{
	"id": "b05d88dd-2bd0-480c-a57a-160e01098989",
	"created_at": "2026-04-06T01:30:03.803721Z",
	"updated_at": "2026-04-10T03:33:22.370961Z",
	"deleted_at": null,
	"sha1_hash": "146effdaf3eaffc82e313a11ecc88ed7d1daebd4",
	"title": "Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194864,
	"plain_text": "Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole\r\nBy Ericka Chickowski, Contributing Writer\r\nPublished: 2015-02-10 · Archived: 2026-04-06 00:39:33 UTC\r\nAnother day, another cyberespionage campaign attributed to a Chinese hacking group. Today's newly identified hacking push is a watering hole attack against Forbes and other targets last November, which iSIGHT Partners and Invincea attribute as likely the handiwork of a long-running group they call Codoso Team, also known as Sunshop Group. The campaign was made possible by a zero-day attack that strung together a now-patched Adobe vulnerability with a bypass vulnerability in Microsoft's ASLR technology for Internet Explorer, which the company patched today.\r\nResearch evidence showed the attack running for only a couple of days, but in addition to some highly targeted web properties it infected the Thought of the Day widget on Forbes.com with the intent to perform drive-by-download attacks via the Flash vulnerability. In spite of the mainstream reach of Forbes, which Alexa ranks as the 61st most popular website on the Internet, the targets of this attack were fairly narrow. Attackers seemed to be going after defense sector firms, Chinese dissident groups and other political targets, as well as certain financial targets and other commercial targets in the pharmaceutical and energy sectors that could benefit the Chinese economy.\r\n\"So what’s really interesting about this is it separates a lot of cyber espionage activity from say criminal activity. These guys don’t typically just put drive-bys anywhere,\" says John Hultquist, senior manager of cyber espionage threat intelligence for iSIGHT. \"They don’t want anybody’s information. What they want is information associated with the requirements that they have. Usually those requirements are gathering intelligence on intellectual property, gathering strategic intelligence, gathering information on say dissidents or security issues that they’re working.\"\r\nFirst publicly identified as the Sunshop Group by FireEye in 2013, Codoso Team has been on security research radars since 2010 as it perpetrated numerous targeted attacks using zero-day vulnerabilities.\r\n\"You may remember in 2010 the prize was actually awarded to a noted Chinese dissident,\" says Hultquist. \"Shortly after that these operators went in, popped the website, and used that website to serve up exploits to visitors, again a very targeted concept. Since then they don’t only operate this way or through this manner, they’re also carrying out targeted spearphishing attacks.\"\r\nIt also shares attack techniques with Deep Panda, which, like Codoso, leans heavily on the Derusbi malware to carry out attacks. While they may be sharing resources, iSIGHT believes them to be two distinct gangs.\r\nAccording to Anup Ghosh, CEO at Invincea, his team first noticed activity around the Forbes.com site through a defense firm customer. Typically used to tracking broad malvertising campaigns on similar media sites, his team was surprised to see the attack going after only specific customer types, primarily in the defense sector. He also says the attack was unusual in its use of chained zero-day exploits: not only did it exploit a Flash zero-day, it also leveraged a zero-day ASLR bypass to defeat that mitigation.\r\n\"Effectively in modern operating systems and browsers there is a layer of technology that Microsoft has added to the mix that really makes it much more difficult for a particular exploit to figure out what address base it’s operating in. So it makes it more difficult or nearly impossible to execute a buffer overflow,\" explains Patrick McBride, vice president at iSIGHT. \"In this case the team was able to exploit that ASLR, get outside of that box, if you will, and then directly exploit the Flash vulnerability.\"\r\nAbout the Author\r\nEricka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.\r\nSource: https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059"
	],
	"report_names": [
		"1319059"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439003,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/146effdaf3eaffc82e313a11ecc88ed7d1daebd4.pdf",
		"text": "https://archive.orkl.eu/146effdaf3eaffc82e313a11ecc88ed7d1daebd4.txt",
		"img": "https://archive.orkl.eu/146effdaf3eaffc82e313a11ecc88ed7d1daebd4.jpg"
	}
}