Dragon Breath and Phishing Campaigns Distribute Gh0st RAT to Chinese Users

The cyber threat landscape targeting Chinese-speaking users has intensified with the detection of multiple malware campaigns. Two recent reports highlight the sophistication of threat actors using the Gh0st RAT remote access trojan, a malware family known for its versatility. One of the campaigns involves the threat actor known as Dragon Breath (also tracked as APT-Q-27 or Golden Eye), which uses a multi-stage loader called RONINGLOADER to deliver a modified variant of Gh0st RAT. Simultaneously, another series of large-scale phishing campaigns has been distributing the same malware. ...

November 19, 2025 · Comfidentia

Dragon Breath Campaign Deploys Gh0st RAT Using Sophisticated Evasion Techniques

The threat group known as Dragon Breath, also tracked as APT-Q-27 and Golden Eye, has been detected using a multi-stage loader called RONINGLOADER to deliver a modified variant of the Gh0st RAT remote access Trojan. This campaign primarily targets Chinese-speaking users and uses Trojanized NSIS installers that impersonate legitimate software such as Google Chrome and Microsoft Teams. According to researchers at Elastic Security Labs, the infection chain employs a multi-stage delivery mechanism that incorporates advanced evasion techniques. These techniques are specifically designed to neutralize popular endpoint security products in the Chinese market. ...

November 19, 2025 · Comfidentia

PlushDaemon group uses new EdgeStepper backdoor for AitM attacks

The PlushDaemon threat actor has been identified using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary-in-the-Middle (AitM) attacks. EdgeStepper has the ability to redirect all DNS queries to an external malicious node, diverting traffic from legitimate software update infrastructure to attacker-controlled infrastructure.

About the Threat Actor PlushDaemon

PlushDaemon is a China-aligned threat group, active since at least 2018. It is known for directing attacks against entities in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. ...

November 19, 2025 · Comfidentia

PlushDaemon Uses Backdoor EdgeStepper for AitM Attacks and Software Update Hijacking

The threat group known as PlushDaemon has been detected using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary-in-the-Middle (AitM) attacks and hijack software update mechanisms. EdgeStepper, a previously undocumented implant, has been designed to reroute victims' DNS queries to attacker-controlled infrastructure. This backdoor allows PlushDaemon to redirect legitimate software update traffic to malicious nodes, facilitating the delivery of second-stage payloads.

The Threat Actor PlushDaemon and Its Objectives

PlushDaemon is a China-aligned advanced persistent threat (APT) group, active since at least 2018. It has targeted entities in various regions, including the US, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. ...

November 19, 2025 · Comfidentia