{
	"id": "d00a4e0a-eb6f-4b6f-ac0e-81d5e98c0921",
	"created_at": "2026-04-06T00:10:07.354151Z",
	"updated_at": "2026-04-10T13:11:43.455418Z",
	"deleted_at": null,
	"sha1_hash": "ee15c6885faca1b104971a2480f01107c2762a44",
	"title": "Malaysia warns of Chinese hacking campaign targeting government projects",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 868706,
	"plain_text": "Malaysia warns of Chinese hacking campaign targeting\r\ngovernment projects\r\nWritten by Catalin Cimpanu, Contributor Feb. 6, 2020 at 5:25 p.m. PT\r\nArchived: 2026-04-05 18:50:00 UTC\r\nImage:Azlan Baharudin\r\nSpecial feature\r\nA Chinese state-sponsored hacking group has been targeting Malaysian government officials, computer experts\r\nwith the Malaysian government said on Wednesday.\r\nThe purpose of the attacks has been to infect computers of government officials with malware and then steal\r\nconfidential documents from government networks, Malaysia's Computer Emergency Response Team (MyCERT)\r\nsaid in a security advisory.\r\nAttacks pattern\r\nThe attacks against government officials consist of highly-targeted spear-phishing emails.\r\nMyCERT says the attackers have been pretending to be a journalist, an individual from a trade publication, and\r\nrepresentatives for a military organization and non-governmental organization (NGO).\r\nThe emails contained links to documents stored on Google Drive. The documents, when opened, asked recipients\r\nto enable macros.\r\nThe malicious macros used two Office exploits (CVE-2014-6352 and CVE-2017-0199) to execute malicious code\r\non the victim's system to download and install malware.\r\nhttps://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/\r\nPage 1 of 2\n\n\"The group's operations tend to target government-sponsored projects and take large amounts of information\r\nspecific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings,\r\nand raw data,\" MyCERT said.\r\nMyCERT officials didn't say if government officials were compromised in these attacks.\r\nIndirectly pointing the finger at China\r\nHowever, while MyCERT didn't accuse the Chinese government directly, their advisory included links to research\r\nfrom the cyber-security community.\r\nThe write-ups [1, 2, 3, 4] describe the hacking tools and modus operandi of a cyber-espionage group known as\r\nAPT40, known for its hacking activity aligned with the interests of the Chinese government.\r\nIn an exposé published last month, an online group of cyber-security analysts calling themselves Intrusion Truth\r\nhave claimed that APT40 are contractors hired and operating under the supervision of the Hainan department of\r\nthe Chinese Ministry of State Security.\r\nAccording to FireEye, besides Malaysia, the group has also targeted Cambodia, Belgium, Germany, Hong Kong,\r\nPhilippines, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom.\r\nThe group has been primarily focused on \"engineering, transportation, and the defense industry, especially where\r\nthese sectors overlap with maritime technologies.\"\r\nThe APT40 group is also tracked by other security firms, but under other names, such as TEMP.Periscope,\r\nTEMP.Jumper, Leviathan, BRONZE MOHAWK, GADOLINIUM. The group has been active since 2014,\r\naccording to multiple reports.\r\nSecurity\r\nSource: https://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/\r\nhttps://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/"
	],
	"report_names": [
		"malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee15c6885faca1b104971a2480f01107c2762a44.pdf",
		"text": "https://archive.orkl.eu/ee15c6885faca1b104971a2480f01107c2762a44.txt",
		"img": "https://archive.orkl.eu/ee15c6885faca1b104971a2480f01107c2762a44.jpg"
	}
}