{
	"id": "9fcea0be-ff05-4b94-9a7f-1baa7253767b",
	"created_at": "2026-04-06T00:08:14.027275Z",
	"updated_at": "2026-04-10T03:35:55.920591Z",
	"deleted_at": null,
	"sha1_hash": "3e6a7e2cf65523b7b2378e654ca8d9da148cd7dd",
	"title": "Chinese Espionage Campaign Expands to Target Africa and The Caribbean",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55668,
	"plain_text": "Chinese Espionage Campaign Expands to Target Africa and The\r\nCaribbean\r\nBy gmcdouga\r\nPublished: 2024-05-23 · Archived: 2026-04-05 21:57:49 UTC\r\nCheck Point Research (CPR) sees an ongoing cyber espionage campaign focused on targeting governmental\r\norganizations in Africa and the Caribbean. Attributed to the Chinese threat actor Sharp Dragon (formerly\r\nSharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities\r\nlike C2 communication and command execution while minimizing the exposure of their custom tools. This\r\nrefined approach suggests a deeper understanding of their targets.\r\nKey Findings\r\nSharp Dragon’s (formerly referred to as Sharp Panda) operations continue, expanding their focus now to\r\nnew regions – Africa and the Caribbean.\r\nSharp Dragon utilizes trusted government entities to infect new ones and establish initial footholds in new\r\nterritories.\r\nThe threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance\r\nefforts, and adopting Cobalt Strike Beacon over custom backdoors.\r\nThroughout their operation, Sharp Dragon exploited 1-day vulnerabilities to compromise infrastructure\r\nlater used as Command and Control (C2) infrastructure.\r\nSince 2021, Check Point Research has closely monitored the activities of Sharp Dragon, a Chinese threat actor\r\nformerly known as Sharp Panda. Their historical tactics primarily involve highly targeted phishing emails, which\r\nhave previously resulted in the deployment of malware such as VictoryDLL or the Soul framework.\r\nHowever, a significant shift has been observed in recent months. Sharp Dragon redirected its focus towards\r\ngovernmental organizations in Africa and the Caribbean, demonstrating a clear expansion of their operations\r\nbeyond their original scope. 
These activities are consistent with Sharp Dragon’s established modus operandi,\r\ncharacterized by the compromise of high-profile email accounts to disseminate phishing documents leveraging a\r\nremote template weaponized using RoyalRoad. However, unlike previous tactics, these lures now deploy Cobalt\r\nStrike Beacon, indicating a strategic adaptation to enhance their infiltration capabilities.\r\nhttps://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/\r\nPage 1 of 3\n\nFigure 1 : Sharp Dragon’s shift to target Africa and the Caribbean\r\nInfection Chain\r\nFirst, the threat actors leverage highly tailored phishing emails, often disguised as legitimate correspondence, to\r\nentice victims into opening malicious attachments or clicking on malicious links. These attachments or links\r\nexecute payloads, which have evolved over time from custom malware like VictoryDLL and the Soul framework\r\nto more widely used tools such as Cobalt Strike Beacon. Upon successful execution, the malware establishes a\r\nfoothold on the victim’s system, allowing the threat actors to conduct reconnaissance and gather information about\r\nthe target environment. This reconnaissance phase enables Sharp Dragon to identify high-value targets and tailor\r\ntheir attack strategies accordingly.\r\nFigure 2 : Infection Chain Example\r\nThis infection chain highlights Sharp Dragon’s sophisticated approach to cyber operations, emphasizing careful\r\nplanning, reconnaissance, and exploitation of vulnerabilities to achieve their objectives while minimizing\r\ndetection.\r\nTactics, Techniques, and Procedures\r\nWhile the core functionality remains consistent, CPR has identified changes in their Tactics, Techniques, and\r\nProcedures (TTPs). 
Those changes reflect more careful target selection and greater operational security (OPSEC)\r\nawareness. Some changes include:\r\nWider Recon Collection: The 5.t downloader now conducts more thorough reconnaissance on target\r\nsystems, including examining process lists and enumerating folders, leading to a more discerning\r\nselection of potential victims.\r\nCobalt Strike Payload: Sharp Dragon has transitioned from using VictoryDll and the SoulSearcher\r\nframework to adopting Cobalt Strike Beacon as the payload for the 5.t downloader, providing backdoor\r\nfunctionalities while minimizing exposure of custom tools, suggesting a refined approach to target\r\nassessment.\r\nEXE Loaders: Recent observations indicate a notable change in 5.t downloaders, with some of the latest samples\r\nincorporating EXE-based loaders instead of the typical DLL-based ones, highlighting the dynamic\r\nevolution of their strategies. Additionally, Sharp Dragon has introduced a new executable, shifting from the\r\nprevious Word document-based infection chain to executables disguised as documents, closely resembling\r\nthe prior method while enhancing persistence through scheduled tasks.\r\nCompromised Infrastructure: Sharp Dragon has shifted from dedicated servers to using compromised servers\r\nas Command and Control (C\u0026C) servers, specifically by exploiting the CVE-2023-0669 vulnerability, a flaw\r\nin the GoAnywhere platform that allows pre-authentication command injection.\r\nConclusion\r\nSharp Dragon’s strategic expansion towards Africa and the Caribbean signifies a broader effort by Chinese cyber\r\nactors to enhance their presence and influence in these regions. 
The evolving tactics of Sharp Dragon underscore\r\nthe dynamic nature of cyber threats, especially towards regions that have been historically overlooked.\r\nThese findings emphasize the importance of vigilant cybersecurity measures, with products like Check Point\r\nHarmony Endpoint providing comprehensive protection against emerging threats.\r\nSource: https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/"
	],
	"report_names": [
		"chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean"
	],
	"threat_actors": [
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775792155,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e6a7e2cf65523b7b2378e654ca8d9da148cd7dd.pdf",
		"text": "https://archive.orkl.eu/3e6a7e2cf65523b7b2378e654ca8d9da148cd7dd.txt",
		"img": "https://archive.orkl.eu/3e6a7e2cf65523b7b2378e654ca8d9da148cd7dd.jpg"
	}
}