Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups targeting entities and member countries of the Association of Southeast Asian Nations (ASEAN).

This alarming development underscores the escalating cyber threats faced by nations in the Southeast Asian region, highlighting the intricate web of digital espionage activities that continue to challenge global cybersecurity norms.

Palo Alto Networks’ Unit 42 identified cyberespionage activities by two Chinese hacking groups targeting the region for the past 90 days.

The Attackers:

  • Stately Taurus (aka Mustang Panda): A known Chinese APT group active since at least 2012, targeting government entities, nonprofits, and NGOs globally.
  • Second Unidentified Chinese APT Group: Recently compromised an ASEAN-affiliated entity, with similar activity observed in other member states.

The activity of Stately Taurus:

Coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024), Stately Taurus created two malware packages likely targeting entities in Myanmar, the Philippines, Japan, and Singapore.

The report states that ASEAN-affiliated entities are particularly attractive targets for espionage operations due to their pivotal role in handling sensitive information related to diplomatic relations and economic decisions within the region.

Package 1: The Talking_Points_for_China.zip

          Talking_Points_for_China.zip          Talking_Points_for_China.zip
Talking_Points_for_China.zip
  • A ZIP archive containing a renamed, signed anti-keylogging program that sideloads malicious code.
  • Targets attempt to connect to a malicious server (103.27.109.157:433).
  • Similar to a campaign reported by CSIRT-CTI.

Package 2: Note PSO.scr:

  • A screensaver executable targeting Myanmar.
  • Downloads a benign executable (WindowsUpdate.exe) and a malicious DLL (EACore.dll).
  • Attempts to connect to a different C2 server ([invalid URL removed] at 146.70.149.36).

Second Activity: the unidentified Chinese APT Group

  • Unit 42 discovered compromised systems within an ASEAN-affiliated entity linked to the APT group’s command-and-control (C2) infrastructure.
  • This pattern of network connections has been observed in other government entities throughout the region.
  • The targeted infrastructure includes IP addresses and domains specifically used for C2 communication.
A pattern of life: working hours (+08:00 time adjusted).
  • Interestingly, the attackers seem to follow a “work schedule” with activity concentrated on weekdays in China Standard Time (UTC+08:00) and a noticeable pause during holidays like Lunar New Year.

Mitigation:

Palo Alto Networks recommends utilizing their various security solutions to help organizations defend against these threats, including:

  • DNS Security and Advanced URL Filtering
  • WildFire threat detection engine
  • Prisma Cloud Defender agents with WildFire integration

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Sneka

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

17 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

17 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

17 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

17 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

21 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

22 hours ago