{
	"id": "faf77880-749b-4106-82cd-ed09bdbaa1bf",
	"created_at": "2026-04-06T00:22:14.643182Z",
	"updated_at": "2026-04-10T03:37:19.307509Z",
	"deleted_at": null,
	"sha1_hash": "55cbeed18460693a8eeeb204e5425af89312c2f2",
	"title": "Chinese Cyberspies Target Military Organizations in Asia With New Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100278,
	"plain_text": "Chinese Cyberspies Target Military Organizations in Asia With New Malware\r\nBy Ionut Arghire\r\nPublished: 2021-04-29 · Archived: 2026-04-05 17:22:04 UTC\r\nA cyber-espionage group believed to be sponsored by the Chinese government has been observed targeting military organizations in Southeast Asia in attacks involving previously undocumented malware, Bitdefender reported on Wednesday.\r\nLinked to the Chinese People’s Liberation Army (PLA) over half a decade ago, the Naikon advanced persistent threat (APT) was revealed last year to have conducted a five-year stealth campaign against targets in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. The group has been known to focus on government and military organizations.\r\nAlthough reports on Naikon’s activity were so far published only in 2015 and 2020, the persistent APT has been quietly operational for at least a decade, making changes to its infrastructure and toolset to ensure it can stay under the radar.\r\nLast year, after its activity was exposed, Naikon made a similar move: it switched to a new backdoor, although it continued to use previously known malware for the first stages of attack. The group has also been abusing legitimate software for nefarious purposes.\r\nThe latest campaign ran between June 2019 and March 2021, and one of the new backdoors, dubbed RainyDay, was first used in attacks in September 2020, Bitdefender says. To remain undetected, the APT would mimic legitimate software running on the infected machines. The purpose of the attacks remains espionage and data exfiltration, and the group continues to focus on Southeast Asian targets.\r\nThe RainyDay backdoor allows the attackers to perform reconnaissance on the infected machines, deploy reverse proxies, install scanners, execute tools for password dumping, move laterally on the victim’s network, and achieve persistence.\r\nhttps://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware\r\nPage 1 of 3\r\nNaikon has always used DLL side-loading for the RainyDay execution, “and there was always a vulnerable executable along with a DLL file and the rdmin.src file containing the encrypted backdoor payload,” Bitdefender explains.\r\nThe same execution technique along with the use of rdmin.src are employed by China-linked Cycldek (Goblin Panda, Conimes) for the deployment of the FoundCore RAT. Furthermore, the shellcode used for payload extraction and other payload characteristics suggest a close connection between the two malware families and a possible overlap in activity between the two groups.\r\nThe similarities are not surprising, considering that Chinese threat actors are known to be sharing infrastructure and tools, and because Naikon was previously observed using exploits attributed to other threat groups, in an attempt to evade detection.\r\nAs part of the latest attacks, the adversary also deployed a second new backdoor called Nebulae, likely as a precautionary measure.\r\nAttempting to impersonate a legitimate application, the Nebulae backdoor can harvest drive information, list and modify files and directories, execute and terminate processes, and download and run files from the command and control (C\u0026C) server.\r\n“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as a backup access point to victims in the case of a negative scenario for actors,” Bitdefender notes.\r\nFurthermore, admin domain credentials were used for lateral movement, likely after being stolen at an early stage of the attack. Persistence was typically achieved manually, while data of interest was exfiltrated to Dropbox.\r\n“Our research confidently points to an operation conducted by the Naikon group based on the extraction of the C\u0026C addresses from Nebulae samples. The particular domain dns.seekvibega.com obtained from such a sample points out to the Naikon infrastructure,” Bitdefender concludes.\r\nRelated: FireEye CEO: Reckless Microsoft Hack Unusual for China\r\nRelated: Cyber Attack Tied to China Boosts Development Bank’s Chief\r\nSource: https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware"
	],
	"report_names": [
		"chinese-cyberspies-target-military-organizations-asia-new-malware"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55cbeed18460693a8eeeb204e5425af89312c2f2.pdf",
		"text": "https://archive.orkl.eu/55cbeed18460693a8eeeb204e5425af89312c2f2.txt",
		"img": "https://archive.orkl.eu/55cbeed18460693a8eeeb204e5425af89312c2f2.jpg"
	}
}