Connect with us

Hi, what are you looking for?



New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

A newly identified cyberespionage group operating out of China has been targeting IT services providers and telecommunications companies with signed malware.

A newly identified cyberespionage group operating out of China has been targeting IT services providers and telecommunications companies with signed malware.

The activities of this advanced persistent threat (APT), which SentinelOne tracks as WIP19, show overlaps with Operation Shadow Force, but it is unclear whether this is a new iteration of the campaign or the work of a different, more mature adversary using new malware and techniques.

Mainly focused on entities in the Middle East and Asia, WIP19 is using stolen certificates to sign several malicious components. To date, the group was observed using malware families such as ScreenCap, SQLMaggie, and a credential dumper.

“Our analysis of the backdoors utilized, in conjunction with pivoting on the certificate, suggest portions of the components used by WIP19 were authored by WinEggDrop, a well-known Chinese-speaking malware author who has created tools for a variety of groups and has been active since 2014,” SentinelOne says.

The valid certificate that WIP19 has been using to sign its malware was issued to Korean messaging provider DEEPSoft Co. and was likely stolen by the threat actor, given that it was also used to sign legitimate software in the past.

According to SentinelOne, all of the threat actor’s credential harvesting tools were signed using the stolen certificate, including a password dumper relying on open source code to load an SSP to LSASS and dump the process.

WIP19 was also observed relying on DLL search order hijacking to load a keylogger and a screen recorder. The keylogger mainly targets the victim’s browser, to harvest credentials and other sensitive information.

Advertisement. Scroll to continue reading.

The ScreenCap malware attributed to the APT performs a series of checks that involve the victim’s machine name, which suggests that it was specifically tailored for each victim.

“This does not prevent the actor from re-signing each of the payloads with the DEEPSoft certificate, proving the actors have direct access to the stolen certificate,” SentinelOne notes.

In attacks employing SQLMaggie, the backdoor was seen masquerading as a legitimate DLL that is registered to the MSSQL Server to provide the attackers with control over the server machine, to perform network reconnaissance.

SentinelOne also discovered that each version of the backdoor may support different commands, based on the targeted environment. SQLMaggie appears to be exclusive to the group or sold privately, as no portions of its code can be found publicly.

The security firm, which uses the WIPxx (work-in-progress) designation for unattributed clusters of activity, says it is highly likely that this APT is of Chinese origin, given the overlaps with Operation Shadow Force through WinEggDrop.

“The intrusions we have observed involved precision targeting and were low in volume. Specific user machines were hardcoded as identifiers in the malware deployed, and the malware was not widely proliferated. Further, the targeting of telecommunications and IT service providers in the Middle East and Asia suggest the motive behind this activity is espionage-related,” SentinelOne notes.

Related: New ‘Maggie’ Backdoor Targeting Microsoft SQL Servers

Related: Chinese Cyberspies Targeting US State Legislature

Related: Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...