Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

A Vietnam-linked threat actor tracked as APT32 is believed to have carried out intrusion campaigns against Chinese entities in an effort to collect intelligence on the COVID-19 crisis, FireEye reports.

A state-sponsored hacking group also known as OceanLotus and APT-C-00, APT32 is believed to be well-resourced and determined, and was previously observed targeting corporate and government organizations in Southeast Asia.

The most recent attacks associated with the group started with spear phishing messages sent to China’s Ministry of Emergency Management and to the government of Wuhan province, which is considered the epicenter of the current coronavirus pandemic.

“While targeting of East Asia is consistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information,” FireEye points out.

The first attack was observed on January 6, 2020, with an email sent to China’s Ministry of Emergency Management. The message included a tracking link that embedded the recipient’s email address, so that the attackers were notified when the email was opened.

Additional tracking URLs identified by FireEye revealed the targeting of China’s Wuhan government and of another email account associated with the Ministry of Emergency Management.

One domain used in the attack (libjs.inquirerjs[.]com) was employed in December 2019 as a command and control (C&C) domain for a METALJACK phishing campaign supposedly targeting Southeast Asian countries.


FireEye believes that APT32 used COVID-19-themed attachments against Chinese-speaking targets, and that these were designed to ultimately deliver a METALJACK loader to the victim’s machine.

While the payload was being loaded, a COVID-19 decoy document with the filename written in Chinese would be displayed, showing a copy of a New York Times article to the victim.

Shellcode loaded from an additional resource contains the METALJACK payload. The shellcode fingerprints the victim’s system, collecting the computer name and username and appending them to a URL string. If the callout to that URL succeeds, METALJACK is loaded into memory.
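Both stages described above leave a footprint in outbound web traffic: the tracking link carries the recipient’s email address, and the loader calls out to attacker infrastructure. The following is an added detection example, not code from FireEye or from the article; it scans constructed proxy-log lines (the `timestamp client_ip method url` layout is an assumption) for the one C&C domain named in the article and for URLs that embed an email address.

```python
import re
from urllib.parse import urlsplit, unquote

# The only infrastructure indicator given in the article (defanged there as
# libjs.inquirerjs[.]com). Extend this set from your own threat intel feed.
KNOWN_C2_DOMAINS = {"libjs.inquirerjs.com"}

# An e-mail address embedded anywhere in a URL, as in the tracking link
# described in the article. The URL is percent-decoded before matching so
# that "%40" is seen as "@".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_url(url):
    """Return the reasons a URL looks like a tracking beacon or a C&C callout."""
    reasons = []
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_C2_DOMAINS or any(host.endswith("." + d) for d in KNOWN_C2_DOMAINS):
        reasons.append("known-c2-domain")
    if EMAIL_RE.search(unquote(url)):
        reasons.append("email-in-url")
    return reasons


def scan_proxy_log(lines):
    """Parse 'timestamp client_ip method url' lines; return (client_ip, url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the sweep
        _ts, client_ip, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client_ip, url, reasons))
    return hits


# Constructed sample log lines (hostnames other than the C&C domain are invented).
SAMPLE_LOG = [
    "2020-01-06T09:12:41Z 10.20.30.41 GET http://libjs.inquirerjs.com/img/1.gif?t=12",
    "2020-01-06T09:12:44Z 10.20.30.41 GET https://tracker.example.net/open.gif?id=analyst%40example.gov",
    "2020-01-06T09:13:02Z 10.20.30.55 GET https://www.nytimes.com/section/world",
]

if __name__ == "__main__":
    for client_ip, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client_ip, ",".join(reasons), url)
```

Both hits in the sample come from the same client, which is the pivot a responder would use to go looking for the decoy document and the in-memory loader on that host.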

“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports,” FireEye concludes.

Related: Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection

Related: Google Sees Millions of COVID-19-Related Malicious Emails Daily

Related: Syrian Hackers Target Mobile Users With COVID-19 Lures

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
