Monday, May 5, 2025
HomeCyber AttackChinese Hackers Attacking Semiconductor Industries using Cobalt Strike beacon

Chinese Hackers Attacking Semiconductor Industries using Cobalt Strike beacon

Published on

SIEM as a Service

Follow Us on Google News

A cyber espionage campaign has been discovered in which threat actors use a variant of the HyperBro loader along with a Taiwan Semiconductor Manufacturing (TSMC) lure in order to target semiconductor industries in regions like Taiwan, Hong Kong, and Singapore.

The tactics, techniques, procedures, and activities of this threat actor are attributed to and overlap with the People’s Republic of China (PRC) backed cyber espionage group. 

Technical Analysis

The HyperBro loader variant used a digitally signed CyberArk binary for a DLL-Side Loading attack, resulting in the in-memory execution of a Cobalt Strike beacon.

- Advertisement - Google News

Further analysis from EclecticIQ revealed another undocumented malware downloader using the PowerShell BitsTransfer module to fetch malicious binaries from a compromised Cobra DocGuard server.

The malware downloader also uses a DLL Side-Loading technique, which uses a signed McAfee binary, mcods.exe, to run the Cobalt Strike shellcode. This shellcode, however, uses the same Cobalt Strike C2 server linked with the HyperBro loader variant.

Cobra DocGuard’s compromised web server also hosted a Go language-based backdoor which has been termed “ChargeWeapon”. This backdoor was found to be uploaded by the same threat actor and is designed to get remote access. It also sends device and network information from a victim’s computer to a C2 server controlled by an attacker.

Graph view of the threat actor activities
Graph view of the threat actor activities (Source: Eclecticiq)

ChargeWeapon – GO Language-Based Backdoor

Once infected, the ChargeWeapon backdoor starts to transmit the data about the compromised host in JSON format and obfuscated by a base64 encoding. The information includes Hostname, IP address (Ipv4 and Ipv6 format), and Process tree. It also employs a POST request for C2 communication over 45[.]77[.]37[.]145:8443.

In addition to this, it also has capabilities that include interacting with remote devices over Windows default CLI, WMI execution, Base64 obfuscation during C2 connection, and Reading or writing files on the infected hosts. 

This backdoor uses multiple Go-language libraries like gopsutil, go-ole, wmi, and sys. A complete report about the malware downloader, backdoor, and other information has been published by Eclecticiq. 

Indicators of Compromise

HyperBro Loader 

  • 12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df 
  • 7229bb62acc6feca55d05b82d2221be1ab0656431953012ebad7226adc63643b 
  • df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 – (legitimate binary) 
  • 45e7ce7b539bfb4f780c33faa1dff523463907ec793ff5d1e94204a8a6a00ab5 
  • df6dd612643a778dca8879538753b693df04b9cf02169d04183136a848977ce9 

C2 IP: 

  • http://38[.]54[.]119[.]239:443/jquery-3.3.1.min.js 

ChargeWeapon 

  • 3195fe1a29d0d44c0eaec805a4769d506d03493816606f58ec49416d26ce5135 

C2 IP: 

  • 45[.]77[.]37[.]145:8443 

Generic Malware Downloader 

  • ee66ebcbe872def8373a4e5ea23f14181ea04759ea83f01d2e8ff45d60c65e51 
  • e26f8b8091bbe5c62b73f73b6c9c24c2a2670719cf24ef8772b496815c6a6ce0 – (loader module) 
  • e6bad7f19d3e76268a09230a123bb47d6c7238b6e007cc45c6bc51bb993e8b46 – (legitimate binary) 
  • ce226bd1f53819d6654caf04a7bb4141479f01f9225ac6fba49248920e57cb25 
  • 56f94f1df0338d254d0421e7baf17527817607a60c6f9c71108e60a12d7d6dcf 

IP Address of second stage malware artefacts:  

  • 45[.]32[.]33[.]17 
  • 23[.]224[.]61[.]12 
  • hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcvsocfg[.]dll 
  • hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/mcods[.]exe 
  • hxxp[://]154[.]93[.]7[.]99:8090/CDGServer3/images/zh/bin[.]config 

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...