Connect with us

Hi, what are you looking for?


Malware & Threats

New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack

A new APT group called Carderbee has been observed deploying the PlugX backdoor via a supply chain attack targeting organizations in Hong Kong.

A newly discovered advanced persistent threat (APT) actor has been observed deploying the PlugX backdoor via a supply chain attack, mainly targeting organizations in Hong Kong, Symantec reports.

Dubbed Carderbee, the adversary was seen abusing the legitimate Cobra DocGuard software, which helps users protect, encrypt, and decrypt applications. The tool is developed by EsafeNet, which is owned by Chinese information security firm NSFocus.

In September 2022, following a malicious update, Cobra DocGuard was abused in a supply chain attack targeting a gambling company in Hong Kong. The attack was attributed to APT27 (Budworm, LuckyMouse), which compromised the same company in September 2021.

Starting April 2023, Symantec has observed a signed version of the PlugX backdoor (also known as Korplug) being delivered in a Cobra DocGuard supply chain attack targeting organizations in Hong Kong and other parts of Asia, but could not link the activity to a known threat actor.

“Korplug is a backdoor that is known to be used by multiple APTs, including APT41 and Budworm. It was not possible to link this activity definitively to a known group, which is why we attributed it to a new group, Carderbee,” Symantec notes.

The security firm identified malicious activity on roughly 100 computers – out of approximately 2,000 running Cobra DocGuard – within the targeted organizations and observed multiple malware families being deployed using the same supply chain compromise attack.

“In one interesting case, a downloader deployed by the attackers had a digitally signed certificate from Microsoft, called Microsoft Windows Hardware Compatibility Publisher. This downloader was used to install the Korplug backdoor on targeted systems,” Symatec explains.

Advertisement. Scroll to continue reading.

The downloader attempted to fetch a ZIP archive that would execute the PlugX backdoor in memory, allowing the attackers to execute commands, enumerate files and running processes, download files, open firewall ports, and log keystrokes.

According to Symantec, the activity was likely performed by “patient and skilled actors” that attempted to stay under the radar using both a supply chain attack and malware signed with a valid certificate.

“The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity,” the cybersecurity firm notes.

Symantec has not linked Carderbee to any country, but attacks involving PlugX malware and ones aimed at Hong Kong are typically conducted by Chinese state-sponsored threat actors. 

Related: Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App

Related: PyPI Users Targeted With ‘Wacatac’ Trojan in New Supply Chain Attack

Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.