The China-based cyber-espionage threat actor APT41 has been targeting government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees.
Active since at least 2007, APT41 (also tracked as Barium, Bronze Atlas, Double Dragon, Wicked Panda, or Winnti) is a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 differs from other known China-aligned hacker groups in that it uses non-public malware typically reserved for espionage campaigns in what appears to be cyber crime activity for personal gain.
Operation CuckooBees was first reported in May 2022 by cybersecurity firm Cybereason, which said the intelligence-gathering campaign had been operating under the radar since at least 2019, stealing intellectual property and other sensitive data from technology and manufacturing companies located mainly in East Asia, Western Europe, and North America. During the intrusions the hackers stole hundreds of gigabytes of information, the researchers said.
Now, Symantec’s Threat Hunter Team has observed a new wave of attacks that deployed the Spyder Loader malware on target networks, likely to gather intelligence.
Spyder Loader first came to light in March 2021 and is said to have been used “for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication.”
Symantec says that APT41 remained active on some victim networks for over a year. Besides Spyder Loader, the attackers used a variety of tools to carry out other activity on victim networks, such as a modified SQLite DLL with the malicious export sqlite3_extension_init, the Mimikatz credential dumper, as well as a trojanized ZLib DLL used for communication with a command-and-control (C&C) server and loading additional payloads.
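The modified SQLite and ZLib DLLs are the kind of artifact a defender can hunt for without a signature: a library whose export table contains a function the vendor's build never shipped. The script below is an added example, not code from Symantec's report or from the Spyder Loader toolset. It walks a PE file's export directory by hand (no third-party parser needed) and diffs the exported names against a known-good baseline. The baseline set and the sample DLL image are constructed here for the demonstration; in a real hunt the baseline comes from a vendor-signed copy of the library. The one export name taken from the page is sqlite3_extension_init; note that the same name is the default entry point of legitimate SQLite loadable extensions, so finding it inside sqlite3.dll itself is a hunting lead to be confirmed against the vendor binary, not a verdict on its own.

```python
"""Enumerate a PE DLL's export table and diff it against a known-good baseline."""
import struct
import sys

# Constructed baseline: a few real sqlite3.dll exports. A real hunt would
# build this set from a vendor-signed copy of the library, not hard-code it.
KNOWN_GOOD = {
    "sqlite3.dll": {"sqlite3_open", "sqlite3_close", "sqlite3_exec", "sqlite3_prepare_v2"},
}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return the exported function names of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)         # data directories: PE32 / PE32+
    export_rva = struct.unpack_from("<I", data, dd_off)[0]     # entry 0 = export table
    if export_rva == 0:
        return []
    sections = []
    for i in range(num_sections):
        hdr = opt_off + opt_size + 40 * i
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, hdr + 12)
        sections.append((va, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    num_names, _funcs_rva, names_rva, _ords_rva = struct.unpack_from("<IIII", data, exp + 24)
    names_off = _rva_to_offset(names_rva, sections)
    return [_cstr(data, _rva_to_offset(rva, sections))
            for rva in struct.unpack_from(f"<{num_names}I", data, names_off)]


def unexpected_exports(dll_name, data):
    """Exports present in the DLL but absent from its baseline, e.g. a planted
    sqlite3_extension_init inside sqlite3.dll. An empty list means nothing to flag."""
    baseline = KNOWN_GOOD.get(dll_name.lower())
    if baseline is None:
        raise KeyError(f"no baseline for {dll_name}")
    return sorted(set(parse_exports(data)) - baseline)


def build_sample_dll(export_names):
    """Construct a minimal, non-executable PE32+ image whose export table lists
    export_names, so the parser can be exercised offline without a real DLL."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(export_names)
    names_rva, funcs_rva = sec_va + 40, sec_va + 40 + 4 * n
    ords_rva, str_rva = funcs_rva + 4 * n, funcs_rva + 6 * n
    strings, str_rvas = bytearray(), []
    for name in export_names:
        str_rvas.append(str_rva + len(strings))
        strings += name.encode() + b"\0"
    section = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                                    funcs_rva, names_rva, ords_rva))
    section += struct.pack(f"<{n}I", *str_rvas)                          # AddressOfNames
    section += struct.pack(f"<{n}I", *(0x2000 + 16 * i for i in range(n)))  # placeholder code RVAs
    section += struct.pack(f"<{n}H", *range(n))                          # ordinals
    section += strings
    section += b"\0" * (-len(section) % 0x200)
    image = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))     # DOS header, e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL, 1 section
    image += struct.pack("<H", 0x20B) + b"\0" * 110                      # PE32+ optional header ...
    image += struct.pack("<II", sec_va, len(section)) + b"\0" * 120      # ... export directory entry
    image += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_va, len(section), sec_raw, 0, 0, 0, 0, 0)
    image += b"\0" * (sec_raw - len(image))
    return bytes(image + section)


if __name__ == "__main__":
    # Usage: python hunt_exports.py <dll name> <path>; prints exports missing from the baseline.
    with open(sys.argv[2], "rb") as fh:
        print(unexpected_exports(sys.argv[1], fh.read()))
```

The same baseline diff applies to the trojanized ZLib DLL the report describes: any export that the vendor's zlib build does not have is worth pulling for analysis. Exports alone will not catch a trojanized library that keeps the original export list and hides its loader inside an existing function, so pair this with a hash or signature comparison against the vendor copy.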
“The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time. Companies that hold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks protected from this kind of activity,” Symantec has warned.