{
	"id": "0a129558-da85-4c3d-a9d6-84f7e84b04bf",
	"created_at": "2026-04-06T00:12:32.656705Z",
	"updated_at": "2026-04-10T13:11:21.857513Z",
	"deleted_at": null,
	"sha1_hash": "0477b3c4a22417b05d5a39c6e9b876408fcae6d0",
	"title": "Sharp Dragon Expands Towards Africa and The Caribbean - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102776,
	"plain_text": "Sharp Dragon Expands Towards Africa and The Caribbean -\r\nCheck Point Research\r\nBy etal\r\nPublished: 2024-05-23 · Archived: 2026-04-05 14:31:55 UTC\r\nKey Findings\r\nSharp Dragon’s (Formerly referred to as Sharp Panda) operations continue, expanding their focus now to\r\nnew regions – Africa and the Caribbean.\r\nSharp Dragon, a Chinese threat actor, utilizes trusted government entities to infect new ones and establish\r\ninitial footholds in new territories.\r\nThe threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance\r\nefforts, and adopting Cobalt Strike Beacon over custom backdoors.\r\nThroughout their operation, Sharp Dragon exploited 1-day vulnerabilities to compromise infrastructure\r\nlater used as Command and Control (C2) infrastructure.\r\nIntroduction\r\nSince 2021, Check Point Research has been closely monitoring the activities of Sharp Dragon (Formerly referred\r\nto as Sharp Panda*), a Chinese threat actor. Historical activities mostly consist of highly-targeted phishing emails,\r\npreviously leading to the deployment of VictoryDLL or Soul framework.\r\nWhile the final payloads Sharp Dragon operators have deployed overtime changed, their modus operandi has been\r\npersistent, and more so, their targets, who have remained within the confines of South-East Asia in the years we\r\nwere tracking them, up until recently.\r\nIn recent months, we have observed a significant shift in Sharp Dragon’s activities and lures, now targeting\r\ngovernmental organizations in Africa and the Caribbean. Those activities very much align with known Sharp\r\nDragon modus operandi, and were characterized by compromising a high-profile email account to spread a\r\nphishing word document that leverages a remote template weaponized using RoyalRoad. 
Unlike previous activities, those lures were used to deploy Cobalt Strike Beacon.\r\n* As part of an ongoing effort to avoid confusion with other vendors’ naming conventions, the name was changed.\r\nInter-Government Relations as an Attack Vector\r\nStarting November 2023, we observed Sharp Dragon’s increased interest in governmental entities in Africa and the Caribbean. This interest manifested in direct targeting of government organizations within the two regions by exploiting previously compromised entities in Southeast Asia. Utilizing highly tailored lures that deal with relations between countries in South-East Asia and the two regions, Sharp Dragon threat actors have established their first footholds in two new territories.\r\nFigure 1 – Sharp Dragon’s shift to target Africa and the Caribbean\r\nSharp Dragon’s Cyber Activities in Africa\r\nThe first identified phishing attack targeting Africa was sent out from Country A (South-East Asia) to Country B (Africa) in November of 2023, using a lure about industrial relations between countries in South-East Asia and Africa. The document is very thorough, and its contents were likely taken from an authentic correspondence between the two countries.\r\nFigure 2 – Lure document targeting Country B in Africa\r\nFollowing those lures, we’ve also observed direct targeting within Africa in January of 2024, originating from Country B, originally targeted in November, likely indicating some of the phishing attacks were successful.\r\nSharp Dragon’s interest in Africa does not come in a vacuum, as we’ve observed a set of Chinese-affiliated threat actors targeting the region lately. This is also correlated with observations made by other vendors, who observe sustained tasking toward targeting in the region. It appears that Sharp Dragon’s activities are part of a larger effort carried out by Chinese threat actors.\r\nSharp Dragon’s Activity in the Caribbean\r\nIn a similar manner to Africa, Sharp Dragon’s operators have utilized their previous access to compromised governmental entities in South-East Asian Country A to target governmental organizations in Country C, which is in the Caribbean. The first set of identified malicious documents sent out from the compromised network was sent out in December of 2023 and used a Caribbean Commonwealth meeting lure, named “Caribbean Clerks Programme”. This lure was sent out to the Foreign Affairs ministry of Country C.\r\nFigure 3 – Caribbean-themed lure sent to a Southeast Asian government.\r\nNot long afterwards, in January of 2024, much like in Africa, Country C’s compromised governmental email infrastructure was used to send out a large-scale phishing campaign targeting a wide set of governments in the Caribbean, this time using a lure of a legitimate-looking survey around the opioid threat in the Eastern Caribbean.\r\nFigure 4 – One of the lures sent to governmental entities in the Caribbean region\r\nTechnical Analysis\r\nFigure 5 – Sharp Dragon’s infection chain since the May 2023 campaign\r\nIn our ongoing efforts to track Sharp Dragon activities, we’ve identified various minor changes in their Tactics, Techniques, and Procedures (TTPs), while the core functionality remains consistent. Those changes reflect a more careful target selection and operational security (OPSEC) awareness. Among those changes are:\r\nWider Recon Collection\r\nThe 5.t downloader now conducts more thorough reconnaissance on target systems; this includes examining process lists and enumerating folders, leading to a more discerning selection of potential victims. The collected information has the following format:\r\nHTN:\u003chostname\u003e\r\nOSN:\u003cos name\u003e\r\nOSV:\u003cos version\u003e\r\nURN:\u003cusername\u003e\r\nITF:NetworkCard:1 \u003cNetwork card info\u003e NetworkCard:2 \u003cNetwork card info\u003e ... ;\r\nPGF:[Program Files]-\u003e\u003clist of subfolders\u003e|[Program Files (x86)]-\u003e\u003clist of subfolders\u003e\r\nPSL:([System Process])\u003clist of running processes\u003e\r\nCobalt Strike Payload\r\nAdditionally, we observed a change in the delivered payload: if the machine is deemed attractive by the attackers, a payload is sent. When Check Point Research first exposed this operation in 2021, the payload was VictoryDll, a custom and unique malware enabling remote access and data collection from infected devices. Subsequently, as we continued tracking Sharp Dragon’s operations, we observed the adoption of the SoulSearcher framework.\r\nPresently, we are witnessing the use of Cobalt Strike Beacon as the payload of the 5.t downloader. This choice provides backdoor functionalities, such as C2 communication and command execution, without the risk of exposing their custom tools. However, we assume that the Cobalt Strike Beacon serves as their primary tool for assessing the attacked environment, while their custom tools come into play at a later stage, which we have yet to witness. This refined approach indicates a deeper understanding of their targets and a desire to minimize exposure, likely resulting from public disclosures of their activities.\r\nCobalt Strike Configuration:\r\n{\r\n  \"config_type\": \"static\",\r\n  \"spawnto_x64\": \"%windir%\\\\sysnative\\\\Locator.exe\",\r\n  \"spawnto_x86\": \"%windir%\\\\syswow64\\\\Locator.exe\",\r\n  \"uses_cookies\": \"True\",\r\n  \"bstagecleanup\": \"True\",\r\n  \"crypto_scheme\": 0,\r\n  \"proxy_behavior\": \"Use IE settings\",\r\n  \"server,get-uri\": \"103.146.78.152,/ajax/libs/json2/20160511/json_parse_state.js\",\r\n  \"http_get_header\": [\r\n    \"Const_header Accept: application/*, image/*, text/html\",\r\n    \"Const_header Accept-Language: es\",\r\n    \"Const_header Accept-Encoding: compress, br\",\r\n    \"Build Metadata\",\r\n    \"XOR mask w/ random key\",\r\n    \"Base64 URL-safe decode\",\r\n    \"Prepend JV6_IB4QESMW4TOIQLJRX69Q7LPGNXW594C5=\",\r\n    \"Build End\",\r\n    \"Header Cookie\"\r\n  ]\r\n}\r\nEXE Loaders\r\nAnother notable change is observed in the 5.t downloaders: some of the latest samples deviate from the usual DLL-based loaders, incorporating EXE-based 5.t loader samples. While not all the latest samples have shifted to DLLs, this change underscores the dynamic nature of their evolving strategies.\r\nRecently, Sharp Dragon has also introduced another executable, altering the initial phase of the infection chain. Instead of relying on a Word document utilizing a remote template to download an RTF file weaponized with RoyalRoad, they started using executables disguised as documents. This new method closely resembles the previous infection chain, as the executable writes the 5.t DLL loader and executes it, while also creating a scheduled task for persistence.\r\nFigure 6 – Sharp Dragon’s new infection chain\r\nCompromised Infrastructure\r\nSharp Dragon not only utilized compromised government infrastructure to target other governments but also shifted from dedicated servers to using compromised servers as C\u0026C servers. During a campaign conducted in May 2023, our team observed that certain servers used by Sharp Dragon as C2 were likely legitimate servers that were compromised. Our suspicion is that Sharp Dragon exploited the CVE-2023-0669 vulnerability, a flaw in the GoAnywhere platform allowing for pre-authentication command injection; this vulnerability was disclosed shortly before the incidents occurred.\r\nThe data collected from the affected machine was subsequently sent to the following address: https://\u003cC2_address\u003e:\u003cport\u003e/G0AnyWhere_up.jsp?Data= . This address masquerades as belonging to the GoAnywhere service, a file transfer software.\r\nConclusion\r\nThis research highlights Sharp Dragon’s strategic shift towards Africa and the Caribbean, suggesting it is part of a broader effort carried out by Chinese cyber actors to enhance their presence and influence in these two regions. This move comes after a considerable period of activity in South-East Asia, which was leveraged by Sharp Dragon actors to establish initial footholds in countries in Africa and the Caribbean.\r\nThese changes in Sharp Dragon’s tactics, showing more careful selection of targets and the use of publicly and readily available tools, are an indication of a refined approach by this threat actor to target high-profile organizations. These findings bring attention to the evolving nature of Chinese threat actors, especially towards regions that have been somewhat overlooked in global cybersecurity and by the threat intelligence community.\r\nCheck Point Customers Remain Protected Against the Threats Described in this Report.\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level and protects with the following:\r\nTrojan.Win.SharpDragon.B\r\nTrojan.Win.SharpDragon.C\r\nThreat Emulation:\r\nTrojan.Wins.Royalroad.ta.A\r\nAPT.Wins.SharpPanda.*\r\nIndicators of Compromise\r\nCobalt-Strike path\r\nhttps://\u003cc2 address\u003e/ajax/libs/json2/20160511/json_parse_state.js\r\nMutex\r\nmt_app_http_get_zed2vsp\r\nPDB\r\nD:\\Project\\0_new_plain\\0_start\\01_XXX_64bit\\01_XXX\\x64\\Release\\01_XXX.pdb\r\nd:\\project\\downloader\\dll_rls\\downloader.pdb\r\nSource: https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/"
	],
	"report_names": [
		"sharp-dragon-expands-towards-africa-and-the-caribbean"
	],
	"threat_actors": [
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0477b3c4a22417b05d5a39c6e9b876408fcae6d0.pdf",
		"text": "https://archive.orkl.eu/0477b3c4a22417b05d5a39c6e9b876408fcae6d0.txt",
		"img": "https://archive.orkl.eu/0477b3c4a22417b05d5a39c6e9b876408fcae6d0.jpg"
	}
}