{
	"id": "9d16b9c2-6fd7-46b5-83fa-9b9085b09e86",
	"created_at": "2026-04-06T01:31:51.05561Z",
	"updated_at": "2026-04-10T03:35:47.259233Z",
	"deleted_at": null,
	"sha1_hash": "8178b16b31ea8ab91ace6c1bb6ac9c40d27da1d7",
	"title": "Cyberspies target military organizations with new Nebulae backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 962048,
	"plain_text": "Cyberspies target military organizations with new Nebulae backdoor\r\nBy Sergiu Gatlan\r\nPublished: 2021-04-28 · Archived: 2026-04-06 00:39:02 UTC\r\nA Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations spanning roughly two years and targeting military organizations from Southeast Asia.\r\nFor at least a decade, since 2010, the hacking group known as Naikon has actively spied on organizations in countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand.\r\nNaikon is likely a state-sponsored threat actor tied to China, mostly known for focusing its efforts on high-profile organizations, including government entities and military organizations.\r\nhttps://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/\r\nPage 1 of 5\r\nBackdoor used for persistence backup after detection\r\nDuring their attacks, Naikon abused legitimate software to side-load the second-stage malware dubbed Nebulae, likely used to achieve persistence, according to research published today by security researchers at Bitdefender's Cyber Threat Intelligence Lab.\r\nNebulae provides additional capabilities allowing attackers to collect system information, manipulate files and folders, download files from the command-and-control server, and execute, list, or terminate processes on compromised devices.\r\nThe malware is also designed to gain persistence by adding a new registry key so that it relaunches automatically after login on system restarts.\r\n\"The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as a backup access point to the victim in the case of a negative scenario for the actors,\" Bitdefender researcher Victor Vrabie said.\r\nNebulae side-loading (Bitdefender)\r\nFirst-stage backdoor used as a swiss-army knife\r\nIn the same series of attacks, the Naikon threat actors also delivered first-stage malware known as RainyDay or FoundCore, used to deploy second-stage payloads and tools for various purposes, including the Nebulae backdoor.\r\n\"Using the RainyDay backdoor, the actors performed reconnaissance, uploaded its reverse proxy tools and scanners, executed the password dump tools, performed lateral movement, achieved persistence, all to compromise the victims’ network and to get to the information of interest,\" Vrabie added [PDF].\r\nBesides deploying additional payloads on compromised systems, attackers can also send RainyDay commands over TCP or HTTP to manipulate services, access a command shell, uninstall the malware, take screen captures, and manipulate, download, or upload files.\r\nRainyDay backdoor (Bitdefender)\r\nDuring attacks observed between June 2019 and March 2021, Naikon dropped malicious payloads using side-loading and DLL hijacking vulnerabilities impacting:\r\nSandboxie COM Services (BITS) (SANDBOXIE L.T.D)\r\nOutlook Item Finder (Microsoft Corporation)\r\nVirusScan On-Demand Scan Task Properties (McAfee, Inc.)\r\nMobile Popup Application (Quick Heal Technologies (P) Ltd.)\r\nARO 2012 Tutorial\r\nBitdefender confidently attributed this operation to the Naikon threat actor based on command-and-control servers and malicious payloads belonging to the Aria-Body loader malware family used in the group's past operations.\r\nSource: https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/"
	],
	"report_names": [
		"cyberspies-target-military-organizations-with-new-nebulae-backdoor"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439111,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8178b16b31ea8ab91ace6c1bb6ac9c40d27da1d7.pdf",
		"text": "https://archive.orkl.eu/8178b16b31ea8ab91ace6c1bb6ac9c40d27da1d7.txt",
		"img": "https://archive.orkl.eu/8178b16b31ea8ab91ace6c1bb6ac9c40d27da1d7.jpg"
	}
}