{
	"id": "f1f9c44d-ba64-4812-a1dc-12cf89d68ad8",
	"created_at": "2026-04-06T01:29:11.866247Z",
	"updated_at": "2026-04-10T03:36:33.971855Z",
	"deleted_at": null,
	"sha1_hash": "f1b4fe6f07e32aa7dc2d63e14cf07c2704b0d4e8",
	"title": "Chinese state hackers target Hong Kong Catholic Church",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 478461,
	"plain_text": "Chinese state hackers target Hong Kong Catholic Church\r\nBy Catalin Cimpanu\r\nPublished: 2020-07-15 · Archived: 2026-04-06 00:19:42 UTC\r\nImage: Mateus Campos Felipe\r\nChina's government hackers have targeted members of the Hong Kong Catholic Church in a series of spear-phishing operations traced back to May this year.\r\nThe attacks have come to light after reports [1, 2, 3] that some of Hong Kong's church leaders and clergy have\r\nbeen directly involved in supporting pro-democracy protests despite orders from the Vatican to remain neutral.\r\nThe spear-phishing campaign fits recent reports that Chinese government hacking groups are focusing cyber-espionage efforts on the Hong Kong region after pro-democracy protests began last year [1, 2].\r\nThe spear-phishing campaign\r\nThe current attacks were revealed earlier this week by a malware analyst who goes online by the pseudonym of\r\nArkbird.\r\nIn an interview, the researcher told ZDNet he discovered malware samples typically associated with Chinese state\r\ngroups uploaded on VirusTotal.\r\nThe malware files were ZIP and RAR archives containing Windows executable files [1, 2, 3].\r\nAccording to sandbox analysis, unpacking and running the files starts a legitimate app like Microsoft Word or\r\nAdobe Reader.\r\nThe legitimate apps load a lure document, such as communications from Vatican officials or news articles from\r\nthe Union of Catholic Asian News, a news portal dedicated to tracking the affairs of the Catholic church and\r\ncommunities across Asia.\r\nArkbird says that alongside the legitimate apps and the lure documents, a malicious DLL file is also loaded that\r\ninstalls malware on the victim's computer, using a technique known as DLL-sideloading.\r\nIn a phone interview today, Fred Plan, malware analyst at Mandiant Threat Intelligence, part of US 
cyber-security\r\nfirm FireEye, said that this particular version of the DLL-sideloading technique has been a staple of Chinese\r\nnation-state hacking groups for years.\r\nPlan, who reviewed Arkbird's findings, said the final payload was a malware commonly known as PlugX, a\r\nremote access trojan that grants attackers control over infected hosts.\r\nBased on previous public reporting, Arkbird attributed the malware samples to a group known as Mustang Panda,\r\na Chinese hacking group known for its widespread use of DLL-sideloading (according to Lab52) and its targeting\r\nof religious groups, including Catholic organizations (according to Anomali).\r\nMandiant, who uses a more strict group-tracking system, said this particular cluster of activity around these\r\nattacks was not connected to existing clusters but confirmed its connection to Chinese cyber-espionage efforts.\r\nArkbird published his findings on Twitter this week after receiving the go-ahead from Italian law enforcement,\r\nwhere a colleague also reported the attacks.\r\nA spokesperson for the Hong Kong Catholic Diocese did not return a request for comment sent yesterday. A\r\nspokesperson for the Rome Holy See did not want to comment.\r\nThe complicated China-Vatican relations\r\nRelations between China and the Vatican have improved in recent years but are still on thin ice. The two broke all\r\ndiplomatic ties in 1951. 
At the time, Beijing's fledgling communist rule began cracking down on all religious\r\ngroups with the aim of bringing local leadership structures under the Communist Party's control.\r\nAfter the fallout, China began appointing its own party-approved bishops across the country, a move that split the\r\nChinese Catholic community.\r\nA part continued attending masses at official government-mandated churches with party-imposed bishops, while\r\nthe other attended underground churches -- unrecognized by both China and the Vatican, but believed to have\r\noperated all these years with the Holy See's blessing.\r\nRelations between China and the Holy See eventually thawed in the 2000s, as China sought a more prominent\r\nrole in international affairs, and both parties began brokering an agreement of collaboration.\r\nThe agreement, signed in September 2018, allowed the Pope to resume the Vatican's control over the Chinese\r\nCatholic Church by giving it the power to appoint bishops -- with the caveat that the bishops also had to receive a\r\ngreen light from the Communist Party.\r\nThis agreement stands to be renewed in September later this year, and Hong Kong Holy See officials have used it\r\nas a reasoning point not to show public support for the protests, fearing Chinese leadership might isolate the\r\nChinese Catholic Community again, as they did in previous decades.\r\nArticle updated to remove a link to a report about the Hong Kong Archbishop of the Anglican Church that was\r\nerroneously cited. ZDNet regrets the error.\r\nSource: https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/"
	],
	"report_names": [
		"chinese-state-hackers-target-hong-kong-catholic-church"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438951,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1b4fe6f07e32aa7dc2d63e14cf07c2704b0d4e8.pdf",
		"text": "https://archive.orkl.eu/f1b4fe6f07e32aa7dc2d63e14cf07c2704b0d4e8.txt",
		"img": "https://archive.orkl.eu/f1b4fe6f07e32aa7dc2d63e14cf07c2704b0d4e8.jpg"
	}
}