{
	"id": "1a8be6d0-18ff-4de5-9018-4e51904f101e",
	"created_at": "2026-04-06T00:18:42.384069Z",
	"updated_at": "2026-04-10T03:24:23.970761Z",
	"deleted_at": null,
	"sha1_hash": "621ded63b22c0ff2eb5faed74ac8e130411db6d2",
	"title": "Mongolian certificate authority hacked eight times, compromised with malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94548,
	"plain_text": "Mongolian certificate authority hacked eight times, compromised with malware\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 13:44:12 UTC\r\nHackers have breached a server belonging to MonPass, one of Mongolia's largest certificate authorities (CA), and have backdoored the company's official client with a Cobalt Strike-based backdoor.\r\nThe backdoor was active inside the company's official certificate installer app between February 8 and March 3 this year, security firm Avast said in a report today.\r\nIncident has the hallmarks of a cyber-espionage campaign\r\nThe security breach came to light in late March when Avast discovered the backdoored installer and backdoor on one of its customers' systems.\r\nFrom March to June, the security firm worked with the CERT Mongolia team and MonPass to investigate the intrusion, with MonPass providing a cloned image of the compromised server to Avast for further investigation.\r\nOur analysis beginning in April 2021 indicates that a public web server hosted by MonPass was breached potentially eight separate times: we found eight different webshells and backdoors on this server.\r\nAvast research team of Luigino Camastra, Igor Morgenstern, and Jan Vojtěšek\r\nBut despite having access to the compromised server, the Avast team said it was not able to attribute the intrusion \"with an appropriate level of confidence\" to any specific threat actor.\r\n\"However it's clear that the attackers clearly intended to spread malware to users in Mongolia by compromising a trustworthy source, which in this case is a CA in Mongolia,\" researchers added.\r\nSigns point to a Chinese threat actor\r\nBut while Avast was not able to link the intrusion to a specific threat actor, previous cyber-espionage activity recorded in Mongolia and other Asian countries points the finger towards Beijing.\r\nFor example, in December 2020, security firm ESET discovered that a Chinese hacking group compromised a software company that supplied software to multiple Mongolian government agencies.\r\nIn the same month, Avast also disclosed details about a Chinese cyber-espionage campaign that targeted government agencies using spear-phishing emails, during which the threat actor tried to install backdoors and keyloggers on employee workstations.\r\nhttps://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/\r\nPage 1 of 3\n\nIn an incident eerily similar to the MonPass breach, a Chinese cyber-espionage group also breached and inserted malware inside the certificate installation app provided by the Vietnam Government Certification Authority (VGCA), a Vietnamese CA that provided digital certificates to local companies and government agencies.\r\nThese past campaigns and the fact that the threat actor removed the backdoor on its own, most likely after infecting the desired target, suggest this was a highly targeted attack against a high-profile Mongolian entity rather than a run-of-the-mill financially-themed malware distribution scheme.\r\nA MonPass spokesperson was not available for comment on the Avast report, but Avast said the company appears to have cleaned up its server and notified customers who downloaded its backdoored client app earlier this year.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/"
	],
	"report_names": [
		"mongolian-certificate-authority-hacked-eight-times-compromised-with-malware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434722,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/621ded63b22c0ff2eb5faed74ac8e130411db6d2.pdf",
		"text": "https://archive.orkl.eu/621ded63b22c0ff2eb5faed74ac8e130411db6d2.txt",
		"img": "https://archive.orkl.eu/621ded63b22c0ff2eb5faed74ac8e130411db6d2.jpg"
	}
}