Connect with us

Hi, what are you looking for?


Malware & Threats

Multiple Chinese APTs Targeted Southeast Asian Government for Two Years

Multiple Chinese state-sponsored groups have targeted a Southeast Asian government in a years-long cyberespionage campaign.

Multiple China-linked state-sponsored groups have been observed targeting the same Southeast Asian government in a years-long cyberespionage campaign, Sophos reports.

The campaign, dubbed Operation Crimson Palace, focused on reconnaissance on specific individuals and on harvesting economic, military, and political information using numerous tools, including a new malware family named PocoProxy. The targeted country has not been named.

Sophos identified three distinct clusters of activity involved in attacks against a high-level government entity, two overlapping with the tactics, techniques, and procedures (TTPs) of known Chinese advanced persistent threat (APT) actors such as APT15, BackdoorDiplomacy, Earth Longzhi, REF5961, TA428, Unfading Sea Haze, and Worok.

Active between early March and late August 2023, the first cluster deployed tools for disabling antivirus protections, performing reconnaissance, and privilege escalation, including a version of the EagerBee malware. The cluster’s TTPs overlap with those of known Chinese APTs.

The second cluster was active in the victim’s network for three weeks in March 2023 and focused on lateral movement, to deploy the CCoreDoor backdoor, which supports discovery, credential exfiltration, and communication with the attacker’s server.

The third cluster was active for a year, between March 2023 and at least April 2024, focusing on espionage and sensitive data exfiltration, including credentials and military and political documents. The cluster uses the PocoProxy persistence tool and overlaps with the TTPs of Earth Longzhi, an APT41 subgroup.

According to Sophos, the attackers were seen using web shells to re-penetrate the victim’s network after periods of inactivity, and scheduling activity around one another, including alternating it by day, suggesting that they were aware of the others’ activities.

“We have moderate confidence that these activity clusters were part of a coordinated campaign under the direction of a single organization,” Sophos notes.

Advertisement. Scroll to continue reading.

“Based on our investigation, Sophos asserts with high confidence the overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests,” the cybersecurity firm continues.

The threat actors involved in Operation Crimson Palace relied on 15 different DLL sideloading techniques, abusing Windows services, Microsoft binaries, and antivirus software for malware delivery.

In addition to CCoreDoor, PocoProxy, and EagerBee, the attackers also deployed tools such as Cobalt Strike, Merlin C2 Agent, NuPakage, PhantomNet and PowHeartBeat backdoors, and RudeBird malware.

“The threat actors leveraged many novel evasion techniques, such as overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads,” Sophos explains.

Initial access to the victim’s network, Sophos explains in a technical writeup, likely occurred around March 2022, involving the deployment of NuPackage, a tool previously linked to Earth Preta. The campaign targeting the organization appears to continue.

“Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” Sophos says.

Related: US Disrupted Chinese Hacking Operation Aimed at Critical Infrastructure: Report

Related: Chinese Hackers Target North American, APAC Firms in Web Skimmer Campaign

Related: Spies, Hackers, Informants: How China Snoops on the West

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights