{
	"id": "66f4f870-55c2-4d21-9f0f-f73ccfc8e2cc",
	"created_at": "2026-04-06T00:16:01.521041Z",
	"updated_at": "2026-04-10T13:11:35.454737Z",
	"deleted_at": null,
	"sha1_hash": "c05a805917b119c6a5d11626ae1e4b8f1b067bb3",
	"title": "Hacking activity of SectorB Group in 2021 – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 711481,
	"plain_text": "Hacking activity of SectorB Group in 2021 – Red Alert\r\nArchived: 2026-04-05 18:54:13 UTC\r\nChinese government-supported hacking group SectorB\r\nSectorB is a hacking group supported by the Chinese government; 48 subgroups have been identified so far. They conduct hacking operations worldwide to collect intelligence on the political and diplomatic activities of governments. The subgroups show a trend of sharing malware and vulnerabilities among themselves for their operations.\r\n[Figure 1 : SectorB subgroup activities identified in 2021]\r\nTheir attacks have targeted staff of government institutions and national defense organizations to collect intelligence, and they were observed expanding their targets to the national finance and IT industries connected with “One Belt, One Road”, China’s diplomatic and economic policy.\r\nAmong the 48 subgroups of SectorB, the most active in 2021 was SectorB22, followed by SectorB01, SectorB03 and SectorB35.\r\nThe following figure maps the countries targeted by SectorB groups in 2021. A darker shade of red represents a higher number of attacks.\r\nhttps://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/\r\n[Figure 2 : Map of mainly targeted countries by SectorB groups in 2021]\r\nFrom these results, SectorB carried out the greatest number of hacking activities against Hong Kong, a special administrative region of China, followed by the United States and Russia.\r\nHong Kong has maintained political and economic systems distinct from mainland China, but recently democracy movements have emerged there against the introduction of China’s socialist political system. In this context, some of the hacking groups supported by the Chinese government launched hacking activities against Hong Kong’s pro-democracy figures for surveillance purposes.\r\nAdditionally, China launched hacking attacks on Russian research institutions with the purpose of stealing advanced science and technology related to the latest military technologies, such as aircraft carriers and jet aircraft.\r\nActivity details of SectorB groups in 2021\r\nThe following is the timeline and monthly details of the hacking activities by SectorB groups identified in 2021.\r\n[Figure 3 : Timeline of main activities by SectorB group in 2021]\r\nJanuary Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 4 hacking groups was identified in January: SectorB01, SectorB07, SectorB22 and SectorB31.\r\nSectorB01 group was found to be active in China, Hong Kong, and the Philippines. In this activity, user-mode rootkit malware built to attack Linux systems was identified.\r\nSectorB07 group was found to be active in China and Brazil. The attackers used malicious MS Word documents disguised as resumes, using the template injection technique for their attacks.\r\nSectorB22 group was found to be active in Australia. In this activity, a modified PlugX malware used by the attackers was identified.\r\nSectorB31 group was found to be active in Germany. In this activity, IP addresses used in hacking activities targeting Germany’s public and governmental institutions were identified.\r\nFebruary Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 3 hacking groups was identified in February: SectorB04, SectorB22 and SectorB32.\r\nSectorB04 group was found to be active in Japan, Turkey, and the United States. The main targets of this activity were Japanese corporations located in Japan or having overseas branches, and the attackers exploited SSL-VPN vulnerabilities for initial access.\r\nSectorB22 group was found to be active in Taiwan, Hong Kong, Sri Lanka, Uganda, Poland, and Canada. The attackers compromised the update process of NoxPlayer, an Android emulator, to lead users into downloading update programs containing malicious functions.\r\nSectorB32 group was found to be active in Russia. Malicious LNK files were identified in this activity; on execution they carry out various commands through PowerShell. The LNK file was disguised as a legitimate program using the file name ‘adobeagent.lnk’.\r\nMarch Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 7 hacking groups was identified in March: SectorB01, SectorB03, SectorB10, SectorB22, SectorB23, SectorB25 and SectorB35.\r\nSectorB01 group was found to be active in India, Taiwan, the United States, the Philippines, Indonesia, and Iran. The group attacked critical infrastructure such as India’s electricity generation plants, and multiple domains believed to have been used in the attacks were identified. During this period, attacks exploiting Microsoft Exchange Server vulnerabilities were found, and along with the previously used ShadowPad malware, various tools such as Mimikatz were found to have been used by SectorB01 in the attack.\r\nSectorB03 group was found to be active in Hong Kong, Taiwan, China, and the United States. The group also exploited Microsoft Exchange Server vulnerabilities, along with the SysUpdate backdoor, a NetBIOS name scanning tool and an HTTP tunneling tool.\r\nSectorB10 group exploited Microsoft Exchange Server vulnerabilities, and malware written in Delphi that the group had used in the past was identified alongside.\r\nSectorB22 group was found to be active in Pakistan and Vietnam. The group also exploited Microsoft Exchange Server vulnerabilities to attack public utility companies. In this attack, they used malware disguised as Adobe Flash Player installers.\r\nSectorB23 group was found to be active in Germany. The group also exploited Microsoft Exchange Server vulnerabilities for their attacks, and PlugX malware was identified in the attack as well.\r\nSectorB25 group was found to be active in the Netherlands and Russia. The group also exploited Microsoft Exchange Server vulnerabilities for attacks targeting cybersecurity consulting companies in Eastern Europe.\r\nSectorB35 group was found to be active in India, Italy, Canada, Iran, Belgium, the United States, Spain, Switzerland, Finland, the United Arab Emirates, Israel, the Netherlands, Poland, Austria, Turkey, Germany, Hungary, China, and South Korea. The group exploited Microsoft Exchange Server vulnerabilities to distribute cryptomining malware. They used the same vulnerabilities to distribute ransomware and botnet malware as well.\r\nApril Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 5 hacking groups was identified in April: SectorB09, SectorB14, SectorB23, SectorB25 and SectorB37.\r\nSectorB09 group was found to be active in Taiwan and Germany. The group used PLEAD malware in ELF (Executable and Linkable Format) to collect system information from infected systems, using OpenSSL to encrypt its communication with the C2 server.\r\nSectorB14 group was found to be active in Germany, Spain, China, Hong Kong, Slovakia, and Vietnam. The group used MS Word documents on various subjects such as COVID-19; the macro embedded in the document drops a legitimate executable, a malicious DLL, a decoy document, and a CAB file containing encoded data. In the final stage, the legitimate executable loads the malicious DLL, which communicates with the C2 server.\r\nSectorB23 group was found to be active in Nepal, Russia, Macedonia, Australia, Kazakhstan, Switzerland, Ukraine, the United States, Afghanistan, Italy, India, and the Czech Republic. The group exploited Microsoft Exchange Server vulnerabilities to attack various industries. They deployed PlugX malware on the infected systems, and most of the domains used in the activity were registered through one specific hosting company.\r\nSectorB25 group was found to be active in Russia, the United States and Mongolia. The group used spear-phishing emails with attached RTF (Rich Text Format) files exploiting vulnerabilities, in hacking activities targeting a submarine design company in Russia.\r\nSectorB37 group was found to be active in the Czech Republic, Bangladesh, and China. The group used MS Word documents with embedded macro scripts, disguised as a document about an expressway in a certain Southeast Asian country. The VBS file created by the macro was encoded with Microsoft Script Encoder; on execution it collects system information through the WMI service and communicates with the C2 server over an encrypted channel.\r\nMay Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 1 hacking group was identified in May: SectorB23.\r\nSectorB23 group was found to be active in China, Hong Kong, and Italy. The group used malware packaged with PyInstaller and disguised as an Adobe Flash Player installer. On execution, the malware establishes communication with the C2 server and downloads additional files related to network tunneling.\r\nJune Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 2 hacking groups was identified in June: SectorB22 and SectorB38.\r\nSectorB22 group was found to be active in Myanmar, Japan, the Netherlands, Taiwan, the Philippines, China, Singapore, Thailand, and the United States. A supply chain attack on the official website of Myanmar’s president was identified, with malicious ZIP archives distributed through the website.\r\nSectorB38 group was found to be active in Vietnam and China. The group used malicious MS Word documents themed on reports by an audit committee of the Vietnamese government; the documents use the template injection technique to download from a remote server an RTF (Rich Text Format) file exploiting the Microsoft Office Equation Editor vulnerability.\r\nJuly Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 4 hacking groups was identified in July: SectorB08, SectorB22, SectorB25 and SectorB27.\r\nSectorB08 group was found to be active in Taiwan. The malicious MS Word document identified in this activity contained a macro script which, in the final stage, executes PowerShell to download malware hosted on Google Drive and uses a legitimate WinRAR program to extract the downloaded files.\r\nSectorB22 group was found to be active in Vietnam, South Korea, and China. In this activity, malware similar to that used in the supply chain attack on the Vietnamese government certification authority in December 2020 was identified. The malware from these two activities shares a similar code structure, Rich Header hash and PDB (Program Database) path, and both use service DLL files disguised with an NLS (National Language Support) extension.\r\nSectorB25 group was found to be active in Russia, Japan, France, and England. In this activity, RTF documents built with the Royal Road weaponizer were found; the document, disguised as a “Statement by non-departmental expert committee on Aerospace”, contains Equation Editor exploits.\r\nSectorB27 group was found to be active in the United States, Russia, and China. In this activity, Netfilter rootkit malware signed by Microsoft was found, and the hacking group is believed to have created the malware to target the online game industry. The malware was signed and distributed using certificates of Microsoft and other companies.\r\nAugust Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 2 hacking groups was identified in August: SectorB31 and SectorB35.\r\nSectorB31 group was found to be active in France and China. In this activity, attacks affecting numerous institutions in France were identified. Various customized open-source tools were used to steal information, and ELF malware was used to exploit router vulnerabilities.\r\nSectorB35 group was found to be active in Spain, Ireland, Italy, and England. The group exploited the ProxyShell vulnerability chain in Microsoft Exchange Server, using CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 to execute code remotely on the Exchange servers.\r\nSeptember Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 4 hacking groups was identified in September: SectorB01, SectorB04, SectorB22 and SectorB43.\r\nSectorB01 group was found to be active in Canada, India, England, France, Austria, Luxembourg, Hong Kong, Bahrain, the United States, South Korea, and Singapore. The group targeted staff in fields such as government institutions, academia, religion, and IT. They used .NET loaders to load malware into the memory of infected systems.\r\nSectorB04 group was found to be active in England, the United States, Hong Kong, Germany, France, and India. The group exploited vulnerabilities to attack industries such as manufacturing, finance, travel and tourism. They used compromised Microsoft Exchange servers to connect to the target’s network and continuously monitor their victims.\r\nSectorB22 group was found to be active in Japan, England, and the United States. The group used documents disguised as material on China’s national assembly and constitutional law. The malware, delivered as compressed archives, used DLL side-loading to have a legitimate program load the malicious DLL, avoiding suspicion from users.\r\nSectorB43 group was found to be active in Russia. In this activity, a malware family was found to be continuously updated by a particular actor at regular intervals. Each update adds new functions, and the malware provides various RAT (Remote Administration Tool) functions.\r\nOctober Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 2 hacking groups was identified in October: SectorB09 and SectorB46.\r\nSectorB09 group attacked a certain company in this activity, using malware built with the MFC (Microsoft Foundation Class) libraries. The malware contained functions to collect information from the infected system and to download and execute additional malware.\r\nSectorB46 group was found to be active in Russia. The group used a zero-day vulnerability in a Windows kernel driver to attack staff of defense industries and diplomatic institutions.\r\nNovember Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 1 hacking group was identified in November: SectorB03.\r\nSectorB03 group was found to be active in China, the Czech Republic, and the United States. The group exploited vulnerabilities in password management solutions to deliver malicious payloads to staff in industries such as defense, energy, education, and consulting services.\r\nDecember Hacking Activities\r\nAmong the SectorB groups supported by the Chinese government, activity by a total of 5 hacking groups was identified in December: SectorB03, SectorB09, SectorB22, SectorB35 and SectorB43.\r\nSectorB03 group was found to be active in Hong Kong, Denmark, and the Netherlands. The group exploited vulnerabilities in corporate IT operations and service management software to attack the medical, electronics and IT industries.\r\nSectorB09 group was found to be active in China. The group used malicious MS Excel files disguised as weekly work reports in this activity.\r\nSectorB22 group was found to be active in Vietnam, Taiwan, Myanmar, and Russia. The group used malware in compressed archives disguised as Adobe library files in this activity.\r\nSectorB35 group was found to be active in the United States. The group exploited an RCE (Remote Code Execution) vulnerability in an Apache software framework that allows arbitrary code execution.\r\nSectorB43 group was found to be active in Mongolia. In this activity, the group used RTF (Rich Text Format) malware exploiting Equation Editor vulnerabilities, disguised as featured news.\r\nThe full report detailing each event together with IoCs (Indicators of Compromise) and recommendations is available to existing NSHC ThreatRecon customers. For more information, please contact service@nshc.net.\r\nSource: https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/"
	],
	"report_names": [
		"hacking-activity-of-sectorb-group-in-2021"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c05a805917b119c6a5d11626ae1e4b8f1b067bb3.pdf",
		"text": "https://archive.orkl.eu/c05a805917b119c6a5d11626ae1e4b8f1b067bb3.txt",
		"img": "https://archive.orkl.eu/c05a805917b119c6a5d11626ae1e4b8f1b067bb3.jpg"
	}
}