Connect with us

Hi, what are you looking for?


Malware & Threats

Elusive Chinese Cyberspy Group Hijacks Software Updates to Deliver Malware

The China-linked cyberespionage group Blackwood has been caught delivering malware to entities in China and Japan. 

A Chinese cyberespionage group targeting organizations and individuals in China and Japan has remained under the radar for roughly five years, cybersecurity firm ESET reports.

Tracked as Blackwood and active since at least 2018, the advanced persistent threat (APT) actor has been using adversary-in-the-middle (AitM) attacks to deploy a sophisticated implant via the update mechanisms of legitimate software such as Sogou Pinyin, Tencent QQ, and WPS Office.

Blackwood attacks are characterized by the deployment of NSPX30, a sophisticated implant that includes a backdoor, a dropper, installers, loaders, and an orchestrator, and which can hide its command-and-control (C&C) communication through packet interception.

NSPX30 has been used against a small number of victims, including individuals in China and Japan, a Chinese-speaking individual linked to a British research university, a manufacturing and trading business in China, and a Japanese engineering and manufacturing firm.

The NSPX30 implant, ESET says, appears to be the successor of a 2005 backdoor dubbed Project Wood that has served as a code base for various implants, including the 2008 DCM (aka Dark Specter), from which NSPX30 is derived.

Public reporting shows that Project Wood was used in several attacks in the past, including a 2011 incident targeting a political figure from Hong Kong via spearphishing. The malware featured a loader and a backdoor that could collect system and network details, log keystrokes, and take screenshots.

Malware derived from the backdoor and featuring capabilities seen in DCM was also used in a 2014 cyberespionage campaign dubbed TooHash, which ESET attributes to the Gelsemium APT.

The same as DCM, NSPX30 relies on AitM attacks for delivery and can also allowlist itself in several Chinese antimalware solutions. However, it has a different component configuration, with operations divided into two stages and DCM’s code split into smaller components.

Advertisement. Scroll to continue reading.

According to ESET, Blackwood likely deploys an implant on the victims’ networks, possibly on vulnerable routers and gateways, and then uses it to intercept unencrypted HTTP traffic related to updates and deliver NSPX30’s dropper instead.

When launched, the backdoor creates a passive UDP listening socket with a port assigned by the operating system. The same port is likely used both for listening for commands and for data exfiltration, with the network implant responsible for forwarding the packets.

“We have observed victims located outside of China – that is, in Japan and the United Kingdom – against whom the orchestrator was able to deploy the backdoor. The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ. Therefore, we know that the AitM system was in place and working, and we must assume that the exfiltration mechanism was as well,” ESET notes.

Related: New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

Related: New ‘GoldenJackal’ APT Targets Middle East, South Asia Governments

Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.