{
	"id": "03383d72-75be-4d5b-b019-5f823dd1f382",
	"created_at": "2026-04-06T00:06:29.138149Z",
	"updated_at": "2026-04-10T13:11:46.637789Z",
	"deleted_at": null,
	"sha1_hash": "00311cd932c635381929af6b471c2006dcac4481",
	"title": "Cyber Espionage in the South China Sea | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5202980,
	"plain_text": "Cyber Espionage in the South China Sea | Proofpoint US\r\nBy Michael Raggi and Sveva Scenarelli at PwC, August 30, 2022\r\nPublished: 2022-08-25 · Archived: 2026-04-05 13:24:53 UTC\r\nProofpoint’s Threat Research Team details a recent cyber espionage campaign targeting entities globally and\r\nconducted by a threat actor which was publicly attributed in 2021 by multiple governments and was the focus of a\r\n2021 indictment by the US Department of Justice. The targets of this recent campaign spanned Australia,\r\nMalaysia, and Europe, as well as entities that operate in the South China Sea. Proofpoint’s research has been\r\nassisted by the PwC Threat Intelligence team to provide the information security community with a\r\ncomprehensive view of the threat activity described.  \r\nIntroduction \r\nProofpoint and PwC Threat Intelligence have jointly identified a cyber espionage campaign, active from April\r\n2022 through June 2022, delivering the ScanBox exploitation framework to targets who visit a malicious domain posing\r\nas an Australian news website. The joint efforts of Proofpoint and PwC researchers provide a moderate confidence\r\nassessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally\r\nmay represent recent efforts by TA423 / Red Ladon. Activity which overlaps with this threat actor has been\r\npublicly referred to in governmental indictments as “APT40” and “Leviathan.” This blog analyzes the structure\r\nand capabilities of the sample of ScanBox and the plugins identified in this campaign. It also correlates this\r\ncampaign and its observed victimology with previous campaigns conducted by TA423 / Red Ladon which\r\nleveraged RTF template injection.   
\r\nThe blog details:  \r\nRecent targeted phishing campaigns that use URLs impersonating Australian media entities to deliver the\r\nScanBox reconnaissance framework;  \r\nHow this custom ScanBox script and related modules work;  \r\nHow this campaign correlates to threat activity dating back to June 2021 which leveraged RTF template\r\ninjection;  \r\nThe history of the ScanBox framework; and,  \r\nThe targeting focus of TA423/Red Ladon on domestic Australian organisations, as well as entities involved\r\nwith offshore energy exploration in the South China Sea.  \r\nTA423 / Red Ladon: TA423 / Red Ladon is a China-based, espionage-motivated threat actor that has been active\r\nsince 2013, targeting a variety of organisations in response to political events in the Asia-Pacific region, with a\r\nfocus on the South China Sea. Targeted organisations include defence contractors, manufacturers, universities,\r\ngovernment agencies, legal firms involved in diplomatic disputes, and foreign companies involved with\r\nAustralasian policy or South China Sea operations.   \r\nhttps://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea\r\nPage 1 of 30\n\nTA423 / Red Ladon Targets the Australian Government and Wind Turbine Fleets in South China\r\nSea \r\nBeginning on 12 April 2022, and continuing through mid-June 2022, Proofpoint identified several waves of a\r\nphishing campaign resulting in the execution of the ScanBox reconnaissance framework, in part based on\r\nintelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity. The phishing campaign\r\ninvolved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an\r\nAustralian news media outlet. The website’s landing page delivered a JavaScript ScanBox malware payload to\r\nselected targets. 
In historic instances, ScanBox has been delivered from websites that were the victim of strategic\r\nweb compromise (SWC) attacks, with legitimate sites being injected with malicious JavaScript code. In this\r\ninstance, the threat actor controls the malicious site and delivers malicious code to unsuspecting users.  \r\nA ScanBox Primer: ScanBox, detailed in open source as early as 2014 by AlienVault, is a JavaScript-based web\r\nreconnaissance and exploitation framework which allows threat actors to profile victims, and to deliver further\r\nmalware to selected targets of interest. PwC Threat Intelligence assesses it is highly likely that ScanBox is shared\r\nprivately amongst multiple China-based threat actors.   \r\nFigure 1. A timeline of activity involving ScanBox from 2014 to May 2022\r\nThe following China-based threat actors have been observed using ScanBox:  \r\nRed Sylvan (a.k.a. APT3, Gothic Panda);  \r\nRed Apollo (a.k.a. APT10, Stone Panda);  \r\nRed Phoenix (a.k.a. APT27, Emissary Panda);  \r\nTA423 / Red Ladon (a.k.a. APT40, Leviathan, GADOLINIUM);  \r\nRed Dev 16 (a.k.a. Evil Eye, Earth Empusa, Poison Carp); and,  \r\nTA413 / White Dev 9 (a.k.a. LuckyCat).  \r\nTA423 / Red Ladon’s 2018 ScanBox activity targeting Cambodia involved domains masquerading as news\r\nwebsites and targeted high-profile government entities, including the National Election Commission. One of the\r\nScanBox server domains used in that campaign, mlcdailynews[.]com, hosted several articles about Cambodian\r\naffairs and US and East Asia relations, whose contents were copied from legitimate publications (Khmer Post,\r\nAsia Times, Reuters, Associated Press). These were likely used as lures in phishing emails to convince targets to\r\nfollow malicious links to the actor-controlled ScanBox domain.  
\r\nThe 2022 ScanBox Campaign  \r\nThe April 2022 to June 2022 ScanBox campaign primarily targeted:  \r\nlocal and federal Australian Governmental agencies;  \r\nAustralian news media companies; and,  \r\nglobal heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South\r\nChina Sea.   \r\nThis demonstrated the commingling of targets involved in Australian governmental affairs as well as offshore\r\nenergy production in the South China Sea. Proofpoint previously observed similar targeting in June 2021 by\r\nTA423 / Red Ladon, wherein the threat actor would deliver a downloader in DLL format via RTF template\r\ninjection. The campaign showed a consistency of victimology spanning thirteen months and bridging diverse\r\nphishing tactics, techniques, and procedures (TTPs).  \r\nThe ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and\r\nOutlook email addresses which Proofpoint assesses with moderate confidence were created by the threat actor, and\r\nutilized a variety of subjects including “Sick Leave,” “User Research,” and “Request Cooperation.” The threat\r\nactor would frequently pose as an employee of the fictional media publication “Australian Morning News”,\r\nproviding a URL to the malicious domain and soliciting targets to view its website or share research content that\r\nthe website would publish.  \r\nIn emails, the threat actor claimed to be starting a “humble news website” (sic) and solicited user feedback while\r\nproviding a link to australianmorningnews[.]com. While this is not impersonating an existing Australian media\r\npublication, it does copy content from legitimate news publications (including the BBC and Sky News) which was\r\nthen displayed when victims navigated to the website.   \r\nUpon clicking the link and being redirected to the site, visitors were served the ScanBox framework. 
The impersonation\r\nof a fictional media publication local to targets of interest is a tactic that Proofpoint and PwC Threat Intelligence\r\nhad previously observed being used in historic TA423 / Red Ladon ScanBox campaigns identified preceding the\r\nCambodian elections in 2018. The content of the emails and the malicious URL technique reprised an approach\r\npreviously observed in September 2021 TA423 / Red Ladon campaigns detailed later in this blog, in which the\r\nthreat actor impersonated Australian media publications with its malware delivery infrastructure.  \r\nFigure 2. TA423 Phishing Emails 28 April 2022 and 1 June 2022\r\nFigure 3. The homepage of australianmorningnews[.]com, posing as “Australia’s largest news site”. The exact\r\nsame headline, picture, and text can be found in the BBC’s coverage.  \r\nAn interesting commonality to earlier activity can be observed across several of the campaigns identified from\r\nApril through May 2022. The malicious URLs provided in the emails also appear to use values that are\r\ncustomized for each target, although they all redirect to the same page and serve the same malicious payload. In\r\none instance the threat actor was observed appending the URI extension “?p=23-\u003c##\u003e”. It appears that p=23\r\nspecifies the page value for the landing page the user is redirected to, while the number string that follows it, e.g. the\r\n“11” in “?p=23-11”, appears to be a unique identifier for each recipient. Proofpoint had also observed customized\r\nURLs, and URL redirect destinations distinct for each target, in TA423’s earlier campaigns in March 2022. 
This\r\nmay be an attempt by the threat actor to correlate traffic to its servers, which host the page infected by ScanBox\r\nmalware, with custom user identifiers which targets received within the URLs via email:  \r\nhxxp://australianmorningnews[.]com/?p=23-7  \r\nhxxp://australianmorningnews[.]com/?p=23-11  \r\nhxxp://australianmorningnews[.]com/?p=23-24  \r\nhxxp://australianmorningnews[.]com/?p=23-27  \r\nMalware  \r\nScanBox can deliver JavaScript code in a single block, or, as is the case in the April 2022 campaign, as a\r\nplugin-based, modular architecture. While delivering the entire code at once would allow threat actors full\r\nfunctionality on a victim system, PwC threat intelligence analysts assess that a primary motivation for selectively\r\nloading plugins is likely to prevent crashes or errors that might tip off the owners of compromised websites.\r\nPwC assesses that another likely motivation to adopt a modular architecture was to reduce researchers’ visibility\r\nand access into the plugins and the threat actor’s toolset.   \r\nCampaigns from May through June 2022 delivered the same JavaScript file with contents similar to those PwC\r\nhad originally encountered in samples of ScanBox as early as 2014:  \r\nSHA-256  7795936ed1bdb7a5756c1ff821b2dc8739966abbb00e3e0ae114ee728bf1cf1a \r\nFilename  cwhe18nc \r\nFile type  JavaScript \r\nFile size  24,768 bytes \r\n.info.seed  0c62cf7354f80d5519b71656540567a1 \r\nThe malicious file executed in victims’ browsers was originally hosted at the URL:\r\nhxxp://image[.]australianmorningnews[.]com/i/?cwhe18nc  \r\nMain Script and Overall Characteristics: The modular architecture of ScanBox works by executing a main\r\nJavaScript payload, and then loading additional modules to profile the victim. 
At the very end of the code of its\r\nmain module, ScanBox sets up its configuration, which includes the C2 server to contact\r\n(hxxp://image.australianmorningnews[.]com/i/ followed by specific URLs as described later in this blog), and the\r\ninformation to gather from victim systems, as seen in Figure 4 below.  \r\nFigure 4. The 2022 ScanBox initial script setting up its configuration\r\nFigure 5. A 2015 sample of ScanBox’s initial script setting up its configuration\r\nThe initial script harvests several types of information from visitors and serves as a setup for the following stages\r\nof information gathering and potential follow-on exploitation or compromise. From PwC's analysis, the\r\ncapabilities of the initial ScanBox JavaScript executed in victims’ browsers include:  \r\nGetting the current time;  \r\nGetting the language of the victim’s browser;   \r\nGetting the major and minor version of Adobe Flash installed on the victim’s browser, if any;  \r\nChecking if the victim’s browser is Safari or Internet Explorer;  \r\nChecking whether the C2 is alive and responding;  \r\nSending information about the victim’s browser back to the C2, including:  \r\nVersion of Flash installed;  \r\nLocation (that is, the URL being visited);  \r\nThe URI the victim was redirected from;  \r\nTitle of the webpage being visited;  \r\nDomain being visited;  \r\nReferrer;  \r\nUser-Agent;  \r\nCookie;  \r\nCharacter encoding;  \r\nScreen width and height;  \r\nUnderlying Operating System;  \r\nLanguage;  \r\nScreen’s colour depth;  \r\nLoading further ScanBox plugins and parsing their responses back into JSON to send to the C2.  \r\nFigure 6. 
The initial ScanBox script checks whether it’s ready and able to connect to the C2 to send back victim\r\ninformation\r\nThe modular ScanBox architecture works by sending data to different responsive PHP scripts hosted in the same\r\nserver-side folder, which in many cases in the past few years has been called /i/, and which in this case is\r\nhxxp://image[.]australianmorningnews[.]com/i/. The scripts perform different functions, as follows:  \r\nURI path  Action \r\n/i/v.php?m=b  Send victim information back to the C2 \r\n/i/c.php?data=  Load a specified child JavaScript object \r\n/i/k.php?data=  Create an iframe, or replace one, containing the data in the URL \r\n/i/p.php?data=  Execute a ScanBox plugin \r\n/i/v.php?m=a\u0026data=  Heartbeat to the C2 server to know whether the C2 is online \r\n/i/v.php?m=p\u0026data=  Get information on the plugin \r\n/i/v.php?m=plug  URL that plugins send gathered data back to \r\nThe one-letter script names closely match their functionality, as p.php refers to executing a ScanBox plugin, k.php\r\nrelates to keylogger data, while v.php handles victim information harvested by the ScanBox scripts.  \r\nModern versions of ScanBox have function names prepended by a seemingly random set of 32 alphanumeric\r\ncharacters (which could represent an MD5 hash), which are also referred to in ScanBox scripts as the .info.seed\r\nparameter. 
We identified other samples of the main ScanBox script which embed a different .info.seed parameter\r\nwithin the script hosted at the URL hxxp://image[.]australianmorningnews[.]com/i/?cwhe18nc:  \r\nSHA-256  2f204f3b3abc97efc74b6fa016a874f9d4addb8ac70857267cc8e4feb9dbba26 \r\nFilename  cwhe18nc.js \r\nFile type  JavaScript \r\nFile size  24,685 bytes \r\n.info.seed  4845456f078aa3b7ed5221b8fcda5bb4 \r\nSHA-256  18db4296309da48665121899c62ed8fb10f4f8d22e44fd70d2f9ac8902896db1 \r\nFilename  cwhe18nc.htm \r\nFile type  JavaScript \r\nFile size  24,518 bytes \r\n.info.seed  d78bd216a4811d8eba37576dbe186492 \r\nInfection Chain and ScanBox Control Flow \r\nFigure 7. A diagram of the infection chain and ScanBox control flow\r\nFigure 8. A summary of ScanBox installation, control flow, and plugin activity\r\nKeylogger plugin: The keylogger plugin records any key pressed by the victim within the iframe created by the\r\nScanBox code and sends data back to the C2. PwC has described an extremely similar module in a 2017 report on\r\nScanBox, with the code having remained roughly the same since the first ScanBox keylogger plugins were\r\nobserved in 2014.  \r\nVictim browser plugin identification: This plugin gathers the name, filename, and description of any legitimate\r\nbrowser plugin installed in the victim’s browser, sending the result back to the C2 as a list.  \r\nBrowser fingerprinting plugin: This plugin gathers further information about the victim’s browser, likely for the\r\nthreat actor to understand the available attack surface and which capabilities might be required for follow-on\r\nexploitation. 
It checks, among other details:  \r\nWhether Java is installed, and if so what version;  \r\nThe version of ActiveX installed;  \r\nWhether specific Java web applications are installed;  \r\nWhether the victim’s browser is Internet Explorer, iPhone, Firefox, Chrome, Safari, “Other” from the\r\nNetscape family, Opera, or “unknown”; and,  \r\nWhether the Microsoft Java Virtual Machine (MSJVM) is installed in the victim’s browser.  \r\nPeer connection plugin: PwC had previously documented this module in a 2017 report (‘A ScanBox darkly’, PwC\r\nCyber Threat Intelligence, CTO-TIB-20170713-01A). The module implements WebRTC, a free and open-source\r\ntechnology supported on all major browsers, which allows web browsers and mobile applications to perform real-time communication (RTC) over application programming interfaces (APIs). This allows ScanBox to connect to a\r\nset of pre-configured targets. In this sample, the targets are STUN servers at the following URL:  \r\nstun:stun.l.google[.]com:19302, a legitimate Google address.  \r\nSTUN (Session Traversal Utilities for NAT) is a standardised set of methods, including a network protocol, that\r\nallows interactive communications (including real-time voice, video, and messaging applications) to traverse\r\nnetwork address translator (NAT) gateways. STUN is supported by the WebRTC protocol. Through a third-party\r\nSTUN server located on the Internet, it allows hosts to discover the presence of a NAT, and to discover the\r\nmapped IP address and port number that the NAT has allocated for the application's User Datagram Protocol\r\n(UDP) flows to remote hosts. 
ScanBox implements NAT traversal using STUN servers as part of Interactive\r\nConnectivity Establishment (ICE), a peer-to-peer communication method used for clients to communicate as\r\ndirectly as possible, avoiding having to communicate through NATs, firewalls, or other intermediaries.  \r\nThis means that the ScanBox module can set up ICE communications to STUN servers, and communicate with\r\nvictim machines even if they are behind NAT.   \r\nSecurity check plugin: The final plugin that this ScanBox instance delivers to targets checks whether Kaspersky\r\nInternet Security (KIS) is installed on the victim machine. This is achieved by calling the JavaScript method\r\nElement.getElementsByTagName(). The plugin checks the HTML elements in the victim’s browser for the value\r\nkaspersky-labs.com or klTabId_kis, which signals whether code has been injected into the user's browser\r\nby Kaspersky Internet Security.  \r\nInfrastructure  \r\nThe ScanBox C2 domain image[.]australianmorningnews[.]com has resolved to three IP addresses:  \r\nIP address   First seen  Last seen \r\n198.13.45[.]227  2022-06-06  2022-07-08 \r\n139.180.161[.]195  2022-04-26  2022-06-05 \r\n45.77.237[.]243  2022-04-25  2022-04-25 \r\naustralianmorningnews[.]com was first registered on 8th April 2022 with the following unique WHOIS\r\ninformation, which has not been used to register any other domain:  \r\nEmail  suzannehhu316@outlook.com \r\nName  Florence Gourley \r\nCity  Logandale \r\nPhone  103,104 bytes \r\nThis domain first started resolving on 8th April 2022 to 104.168.140[.]23, a probable dedicated server which also\r\nhosts an FTPd server, a Dovecot mail delivery agent, an Exim mail server, and a MariaDB database.  
\r\nCorrelating ScanBox Campaigns to Earlier TA423 RTF Template Injection Campaigns  \r\nBeginning in March 2021, Proofpoint began to observe a consistent pattern of targeting against entities based in\r\nMalaysia and Australia, as well as against entities that are involved in the operations and supply chain of offshore\r\nenergy projects in the South China Sea. From June 2021 through May 2022, Proofpoint observed an ongoing\r\nphishing campaign which involved malicious RTF attachments weaponized through template injection.\r\nAdditionally, this campaign made use of malicious URLs which delivered RTF template injection files. Both\r\ninitial infection vectors delivered first-stage downloader malware to targets. The downloaders retrieved XOR-encoded versions of Meterpreter shellcode.   \r\nThroughout this campaign, Australian targets regularly included military academic institutions, as well as local\r\nand federal government, defense, and public health sectors. Malaysian targets included offshore drilling and deep-water energy exploration entities as well as global marketing and financial companies. Several global companies\r\nwere also targeted that appear to relate to the global supply chains of offshore energy projects in the South China\r\nSea. These included:  \r\nheavy industry and manufacturers responsible for the maintenance of offshore wind farms;  \r\nmanufacturers of installation components used in offshore wind farms;  \r\nexporters of energy from prominent energy exploration sites in the South China Sea;  \r\nlarge consulting firms providing expertise at projects in the South China Sea; and,  \r\nglobal construction companies responsible for the installation of offshore energy projects in the South\r\nChina Sea.  \r\nFigure 9. 
A Visualization of Targeted Countries\r\nProofpoint assesses with moderate confidence that the campaigns were conducted by the China-based, espionage-motivated threat actor TA423, which PwC tracks as Red Ladon and which also overlaps with “Leviathan,”\r\n“GADOLINIUM,” and “APT40.”   \r\nThis threat actor has demonstrated a consistent focus on entities involved with energy exploration in the South\r\nChina Sea, in tandem with domestic Australian targets including defense and health care. Both the CopyPaste\r\nattacks targeting the Australian government in 2021, attributed publicly to TA423 / Red Ladon, and the threat\r\nactor’s historic focus on the South China Sea, align with the observed victimology of the long-running campaign\r\ndescribed in this blog. More distinctly, this threat actor has repeatedly targeted both Australian governmental and\r\nenergy-related target sets within a single campaign over multiple years.   \r\nFinally, this threat actor has been observed using both ScanBox in a watering hole capacity as well as Meterpreter\r\nin intrusions within the geographic areas in which this threat actor is currently operating.  \r\nThe technical evolution of the observed campaigns can be divided into three phases.  \r\nFigure 10. A timeline of detected phishing activity involved in ongoing TA423 Campaign May 2021 – June 2022\r\nPhase 1: March 2021 – September 2021: The first phase of this campaign consisted of phishing targeting users in\r\nAustralia and Malaysia. The emails delivered Zip Archive attachments containing RTF template injection files as\r\nwell as, in some cases, plain RTF attachments (not contained in Zip archives). These files would retrieve either\r\nfurther Zip archives, or macro-laden Word documents using RTF template injection which serve as a next stage\r\ndownloader.   
\r\nRegardless of the nature of the downloader, the following stage payload would consist of a legitimate PE and a\r\nmalicious DLL stager. This DLL stager is executed using DLL sideloading and communicates with a threat actor-controlled server to retrieve a response encoded with a single-byte XOR. The decoded response is Meterpreter\r\nshellcode which is executed on the victim’s machine.   \r\nSimilar to the ScanBox activity in April 2022 to June 2022, several of the domains utilized to deliver malware\r\npayloads and to communicate with threat actor C2 servers were themed around Australian news media. Most\r\nnotably, the domains impersonated “The Australian” and “Herald Sun.” Examples of malicious URLs originating\r\nfrom RTF Template Injection phishing attachments from this phase of the campaign include:  \r\nhxxps://theaustralian[.]in/europa.eeas (RTF Template URL Retrieving Macro Document)  \r\nhxxps://theaustralian[.]in/office (Macro Initiated Request Retrieving Legitimate PE)  \r\nhxxps://theaustralian[.]in/word (Macro Initiated Request Retrieving DLL Loader/Stager)  \r\nheraldsun[.]me (Meterpreter C2)  \r\nPhase 2: March 2022: The second observed phase of this campaign occurred in March 2022, and consisted of\r\nphishing campaigns which used RTF template injection attachments leveraging template URLs that were\r\ncustomized for each target. Despite returning the same payload to all victims, these URLs were distinct, with each\r\nincluding a victim ID number that correlated to the intended victims, allowing the threat actor to track active\r\ninfections based on the initial URL beacons to the staging server.   \r\nThe RTF template injection URL returned a macro-laden Microsoft Word document. The macro contains a series\r\nof hardcoded hex bytes stored as strings. 
These strings are reassembled by the macro and converted into two files,\r\na PE and a DLL, which are saved to the victim host and executed. The macro also makes a URL request\r\nseemingly to return an “UpdateConfig” value which may be used by the final installed payload. At the time of\r\ndiscovery, Proofpoint could not successfully retrieve the payload. However, Proofpoint analysts have previously\r\nobserved the weaponised RTF files ultimately delivering a DLL downloader which retrieves an XOR-encoded\r\nMeterpreter payload response. Notably, the recurring use of custom URLs that are unique to each victim, likely for\r\ninfection tracking purposes, is a commonality to the ScanBox phishing URLs observed later in April 2022.  \r\nPhase 3: April 2022 – June 2022: The current phase of this ongoing campaign consisted of malicious Australian\r\nmedia-themed URLs delivered in phishing emails characterized above. These URLs were victim-specific\r\nin some instances, and redirected users to a website posing as an Australian media-themed site. While this\r\nversion of ScanBox has been customized to download subsequent modules, it is unencoded and heavily resembles\r\nearlier versions of the standard ScanBox code base.   \r\nA Case Study in Victimology: Targeting of the Kasawari Gas Field and Entities Involved with its\r\nSupply Chain  \r\nOn 2 June 2021 numerous emails were sent from a Gmail email address to several companies involved with deep\r\nwater drilling, oil and petroleum exploration, and Australian Naval Defense. The emails used “COVID19 passport\r\nservices in Australia” themes to deliver the aforementioned ZIP and RTF attachments that utilize RTF template\r\ninjection to download a DLL stager and downloader payload leading to a Meterpreter payload.  \r\nFigure 11. 
RTF Template Injection Attachment titled “COVID-19 and passport services Australia.” \r\nThis campaign focused heavily on Malaysia, and specifically on companies that appear to be involved in either the\r\nengineering, extraction of natural gases, or export of natural gas products from the Kasawari Gas Project off the\r\ncoast of Malaysia. Specifically, four of the eight entities targeted by this campaign were associated directly with\r\nthis project. Additional targets observed in this campaign were involved in Australian Defense universities,\r\nconsumer healthcare in Australia, and large financial banking entities in Malaysia. A similar array of targeting\r\nacross Australian domestic entities and organisations operating in the South China Sea was later observed in the\r\nMay 2022 ScanBox campaign that was described in the Phase 3 phishing activity section of this publication.  \r\nIn close temporal proximity to the cyber espionage campaigns targeting these entities, the Asia Maritime\r\nTransparency Initiative reported disruption at the project site stemming from Chinese Coast Guard intervention.\r\nProofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423 / Red\r\nLadon, which multiple reports assess to operate out of Hainan Island, China. A 2021 indictment by the US\r\nDepartment of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province\r\nMinistry of State Security (MSS). One of TA423’s longest running areas of responsibility is assessed to include\r\nthe South China Sea, with the US Department of Justice indictment indicating that the threat actor has historically\r\nfocused on intellectual property related to naval technology developed by federally-funded defense contractors\r\nglobally. 
This indictment also explicitly mentioned the existence of the Yulin Naval Base, which has\r\nbeen stated to be located on Hainan Island.  \r\nWhile a direct correlation cannot be drawn between the cyber espionage campaign targeting entities involved with\r\nthe site and portions of its supply chain in the days directly preceding kinetic naval intervention, the historic\r\ntargeting focus of TA423 / Red Ladon and the subsequent naval intervention may suggest that this project in the\r\nSouth China Sea was highly likely an area of priority interest for the threat actor.  \r\nA Case Study Extended: TA423 Targets the Supply Chain of the Yunlin Offshore Windfarm in the\r\nStrait of Taiwan  \r\nOn 24th, 28th, and 29th March 2022, Proofpoint observed phishing activity leveraging RTF template injection that\r\ntargeted a European manufacturer of heavy equipment utilized in the installation of an offshore windfarm in the\r\nStrait of Taiwan. Specifically, the manufacturer targeted was a key supplier of equipment for entities involved in\r\nthe construction of the Yunlin Offshore Windfarm. This is a project which began in 2020 and was projected to be\r\ncompleted in 2022. However, the project began to encounter construction delays which resulted in several major\r\ncontractors terminating contracts and leaving the project unfinished between November 2021 and February 2022.\r\nThis offshore energy project resumed in late April 2022.   \r\nThe dates of the observed phishing activity align with the period between 2nd February 2022 and 28th April 2022\r\nwhen the project’s future was uncertain. The targeting of supply chain entities by TA423 during this period of\r\nproject uncertainty is notable, since the group has previously targeted projects in the South China Sea during key\r\nmoments in their development timeline.   \r\nFigure 12. 
Map of Projected Offshore Windfarms in the Strait of Taiwan Circa 2018\r\nConclusion \r\nThis blog examined several phases of a sustained phishing campaign, running for over a year and currently\r\nongoing, that Proofpoint and PwC threat intelligence analysts attribute to the China-based, espionage-motivated\r\nthreat actor TA423 / Red Ladon. The campaign has an international reach, but a heavy focus on the Asia Pacific\r\nregion, Australian governmental entities, and companies and countries operating in the South China Sea. In\r\nparticular, Proofpoint has observed TA423 / Red Ladon targeting entities directly involved with development\r\nprojects in the South China Sea closely around the time of tensions between China and other countries related to\r\ndevelopment projects of high strategic importance, such as the Kasawari Gas field developed by Malaysia, and an\r\noffshore wind farm in the Strait of Taiwan.   \r\nFrom an operational perspective, in addition to its custom toolset and offensive security tools like Meterpreter, TA423\r\n/ Red Ladon has also returned to ScanBox. The last time that TA423 / Red Ladon was publicly documented using\r\nScanBox was in 2018. While ScanBox activity has been reported more sporadically since its first appearance in\r\n2014 and heavy use in 2015, it remains a tool available to, and shared among, China-based threat actors to\r\nselectively deploy in campaigns. We have observed TA423 / Red Ladon using ScanBox, both in 2018 and 2022, in\r\ncampaigns using an upcoming national election as a lure, wherein the threat actor built local news-themed\r\nmalicious websites to draw targets to and infect them.   
\r\nFollowing the US Department of Justice indictment and public disclosure in July 2021, Proofpoint analysts have\r\nnot observed a distinct disruption of operational tempo specifically for phishing campaigns associated with\r\nTA423/Red Ladon. While the indictment attributed this threat actor to a specific entity operating with support of a\r\nChinese state intelligence agency, the technical details included did not cover the tactics currently in use by the\r\ngroup in the wild. As a result, the group was free to continue its usage of novel phishing techniques like RTF\r\nTemplate Injection which began in early 2021 (before the indictment) and persisted through March 2022.   \r\nOverall, Proofpoint and PwC collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions\r\nin Australia, Europe and the United States.  
\r\nIndicators of Compromise (IOCs)\r\nPhase 3 IOCs (April to June 2022)\r\n[Indicator table omitted: phishing email sender addresses and header-from names, phishing URLs, actor-controlled domains, registrant email, ScanBox main module filename, ScanBox sample SHA-256 hashes, ScanBox URLs, RTF template injection attachment filenames with SHA-256 hashes, and C2 IPs; see the source report.]\r\nPhase 1 \u0026 2 IOCs\r\n[Indicator table omitted: RTF template injection and payload delivery URLs, payload filenames with SHA-256 hashes, including the legitimate PEs used in DLL sideloading; see the source report.]\r\nET Signatures\r\n2811686 - ETPRO CURRENT_EVENTS SUSPICIOUS Encoded Plugin Detect (Previously observed in scanbox)\r\n2021544 - ET CURRENT_EVENTS scanbox Jun 06 2015 M3 T1\r\n2021543 - ET CURRENT_EVENTS scanbox Jun 06 2015 M2 T1\r\n2021542 - ET CURRENT_EVENTS scanbox Jun 06 2015 M1 T1\r\n2021229 - ET TROJAN scanbox Sending Host Data\r\n2019096 - ET CURRENT_EVENTS scanbox Framework used in WateringHole Attacks KeepAlive\r\n2019095 - ET CURRENT_EVENTS scanbox Framework used in WateringHole Attacks (POST) PluginData\r\n2019094 - ET CURRENT_EVENTS scanbox Framework used in WateringHole Attacks Initial (POST)\r\n2019093 - ET CURRENT_EVENTS scanbox Framework used in WateringHole Attacks\r\n2851357 - ETPRO MALWARE TA423 Related Maldoc Activity (GET)\r\n2851358 - ETPRO MALWARE TA423 Related Activity (GET)\r\n2851658 - ETPRO MALWARE TA423 Related Activity M1 (GET)\r\n2851659 - ETPRO MALWARE TA423 Related Activity M2 (GET)\r\n2851660 - ETPRO MALWARE TA423 Related Activity M3 (GET)\r\n2851661 - ETPRO MALWARE TA423 Related Activity M4 
(GET)\r\n2851662 - ETPRO MALWARE TA423 Related Activity M5 (GET)\r\n2851663 - ETPRO MALWARE Suspected TA423 Related Activity (GET)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea\nInfection Chain and ScanBox Control Flow\nFigure 7. A diagram of the infection chain and ScanBox control flow\nThe ScanBox C2 domain image[.]australianmorningnews[.]com has resolved to three IP addresses:\nIP address | First seen | Last seen\n198.13.45[.]227 | 2022-06-06 | 2022-07-08\n139.180.161[.]195 | 2022-04-26 | 2022-06-05\n45.77.237[.]243 | 2022-04-25 | 2022-04-25",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea"
	],
	"report_names": [
		"chasing-currents-espionage-south-china-sea"
	],
	"threat_actors": [
		{
			"id": "f0ebaf6d-5e1a-4ed7-aa2c-0e69a648acea",
			"created_at": "2022-10-25T16:07:23.597455Z",
			"updated_at": "2026-04-10T02:00:04.683154Z",
			"deleted_at": null,
			"main_name": "Evil Eye",
			"aliases": [],
			"source_name": "ETDA:Evil Eye",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf",
			"created_at": "2022-10-25T16:07:24.273478Z",
			"updated_at": "2026-04-10T02:00:04.918037Z",
			"deleted_at": null,
			"main_name": "TA413",
			"aliases": [
				"White Dev 9"
			],
			"source_name": "ETDA:TA413",
			"tools": [
				"Exile RAT",
				"ExileRAT",
				"Sepulcher"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00311cd932c635381929af6b471c2006dcac4481.pdf",
		"text": "https://archive.orkl.eu/00311cd932c635381929af6b471c2006dcac4481.txt",
		"img": "https://archive.orkl.eu/00311cd932c635381929af6b471c2006dcac4481.jpg"
	}
}