Researchers Analyze Chinese Malware Used Against Russian Government

At least two Chinese cyberespionage groups targeted Russian federal executive authorities in 2020, security researchers with threat hunting and intelligence firm Group-IB reveal.

Chinese threat actors have been known to conduct cyberattacks in various countries worldwide, including Russia, targeting military contractors, research institutes, state agencies, and other entities, with a focus on cyberespionage.

An in-depth analysis of the employed malware families suggests that Chinese hacker groups TA428 and TaskMasters were behind a series of attacks that targeted Russian government agencies in 2020, Group-IB says. Both groups are linked to the Chinese government.

Believed to have been active since at least 2020, TaskMasters (also referred to as BlueTraveller) mainly targets organizations in Russia and the CIS, with a focus on sectors such as government agencies, industrial and energy firms, and transport companies.

Operating since 2013, TA428 has been targeting government agencies in East Asia, with a focus on those that have connections with domestic and foreign policy, governmental information technology, and economic development.

As part of last year’s attacks against Russian authorities, the Chinese hackers used malware families Webdav-O and Mail-O to gain remote access to targeted systems and exfiltrate data of interest.

During their investigation into the attacks, Group-IB’s security researchers discovered code similarities between Webdav-O and the BlueTraveller Trojan (also referred to as RemShell), which eventually led them to the conclusion that TaskMasters might have used the malware in the 2020 attacks.

Group-IB’s investigation also revealed a connection between BlueTraveller and Albaniiutas, a relatively new malware family in TA428’s portfolio, suggesting that “Albaniiutas is nothing but a logic continuation of the malware belonging to the BlueTraveller family.”

The security researchers also note that some of the 2020 attacks against the Russian government might have been conducted by TA428, especially with Mail-O believed to be part of this group’s portfolio and with Webdav-O being linked to BlueTraveller, which is in turn linked to TA428’s Albaniiutas.

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out.

The researchers also note that evidence suggests that a large hacking group consisting of intelligence units of the People’s Liberation Army of China might be operating out of the country, with the various Chinese APT groups tracked by threat intelligence organizations being nothing more than subgroups.

“Each unit attacks to the fullest, according to a strict timeline and order. This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives,” Group-IB concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
