{
	"id": "a248429b-e86d-4282-a1a8-1685d1e4875b",
	"created_at": "2026-04-11T02:23:21.204648Z",
	"updated_at": "2026-04-11T02:24:15.561095Z",
	"deleted_at": null,
	"sha1_hash": "20a8dc620dc278c1dc075d0b205187c85cee8cde",
	"title": "'Stayin' Alive' Campaign in Asia - Check Point Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62142,
	"plain_text": "'Stayin' Alive' Campaign in Asia - Check Point Blog\r\nBy etal\r\nPublished: 2023-10-09 · Archived: 2026-04-11 02:16:49 UTC\r\nHighlights:\r\nCheck Point Research has been tracking “Stayin’ Alive”, an ongoing espionage campaign operating in\r\nAsia, and primarily targeting the Telecom industry, as well as government organizations.\r\nThe “Stayin’ Alive” campaign, used against high-profile Asian organizations, initially targeted\r\norganizations in Vietnam, Uzbekistan, and Kazakhstan. As we conducted our analysis, we realized that it\r\nis part of a much wider campaign targeting the region.\r\nTools observed in the campaign are linked to ‘ToddyCat’, a Chinese-affiliated actor operating in the\r\nregion.\r\nCheck Point customers using Check Point Harmony Endpoint and Threat Emulation remain protected\r\nagainst the campaign detailed in this report.\r\nIn recent months, Check Point Research has diligently monitored an ongoing cyber campaign dubbed “Stayin’\r\nAlive.” This relentless campaign, which has been active since at least 2021, has primarily set its sights on the\r\nAsian telecommunications industry and government organizations. As we delve into the intricacies of this\r\ncampaign, we uncover a web of activities that shed light on its tactics, targets, and potential origins.\r\nCampaign Overview\r\nThe “Stayin’ Alive” campaign revolves around the deployment of downloaders and loaders, often utilized as initial\r\ninfection vectors against high-profile Asian entities. The campaign’s initial discovery, a downloader called\r\nCurKeep, zeroed in on countries like Vietnam, Uzbekistan, and Kazakhstan. However, our ongoing analysis has\r\nunveiled a much broader operation encompassing the entire region.\r\nWhat makes this campaign particularly intriguing is the simplistic nature of the tools involved. They exhibit a\r\nwide variation and appear to be disposable, primarily serving as conduits for downloading and executing\r\nadditional malicious payloads. 
These tools do not share code similarities with any known cyber actor’s products\r\nand exhibit little resemblance to each other. Yet, they all trace back to a common infrastructure, linked to\r\nToddyCat, a threat actor with Chinese affiliations operating within the region.\r\nKey Highlights\r\n1. Targets and Geography: “Stayin’ Alive” primarily targets the telecommunications industry across Asia,\r\nwith a focus on countries such as Kazakhstan, Uzbekistan, Pakistan, and Vietnam.\r\n2. Infection Tactics: The campaign employs spear-phishing emails to deliver archive files using DLL side-loading techniques. Notably, it exploits a vulnerability in Audinate’s Dante Discovery software (CVE-2022-23748) by hijacking dal_keepalives.dll.\r\nhttps://blog.checkpoint.com/security/unveiling-stayin-alive-a-closer-look-at-an-ongoing-campaign-in-asia-targeting-telecom-and-governmental-entities/\r\nPage 1 of 3\n\n3. Loader Diversity: Threat actors behind the campaign leverage multiple unique loaders and downloaders, all\r\nlinked to the same infrastructure.\r\n4. Basic Yet Variable Functionality: Backdoors and loaders used in the campaign exhibit basic functionality\r\nthat varies widely. This suggests they are considered disposable and are primarily used to gain initial\r\naccess.\r\nVictimology\r\nThroughout our investigation, a consistent pattern of targeting has emerged, focusing on Asian countries such as\r\nVietnam, Pakistan, Uzbekistan, and Kazakhstan. Evidence points to spear-phishing emails, VirusTotal\r\nsubmissions, and file naming conventions as indications of this campaign’s primary targets within the telecom\r\nsector.\r\nThe Telecommunications sector is a lucrative target for nation state-backed espionage campaigns. According to\r\nCheck Point Research, since the beginning of 2023, we have seen a global weekly average of 1,504 attacks per\r\norganization in the communication industry. 
In Asia, we observed an average of 1,978 attacks in the same\r\nindustry, which is 32% higher.\r\nThe telecommunications sector consistently faces such large numbers of attacks due to the connectivity and control\r\nthese telcos have over different key infrastructures, as well as storage of sensitive information about individuals that\r\nuse these telco services, which could be sold on the dark web for a huge profit.\r\nMoreover, domains associated with various loaders and downloaders suggest that at least some of the targets, or\r\ntheir final targets, belong to government-affiliated organizations, predominantly in Kazakhstan. These domains\r\ninclude mimics of the Kazakhstan National Certificate Authority (pki.gov.kz) and certexvpn, a VPN software used\r\nby the Kazakh government.\r\nAttribution\r\nThe “Stayin’ Alive” campaign represents only a fraction of a more extensive operation involving numerous\r\nunknown tools and techniques. These custom-made tools are likely highly disposable, with no discernible code\r\noverlaps to known toolsets, including each other. However, they all share ties to infrastructure associated with\r\nToddyCat, a threat actor previously linked to Chinese espionage activities.\r\nWhile it’s not definitively confirmed that ToddyCat is behind the “Stayin’ Alive” campaign, there is a clear\r\nconnection through shared infrastructure. Furthermore, ToddyCat has been reported operating in the same\r\ncountries as the “Stayin’ Alive” campaign.\r\nConclusions\r\nIn our report, we have provided insights into the tools and techniques used in this campaign, unraveling the\r\nconnections between various backdoors through their infrastructure fingerprints. Additionally, we’ve highlighted a\r\npotential link to ToddyCat, a known Chinese-affiliated actor in the region. 
While absolute certainty about\r\nToddyCat’s involvement remains elusive, the shared infrastructure and similar targeting objectives suggest a\r\nsignificant connection.\r\nCheck Point customers remain protected against this campaign and the threats involved while using Check\r\nPoint Harmony Endpoint and Threat Emulation, which provides comprehensive coverage of attack tactics, file types, and operating systems.\r\nFor a more detailed analysis, we encourage readers to explore our full report on [research.checkpoint.com]\r\n(https://research.checkpoint.com).\r\nSource: https://blog.checkpoint.com/security/unveiling-stayin-alive-a-closer-look-at-an-ongoing-campaign-in-asia-targeting-telecom-and-governmental-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/security/unveiling-stayin-alive-a-closer-look-at-an-ongoing-campaign-in-asia-targeting-telecom-and-governmental-entities/"
	],
	"report_names": [
		"unveiling-stayin-alive-a-closer-look-at-an-ongoing-campaign-in-asia-targeting-telecom-and-governmental-entities"
	],
	"threat_actors": [],
	"ts_created_at": 1775874201,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20a8dc620dc278c1dc075d0b205187c85cee8cde.pdf",
		"text": "https://archive.orkl.eu/20a8dc620dc278c1dc075d0b205187c85cee8cde.txt",
		"img": "https://archive.orkl.eu/20a8dc620dc278c1dc075d0b205187c85cee8cde.jpg"
	}
}