A China-linked cyber-espionage group has deployed a new backdoor in attacks targeting military organizations located in Southeast Asia with the goal of collecting data.
The culprit behind the attacks has been identified as Naikon, a threat actor known for targeting organizations from multiple countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand. The group, which has been active since at least 2010, is mainly focused on high-profile organizations, including government entities and military organizations.
During the campaign, which was conducted between June 2019 and March 2021, the hacker group abused legitimate software to side-load the second-stage backdoor dubbed Nebulae, which allowed the attackers to collect system information, manipulate files and folders, download files from the command-and-control server, and execute, list, or terminate processes on compromised devices.
“The data we obtained so far tell almost nothing about the role of the Nebulae in this operation, but the presence of a persistence mechanism could mean that it is used as a backup access point to the victim in the case of a negative scenario for the actors,” according to researchers at Bitdefender's Cyber Threat Intelligence Lab.
In the observed attacks, the Nebulae malware was used as the first stage of the attack along with the Aria-Body loader. Nebulae was discovered while analyzing the main instrument used in this operation, the RainyDay backdoor, through which several other custom-made or public tools were delivered during the attack life cycle.
The RainyDay backdoor allowed the threat actor to perform reconnaissance, upload reverse proxy tools and scanners, run password-dumping tools, perform lateral movement, achieve persistence, and reach the information of interest.
The researchers attributed this cyber-espionage campaign to the Naikon hacker group based on command-and-control servers and malicious payloads belonging to the Aria-Body loader malware family used in Naikon's past attacks.