the cyberespionage group targeting a US entity.

Over the past six months, Symantec also observed the threat actor targeting a Middle Eastern government, a hospital in South East Asia, and a multinational electronics manufacturer.

As part of these attacks, APT27 was seen exploiting Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) in the Apache Tomcat service to deploy web shells, and using virtual private servers (VPS) as command and control (C&C) servers.

The group continues to rely on the HyperBro malware as the main backdoor, which is often executed using DLL side-loading – in some cases, a custom HyperBro loader has been used.

In recent attacks, the cyberspies abused the endpoint privilege management application CyberArk Viewfinity for side-loading the malicious payload.

“This involves the attackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the legitimate application (having installed it themselves). The legitimate application then loads and executes the payload,” Symantec explains.

Advertisement. Scroll to continue reading.

Other malware and tools that APT27 has been using include the PlugX/Korplug trojan, Cobalt Strike beacon (penetration testing tool with shell code loading capabilities), LaZagne (credential dumping), IOX (proxy and port-forwarding), Fast Reverse Proxy (FRP), and Fscan (intranet scanning).

The HyperBro malware, which is a backdoor exclusive to APT27, was recently mentioned by the NSA, FBI and CISA in an alert describing the TTPs used by APTs in attacks targeting a US defense industrial base organization.

“While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe. […] A resumption of attacks against U.S.-based targets could signal a change in focus for the group,” Symantec concludes.

Related: Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

Related: Stealthy ‘SockDetour’ Backdoor Used in Attacks on U.S. Defense Contractors

Related: Chinese Cyber-Spies Target Government Organizations in Middle East

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.