Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware

China-linked cyberespionage group Iron Tiger was observed using the compromised servers of a chat application for the delivery of malware to Windows and macOS systems, Trend Micro reports.

Also referred to as APT27, Bronze Union, Emissary Panda, Lucky Mouse, and TG-3390 (Threat Group 3390), Iron Tiger has been active since at least 2010, targeting hundreds of organizations worldwide for cyberespionage purposes.

As part of recent attacks, the advanced persistent threat (APT) group abused the compromised servers of MiMi – an instant messaging application available on Windows, macOS, Android, and iOS – for malware delivery. The desktop version of MiMi is built using the cross-platform framework ElectronJS.

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro, which downloaded a malicious MiMi installer for macOS from the legitimate servers this June.

The sample would fetch ‘rshell’, a macOS backdoor that can collect system information and send it to the command and control (C&C) server, as well as execute commands received from its operators and send the results to the C&C.

Based on received commands, the backdoor can open or close a shell, execute commands in a shell, list directories, read files, write to a file, close a file, prepare files for download or upload, or delete files.

Trend Micro says it has discovered numerous rshell samples, including some targeting Linux. The oldest of these samples was uploaded in June 2021.

The security firm also found evidence that Iron Tiger had access to the servers hosting the MiMi installers since at least November 2021, when the group modified the Windows installers; the macOS installers were not modified until May 2022.

According to Trend Micro, the attackers were leveraging their access to the MiMi servers to modify installers quickly after the developers released new application versions.

“We can see that it took an hour and a half for the attackers to modify the legitimate installer and add malicious code to it. For older versions, it took the attackers one day to inject its modifications,” Trend Micro says.

The security firm also points out that the trojanized applications went unnoticed by users mainly because the legitimate MiMi installers are not signed: installing them already requires clicking through multiple operating system warnings, something MiMi users were likely accustomed to, so the tampered installers triggered nothing new.
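Two details above matter for defenders: the installers were modified on the download server within hours of each release, and, being unsigned, nothing on the client side could reveal the change. One control a publisher can apply even without code signing is to record installer digests at release time in a location the web host cannot write to, and periodically re-hash what the download server is actually serving. The following is an added example (not code from Trend Micro, MiMi, or the article); the file names, digests and the "injected" bytes are constructed for the demo, and the manifest format is an assumption.

```python
"""Detect post-publication tampering of installer files (added example).

A publisher snapshots the SHA-256 of every installer at release time (the
'manifest') and stores it off the download server.  A periodic check re-hashes
the served files and flags any whose digest changed, that appeared without
being in the manifest, or that went missing.  All names and bytes below are
constructed for illustration; they are not MiMi artifacts.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large installers never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(release_dir: Path) -> dict:
    """Snapshot digests at release time.  Keep the result somewhere the web host cannot write."""
    return {p.name: sha256_of(p) for p in sorted(release_dir.iterdir()) if p.is_file()}


def check_against_manifest(release_dir: Path, manifest: dict) -> dict:
    """Compare what is being served with the release-time manifest.

    Returns {'tampered': [...], 'unexpected': [...], 'missing': [...]}:
      tampered   - present, but digest differs from release time
      unexpected - served, but never recorded in the manifest
      missing    - recorded in the manifest, but no longer served
    """
    result = {"tampered": [], "unexpected": [], "missing": []}
    present = {p.name: p for p in release_dir.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        if name not in present:
            result["missing"].append(name)
        elif sha256_of(present[name]) != expected:
            result["tampered"].append(name)
    for name in sorted(present):
        if name not in manifest:
            result["unexpected"].append(name)
    return result


def demo() -> dict:
    """Constructed scenario: manifest taken at release, then one installer is altered afterwards."""
    with tempfile.TemporaryDirectory() as d:
        release = Path(d)
        (release / "app-1.0.0-win.exe").write_bytes(b"legit windows installer bytes")
        (release / "app-1.0.0-mac.dmg").write_bytes(b"legit macos installer bytes")
        manifest = build_manifest(release)

        # Simulate a post-release modification of the macOS installer on the server,
        # plus a file that was dropped on the server without ever being released.
        (release / "app-1.0.0-mac.dmg").write_bytes(b"legit macos installer bytes\x00injected")
        (release / "app-1.0.0-linux.tar.gz").write_bytes(b"never published")

        return check_against_manifest(release, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest's storage: if the attacker who can rewrite installers can also rewrite the manifest, it detects nothing, which is why the snapshot belongs in the release pipeline (CI artifact store, signed release notes) rather than beside the downloads. Running the comparison on a schedule also bounds the window in which a tampered installer is served, the window Trend Micro measured at an hour and a half for recent versions.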

The modified Windows installers would download the HyperBro backdoor onto the victim’s system. This in-memory, custom backdoor can gather system information, upload or download files, manipulate files, list the contents of folders, execute shell commands, run applications, take screenshots, kill processes, inject code into processes, and manipulate services.

As part of these attacks, Iron Tiger appears to have targeted only victims in Taiwan and the Philippines: five targets of HyperBro and eight targets of rshell. Victimology falls in line with previous Iron Tiger operations.

Trend Micro says that it was able to identify only a single victim of these attacks, namely a Taiwanese gaming development company.

Related: Ransomware Attacks Linked to Chinese Cyberspies

Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike

Related: China’s APT27 Hackers Use Array of Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
