{
	"id": "3baf8f0b-474d-4a8d-86ea-025342949884",
	"created_at": "2026-04-06T00:06:54.792977Z",
	"updated_at": "2026-04-10T13:12:08.36954Z",
	"deleted_at": null,
	"sha1_hash": "c3da622133926e6f86647b7de7b14d9ccdf9c963",
	"title": "ChamelGang \u0026 Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 463408,
	"plain_text": "ChamelGang \u0026 Friends | Cyberespionage Groups Attacking\r\nCritical Infrastructure with Ransomware\r\nBy Aleksandar Milenkoski \u0026 Julian-Ferdinand Vögele (Recorded Future)\r\nPublished: 2024-06-26 · Archived: 2026-04-05 15:33:22 UTC\r\nExecutive Summary\r\nThreat actors in the cyberespionage ecosystem are engaging in an increasingly disturbing trend of using\r\nransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction,\r\nmisattribution, or removal of evidence.\r\nThis report introduces new findings about notable intrusions in the past three years, some of which were\r\ncarried out by a Chinese cyberespionage actor but remain publicly unattributed.\r\nOur findings indicate that ChamelGang, a suspected Chinese APT group, targeted the major Indian\r\nhealthcare institution AIIMS and the Presidency of Brazil in 2022 using the CatB ransomware. Attribution\r\ninformation on these attacks has not been publicly released to date.\r\nChamelGang also targeted a government organization in East Asia and critical infrastructure sectors,\r\nincluding an aviation organization in the Indian subcontinent.\r\nIn addition, a separate cluster of intrusions involving the off-the-shelf tools BestCrypt and BitLocker has\r\naffected a variety of industries in North America, South America, and Europe, primarily the US\r\nmanufacturing sector.\r\nWhile attribution for this secondary cluster remains unclear, overlaps exist with past intrusions that involve\r\nartifacts associated with suspected Chinese and North Korean APT clusters.\r\nOverview\r\nIn collaboration with Recorded Future, SentinelLABS has been tracking two distinct activity clusters targeting\r\ngovernment and critical infrastructure sectors globally between 2021 and 2023. 
We associate one activity cluster\r\nwith the suspected Chinese APT group ChamelGang (also known as CamoFei), while the second cluster resembles\r\nprevious intrusions involving artifacts linked to suspected Chinese and North Korean APT groups. The majority of\r\nthe activities we analyzed involve ransomware or data encryption tooling.\r\nChamelGang\r\nWe identified indicators suggesting that in 2023, ChamelGang targeted a government organization in East Asia\r\nand an aviation organization in the Indian subcontinent. This aligns with known ChamelGang victimology –\r\nprevious ChamelGang attacks have impacted critical sectors in Russia, including aviation, as well as government\r\nand private organizations in other countries such as the United States, Taiwan, and Japan. The activities we\r\nhttps://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/\r\nPage 1 of 3\n\nobserved involve the use of the group’s known TTPs, publicly available tooling seen in previous engagements,\r\nand their custom malware BeaconLoader.\r\nFurther, we suspect that in late 2022, ChamelGang was responsible for attacks on the Presidency of Brazil and the\r\nAll India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution. These attacks were publicly\r\ndisclosed as ransomware incidents and attribution information regarding the perpetrators has never been released.\r\nWe discovered strong indicators pointing to these institutions as being targeted using ChamelGang’s CatB\r\nransomware. TeamT5 associates CatB with ChamelGang based on overlaps in code, staging mechanisms, and\r\nmalware artifacts such as certificates, strings, and icons found in custom malware used in intrusions attributed to\r\nChamelGang.\r\nBestCrypt \u0026 BitLocker\r\nIn addition to the ChamelGang activities, we have observed intrusions involving abuse of Jetico BestCrypt and\r\nMicrosoft BitLocker to encrypt endpoints as a means to demand ransom. 
BestCrypt and BitLocker are used\r\nlegitimately for data protection purposes.\r\nOur telemetry data revealed that these intrusions occurred between early 2021 and mid-2023, affecting 37\r\norganizations. The majority of the affected organizations are located in North America, predominantly in the\r\nUnited States, with others in South America and Europe. The manufacturing sector was the most significantly\r\naffected, with other sectors, including education, finance, healthcare, and legal, being impacted to a lesser extent.\r\n[Figure: BestCrypt \u0026 BitLocker targets]\r\nOur full report provides extensive details, including victimology, discussions on attribution, an overview of the\r\nmalware and techniques used, as well as a comprehensive list of indicators of compromise.\r\nRansomware as a Strategic \u0026 Operational Tool in Cyber Espionage\r\nThis research highlights the strategic use of ransomware by cyberespionage actors for financial gain, disruption, or\r\nas a tactic for distraction or misattribution, blurring the lines between cybercrime and cyberespionage.\r\nMisattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions,\r\nespecially in the context of attacks on government or critical infrastructure organizations. Insufficient information\r\nsharing between the local law enforcement organizations that typically handle ransomware cases and intelligence\r\nagencies could result in missed intelligence opportunities, inadequate risk assessment, and diminished situational\r\nawareness.\r\nWe emphasize the importance of sustained exchange of data and knowledge between the different entities\r\nhandling cybercriminal and cyberespionage incidents, detailed examination of observed artifacts, and analysis of\r\nthe broader context surrounding incidents involving ransomware. 
These are crucial to identifying the true\r\nperpetrators, motive, and objectives.\r\nSentinelLABS continues to monitor cyberespionage groups that challenge traditional categorization practices. We\r\nremain committed to sharing our insights to equip organizations and other relevant stakeholders with the\r\nnecessary knowledge to better understand and defend against this threat. We are grateful to Still Hsu from TeamT5\r\nfor providing invaluable insights that contributed to our research on the ChamelGang APT group.\r\nSource: https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/"
	],
	"report_names": [
		"chamelgang-attacking-critical-infrastructure-with-ransomware"
	],
	"threat_actors": [
		{
			"id": "4434c71b-c424-4c06-b923-4f3f54f24f40",
			"created_at": "2022-10-25T16:07:23.453526Z",
			"updated_at": "2026-04-10T02:00:04.611408Z",
			"deleted_at": null,
			"main_name": "ChamelGang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "ETDA:ChamelGang",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BeaconLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DoorMe",
				"FRP",
				"Fast Reverse Proxy",
				"ProxyT",
				"Tiny SHell",
				"cobeacon",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0673493-5872-49a0-8d0d-4391302cff01",
			"created_at": "2023-03-04T02:01:54.10107Z",
			"updated_at": "2026-04-10T02:00:03.358084Z",
			"deleted_at": null,
			"main_name": "Chamelgang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "MISPGALAXY:Chamelgang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3da622133926e6f86647b7de7b14d9ccdf9c963.pdf",
		"text": "https://archive.orkl.eu/c3da622133926e6f86647b7de7b14d9ccdf9c963.txt",
		"img": "https://archive.orkl.eu/c3da622133926e6f86647b7de7b14d9ccdf9c963.jpg"
	}
}