Chinese cyberespionage op targeting Southeast Asian governments


Sophos's threat hunting team has uncovered an extensive Chinese state-sponsored cyberespionage campaign, dubbed “Operation Crimson Palace,” targeting a high-profile government organization in Southeast Asia.

The operation is believed to have begun in early 2022, with activity intensifying from March to December 2023.

The investigation began after Sophos identified a DLL sideloading technique that abused VMNat.exe, a legitimate signed VMware component, as the host process for a malicious DLL. Pulling on that thread led to the discovery of at least three distinct clusters of intrusion activity, tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305).

Despite limited visibility into the targeted network, uncovered evidence suggested long-standing access by the threat actors to unmanaged assets.

The campaign leveraged previously unreported malware, now tracked as CCoreDoor (also discovered by BitDefender) and PocoProxy, as well as an updated variant of the Eagerbee malware capable of blackholing communications to antivirus vendor domains.

Other malware observed included NUPAKAGE, the Merlin C2 Agent, Cobalt Strike, the PhantomNet backdoor, RUDEBIRD, and the PowHeartBeat backdoor.

More than 15 distinct DLL sideloading scenarios were identified, most of which abused Windows services, legitimate signed Microsoft binaries, and antivirus software as the trusted host process that loads the attacker's DLL.
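The VMNat.exe discovery and the fifteen-plus sideloading scenarios above share one observable: a signed executable loading a DLL from its own directory rather than from System32. The following is an added example, not code from Sophos or from the report, that scores Sysmon ImageLoad (Event ID 7) records for that pattern. The fields Image, ImageLoaded, Signed and Signature are Sysmon's own; HostSigned and HostSignature are assumed enrichment fields joined in from the matching ProcessCreate (Event ID 1) record, and the DLL name list and sample events are constructed for illustration, not indicators from the campaign.

```python
"""Score Sysmon ImageLoad (Event ID 7) records for DLL sideloading candidates.

Added example, not code from Sophos or the actors in the article. HostSigned
and HostSignature are assumed enrichment fields from the process-creation
event; the DLL name list and sample events are constructed for illustration.
"""
import ntpath
from typing import Dict, List

# DLL names a well-behaved process resolves from System32. A copy of one of
# these next to an executable outside the system directories is the classic
# sideloading setup. Short illustrative list, not exhaustive.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "msvcr100.dll", "msvcr110.dll", "profapi.dll",
    "iphlpapi.dll", "secur32.dll",
}
# Co-located loads inside these roots are normal and are not flagged.
TRUSTED_SYSTEM_ROOTS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
                        "c:\\windows\\winsxs")
# Roots an unprivileged user can write to (assumed list).
USER_WRITABLE_ROOTS = ("c:\\users", "c:\\programdata", "c:\\windows\\temp",
                       "c:\\temp")


def _norm(path: str) -> str:
    """Windows path normalisation that also works when run on Linux."""
    return ntpath.normpath(path).lower()


def _under(path: str, roots) -> bool:
    """True if path equals one of roots or lies somewhere beneath it."""
    return any(path == r or path.startswith(r + "\\") for r in roots)


def score_event(ev: Dict[str, str]) -> Dict:
    """Return a finding for one ImageLoad event, or {} if nothing stands out."""
    proc, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    proc_dir, dll_dir = ntpath.dirname(proc), ntpath.dirname(dll)
    # Only the same-directory case is checked here; the loader searches the
    # EXE's directory before System32, which is what sideloading relies on.
    if proc_dir != dll_dir or _under(proc_dir, TRUSTED_SYSTEM_ROOTS):
        return {}
    host_signed = str(ev.get("HostSigned")).lower() == "true"
    dll_signed = str(ev.get("Signed")).lower() == "true"
    dll_name = ntpath.basename(dll)
    reasons: List[str] = []
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll_name} normally resolves from System32 but loaded from {dll_dir}")
    if host_signed and not dll_signed:
        reasons.append("signed host process loaded an unsigned co-located DLL")
    if host_signed and dll_signed and ev.get("Signature") != ev.get("HostSignature"):
        reasons.append("co-located DLL is signed by a different publisher than the host")
    if _under(proc_dir, USER_WRITABLE_ROOTS):
        reasons.append(f"host process runs from user-writable path {proc_dir}")
    if not reasons:
        return {}
    return {"process": ev["Image"], "dll": ev["ImageLoaded"],
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict]:
    """Run score_event over a batch and keep only non-empty findings."""
    return [f for f in (score_event(e) for e in events) if f]


# Constructed sample records, not telemetry from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: system process loading a system DLL from System32
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
        "HostSigned": "true", "HostSignature": "Microsoft Windows"},
    {   # benign: application loading its own signed, co-located DLL
        "Image": r"C:\Program Files\Contoso\app.exe",
        "ImageLoaded": r"C:\Program Files\Contoso\apphelper.dll",
        "Signed": "true", "Signature": "Contoso Ltd",
        "HostSigned": "true", "HostSignature": "Contoso Ltd"},
    {   # suspicious: signed vendor binary copied under ProgramData loads an
        # unsigned DLL carrying a System32 name (hypothetical, not an IOC)
        "Image": r"C:\ProgramData\Update\vmnat.exe",
        "ImageLoaded": r"C:\ProgramData\Update\version.dll",
        "Signed": "false", "Signature": "",
        "HostSigned": "true", "HostSignature": "VMware, Inc."},
    {   # suspicious: signed binary in a temp folder loads a System32-named
        # DLL signed by an unrelated publisher
        "Image": r"C:\Users\alice\AppData\Local\Temp\work\tool.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\work\dbghelp.dll",
        "Signed": "true", "Signature": "Example Publisher Ltd",
        "HostSigned": "true", "HostSignature": "Microsoft Corporation"},
    {   # worth a look: unsigned plugin next to a signed app in Program Files
        "Image": r"C:\Program Files\Contoso\app.exe",
        "ImageLoaded": r"C:\Program Files\Contoso\plugin.dll",
        "Signed": "false", "Signature": "",
        "HostSigned": "true", "HostSignature": "Contoso Ltd"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['process']} -> {finding['dll']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The rule deliberately stays silent on co-located loads inside System32, SysWOW64 and WinSxS, and treats a lone "unsigned DLL beside a signed application in Program Files" as medium rather than high, since many legitimate installers ship unsigned helper DLLs; the combination of a System32 DLL name, a signer mismatch, and a user-writable directory is what lifts a load into the high bucket.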

The threat actors employed advanced evasion techniques, such as overwriting the in-memory copy of ntdll.dll with a clean one to strip out the user-mode hooks that the endpoint protection agent relies on to observe the process. Other methods included abusing antivirus software's own signed binaries as sideloading hosts and trying several execution techniques until one ran the malicious payload reliably.

The tools and infrastructure used in Operation Crimson Palace showed significant overlap with other Chinese threat actors, including BackdoorDiplomacy, REF5961, Worok, TA428, Unfading Sea Haze, and the APT41 subgroup Earth Longzhi. The overlap extended to objectives: the actors sought documents of intelligence value, including military documents related to strategies in the South China Sea.

The primary objective of the Crimson Palace campaign appears to be cyberespionage in support of Chinese state interests. This included accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications. Sophos assesses with moderate confidence that the three activity clusters were part of a coordinated campaign directed by a single organization; whatever the internal structure, the evidence points to a highly sophisticated and persistent effort.
