A newly identified cyberespionage group operating out of China has been targeting IT services providers and telecommunications companies with signed malware.
The activities of this advanced persistent threat (APT), which SentinelOne tracks as WIP19, show overlaps with Operation Shadow Force, but it is unclear whether this is a new iteration of the campaign or the work of a different, more mature adversary using new malware and techniques.
Mainly focused on entities in the Middle East and Asia, WIP19 is using stolen certificates to sign several malicious components. To date, the group was observed using malware families such as ScreenCap, SQLMaggie, and a credential dumper.
“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014,” SentinelOne says.
The valid certificate that WIP19 has been using to sign its malware was issued to Korean messaging provider DEEPSoft Co. and was likely stolen by the threat actor, given that it was also used to sign legitimate software in the past.
According to SentinelOne, all of the threat actor’s credential harvesting tools were signed using the stolen certificate, including a password dumper relying on open source code to load an SSP to LSASS and dump the process.
WIP19 was also observed relying on DLL search order hijacking to load a keylogger and a screen recorder. The keylogger mainly targets the victim’s browser, to harvest credentials and other sensitive information.
The ScreenCap malware attributed to the APT performs a series of checks that involve the victim’s machine name, which suggests that it was specifically tailored for each victim.
“This does not prevent the actor from re-signing each of the payloads with the DEEPSoft certificate, proving the actors have direct access to the stolen certificate,” SentinelOne notes.
In attacks employing SQLMaggie, the backdoor was seen masquerading as a legitimate DLL that is registered to the MSSQL Server to provide the attackers with control over the server machine, to perform network reconnaissance.
SentinelOne also discovered that each version of the backdoor may support different commands, based on the targeted environment. SQLMaggie appears to be exclusive to the group or sold privately, as no portions of its code can be found publicly.
The security firm, which uses the WIPxx (work-in-progress) designation for unattributed clusters of activity, says it is highly likely that this APT is of Chinese origin, given the overlaps with Operation Shadow Force through WinEggDrop.
“The intrusions we have observed involved precision targeting and were low in volume. Specific user machines were hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the targeting of telecommunications and IT service providers in the Middle East and Asia suggest the motive behind this activity is espionage-related,” SentinelOne notes.
Related: New ‘Maggie’ Backdoor Targeting Microsoft SQL Servers
Related: Chinese Cyberspies Targeting US State Legislature
Related: Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

More from Ionut Arghire
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
Latest News
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
