{
	"id": "98677c1c-81b0-42e6-9273-dd29f987b271",
	"created_at": "2026-04-06T01:32:38.898659Z",
	"updated_at": "2026-04-10T13:11:46.94234Z",
	"deleted_at": null,
	"sha1_hash": "8db0b5e42bfd2c023e94b7764464d342485edb61",
	"title": "Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 332450,
	"plain_text": "Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks\r\nBy The Hacker News\r\nPublished: 2021-01-15 · Archived: 2026-04-06 00:44:37 UTC\r\nCybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.\r\nAttributing the campaign to Winnti (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents that purported to be a curriculum vitae and an IELTS certificate.\r\nThe shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers; those pages are used to fetch the final-stage malware, which in turn includes a shellcode loader (\"svchast.exe\") and a backdoor called Crosswalk (\"3t54dE3r.tmp\").\r\nCrosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.\r\nhttps://thehackernews.com/2021/01/researchers-disclose-undocumented.html\r\nPage 1 of 3\r\nWhile this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found exploiting LNK files attached in an email to launch attacks on unsuspecting victims in 2020 — the researchers said the use of Crosswalk suggests the involvement of Winnti.\r\nThis is also supported by the fact that the network infrastructure of the samples overlaps with previously known APT41 infrastructure, with some of the domains traced back to Winnti attacks on the online video game industry in 2013.\r\nThe new wave of attacks is no different. Notably, the targets include Battlestate Games, a Unity3D game developer from St. Petersburg.\r\nFurthermore, the researchers found additional attack samples in the form of RAR files that contained Cobalt Strike Beacon as the payload, with the hackers in one case referencing the U.S. protests related to the death of George Floyd last year as a lure.\r\nIn another instance, compromised certificates belonging to a Taiwanese company called Zealot Digital were abused to strike organizations in Hong Kong with Crosswalk and Metasploit injectors, as well as ShadowPad, Paranoid PlugX, and a new .NET backdoor called FunnySwitch.\r\nThe backdoor, which appears to be still under development, is capable of collecting system information and running arbitrary JScript code. It also shares a number of common features with Crosswalk, leading the researchers to believe that they were written by the same developers.\r\nPreviously, Paranoid PlugX had been linked to attacks on companies in the video games industry in 2017. Thus, the deployment of the malware via Winnti's network infrastructure adds credence to the \"relationship\" between the two groups.\r\n\"Winnti continues to pursue game developers and publishers in Russia and elsewhere,\" the researchers concluded. \"Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS.\"\r\nSource: https://thehackernews.com/2021/01/researchers-disclose-undocumented.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2021/01/researchers-disclose-undocumented.html"
	],
	"report_names": [
		"researchers-disclose-undocumented.html"
	],
	"threat_actors": [
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439158,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8db0b5e42bfd2c023e94b7764464d342485edb61.pdf",
		"text": "https://archive.orkl.eu/8db0b5e42bfd2c023e94b7764464d342485edb61.txt",
		"img": "https://archive.orkl.eu/8db0b5e42bfd2c023e94b7764464d342485edb61.jpg"
	}
}