Wednesday, April 23, 2025
HomeMalwareChinese APT's New Malware MirageFox Launch Cyber Attack on Government & Military...

Chinese APT’s New Malware MirageFox Launch Cyber Attack on Government & Military Sectors

Published on

SIEM as a Service

Follow Us on Google News

Chinese government affiliated APT15 cyberespionage group involving with new MirageFox malware campaign to attack various sectors including government contractors, Military base and other private industries across the world.

The researcher believes that this new sophisticated malware campaign is to reuse the code from advanced remote access Tool called Mirage which is activity attacking various sector since 2012.

This APT15 group best known as “living off the land,” which mean they are using already available tools and advanced software to infiltrate the victim’s computer and infect with malware.

- Advertisement - Google News

Also, this attacker involving a various cyber attack using different names such as Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.

Also, researcher suspect that it Could be possible APT15 was responsible for hacking the US Navy contractor.

MirageFox code reuse Analysis

MirageFox malware campaign is using two other new version of RAT code called Mirage and Reaver which is also attributed to Chinese government affiliated groups.

Both binaries are newly uploaded in virustotal which contains few detection results and both were uploaded quite often on June 8 and June 9, 2018. and further analysis was done with analyzed them using Intezer Analyze to see if we could find any code reuse.

According to Intezer, On VirusTotal, we can see there are only 10/66 detections for this binary, 11/66 for another similar version of MirageFox (SHA256: 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5), and 9/64 for the third MirageFox binary that was uploaded (SHA256: b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2).

It was unclear about the tools that used by this  APT15 group, original infection vector and other relative information.

Researchers named this campaign as MirageFox which is taken from the string that was found in the code which is reused from Mirage and Reaver.

Here, a module by McAfee that is loaded by a few of their executables that import and call this function that means the APT15 Performing some DLL Hijacking by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process.

Also, This version connected via command & control server by infiltrating the internal network of the targeted organization and connected to their internal network using VPN.

“Finally, its collected the various information including username, CPU information, architecture it sends this information to the C&C, opens a backdoor, and sits waiting for commands from the C&C with functionality such as modifying files, launching processes, terminating itself, and more functionality typically seen in APT15’s RATs” Intezer said.

Indicator of Compromise

MirageFox

  • 28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a
  • 97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5
  • b7c1ae10f3037b7645541acb9f7421312fb1e164be964ee7acd6eb1299d6acb2
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals

In a disturbing trend, cybercriminals, predominantly from Chinese underground networks, are exploiting Near Field...

Threat Actors Leverage TAG-124 Infrastructure to Deliver Malicious Payloads

In a concerning trend for cybersecurity, multiple threat actors, including ransomware groups and state-sponsored...

Ransomware Actors Ramp Up Attacks Organizations with Emerging Extortion Trends

Unit 42’s 2025 Global Incident Response Report, ransomware actors are intensifying their cyberattacks, with...

New SMS Phishing Attack Weaponizes Google AMP Links to Evade Detection

Group-IB’s High-Tech Crime Trends Report 2025 reveals a sharp 22% surge in phishing websites,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Malware Hijacks Docker Images Using Unique Obfuscation Technique

A recently uncovered malware campaign targeting Docker, one of the most frequently attacked services...

Hackers Deploy New Malware Disguised as Networking Software Updates

A sophisticated backdoor has been uncovered targeting major organizations across Russia, including government bodies,...

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing...