{
	"id": "a737380b-3536-413a-a658-d8f0cdea6c21",
	"created_at": "2026-04-06T00:09:00.249126Z",
	"updated_at": "2026-04-10T03:33:45.870816Z",
	"deleted_at": null,
	"sha1_hash": "a562f6a1e42f9ed51072c09c830ec9e8b02af609",
	"title": "Chinese hackers abuse VLC Media Player to launch malware loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2425123,
	"plain_text": "Chinese hackers abuse VLC Media Player to launch malware loader\r\nBy Ionut Ilascu\r\nPublished: 2022-04-05 · Archived: 2026-04-05 19:55:46 UTC\r\nSecurity researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.\r\nThe campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents.\r\nThis activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/\r\nPage 1 of 4\r\nUsing VLC to deploy custom malware loader\r\nThe start of Cicada’s current campaign has been tracked to mid-2021 and was still active in February 2022. Researchers say that this activity may continue today.\r\nThere is evidence that initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines.\r\nResearchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.\r\nBrigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions.\r\nThe technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity.\r\nApart from the custom loader, which O Gorman said Symantec has not named but which has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems.\r\nThe attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020.\r\nSodamaster runs in system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution.\r\nThe malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server.\r\nSeveral other utilities observed in this campaign include:\r\nRAR archiving tool - helps compress, encrypt, or archive files, likely for exfiltration\r\nSystem/Network discovery - a way for attackers to learn about the systems or services connected to an infected machine\r\nWMIExec - Microsoft command-line tool that can be used to execute commands on remote computers\r\nNBTScan - an open-source tool that has been observed being used by APT groups for reconnaissance in a compromised network\r\nThe attackers’ dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today.\r\nA wider focus\r\nMany of the organizations targeted in this campaign appear to be government-related or NGOs (involved in educational or religious activities), as well as companies in the telecommunications, legal, and pharmaceutical sectors.\r\nSymantec researchers highlight the wide geography of this Cicada campaign, which counts victims in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.\r\nNotably, only one victim is from Japan, a country that has been the focus of the Cicada group for many years.\r\nCompared to the previous targeting from this group, which focused on Japanese-linked companies, the victims in this campaign indicate that the threat actor has broadened its interest.\r\nWhile focused on Japanese-linked companies, Cicada has in the past targeted the healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors.\r\nAt least two members of the APT10 threat group have been charged in the U.S. for computer hacking activity to help the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau get intellectual property and confidential business information from managed service providers, U.S. government agencies, and over 45 technology companies.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/"
	],
	"report_names": [
		"chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a562f6a1e42f9ed51072c09c830ec9e8b02af609.pdf",
		"text": "https://archive.orkl.eu/a562f6a1e42f9ed51072c09c830ec9e8b02af609.txt",
		"img": "https://archive.orkl.eu/a562f6a1e42f9ed51072c09c830ec9e8b02af609.jpg"
	}
}