3 October 2024

New China-aligned threat actor CeranaKeeper steals data from Southeast Asian entities

A previously unknown threat actor named CeranaKeeper has been observed carrying out a series of data exfiltration attacks targeting governmental institutions in Southeast Asia.

Slovak cybersecurity firm ESET reports that CeranaKeeper, which has been active since 2022, is linked to campaigns in Thailand, Myanmar, the Philippines, Japan, and Taiwan, aligning its activities with Chinese state-sponsored groups.

The first identified campaigns, which took place in 2023, were aimed at governmental institutions in Thailand. The group's operations bear similarities to the notorious China-aligned threat actor Mustang Panda, known for cyber espionage activities, but ESET researchers believe that they are two separate clusters based on organizational and technical differences between the two.

CeranaKeeper is notable for its evolving backdoor techniques, which allow it to evade detection and facilitate extensive data theft. One of the group's tactics involves the abuse of legitimate cloud and file-sharing services, including Dropbox and OneDrive, to build custom backdoors and data extraction tools.

Additionally, CeranaKeeper leverages GitHub’s pull request and issue comment features to stealthily create reverse shells, using the platform as a command-and-control (C2) server.
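The cloud-service and GitHub-comment abuse described above leaves a traffic pattern defenders can look for: a process that is neither a browser nor a known sync or git client repeatedly reaching issue or pull-request comment endpoints, or the Dropbox and OneDrive APIs. The following detection sketch is an added example and not ESET's tooling or anything from the report; the log format, process names and allow-list are constructed assumptions.

```python
"""Flag unexpected processes polling GitHub comment endpoints or cloud
storage APIs in proxy logs. Added detection example; the log layout,
process allow-list and thresholds are assumptions, not from the report."""
import re
from collections import defaultdict

# URL shapes for the services the article says are abused (assumed API paths).
C2_PATTERNS = {
    "github_comments": re.compile(
        r"^https://api\.github\.com/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments"),
    "dropbox_api": re.compile(r"^https://(content\.)?dropboxapi\.com/"),
    "onedrive_graph": re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/drive/"),
}
# Processes for which this traffic is expected on a workstation (assumed allow-list).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "git.exe", "Dropbox.exe", "OneDrive.exe"}
MIN_HITS = 3  # repeated reaches by one process before alerting

# Constructed proxy-log format: "<date> <time> host=<h> proc=<p> url=<u>"
LOG_RE = re.compile(r"^(\S+ \S+) host=(\S+) proc=(\S+) url=(\S+)$")

def parse_line(line):
    """Return (timestamp, host, proc, url) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None

def find_suspicious(lines, min_hits=MIN_HITS):
    """Return {(host, proc, service): hit_count} for non-allow-listed
    processes that reached an abused service at least min_hits times."""
    hits = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, proc, url = parsed
        if proc in EXPECTED_PROCESSES:
            continue
        for service, pat in C2_PATTERNS.items():
            if pat.match(url):
                hits[(host, proc, service)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

# Constructed sample log: WS-17 shows a system process polling one issue thread.
SAMPLE_LOG = """\
2024-10-03 09:00:01 host=WS-01 proc=chrome.exe url=https://api.github.com/repos/acme/app/issues/7/comments
2024-10-03 09:00:05 host=WS-17 proc=svchost.exe url=https://api.github.com/repos/test-org/notes/issues/3/comments
2024-10-03 09:01:05 host=WS-17 proc=svchost.exe url=https://api.github.com/repos/test-org/notes/issues/3/comments
2024-10-03 09:02:05 host=WS-17 proc=svchost.exe url=https://api.github.com/repos/test-org/notes/issues/3/comments
2024-10-03 09:02:40 host=WS-17 proc=svchost.exe url=https://content.dropboxapi.com/2/files/upload
2024-10-03 09:03:00 host=WS-22 proc=Dropbox.exe url=https://content.dropboxapi.com/2/files/upload
""".splitlines()

if __name__ == "__main__":
    for key, count in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT host={key[0]} proc={key[1]} service={key[2]} hits={count}")
```

Tune the allow-list to the endpoint's actual software inventory; on a developer workstation git and IDE processes legitimately touch these endpoints, so the value of the rule lies in the process context rather than the destination alone.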

Beyond Thailand, the group has also targeted Myanmar, Japan, the Philippines, and Taiwan—countries that have previously been in the crosshairs of Chinese state-sponsored threat actors.

Once a foothold is established, CeranaKeeper spreads throughout the network, even turning some compromised systems into update servers for its backdoor.

CeranaKeeper’s toolkit includes a series of custom malware components, including TONEINS, TONESHELL, and PUBLOAD, which the group uses to carry out its attacks. These tools were previously attributed to Mustang Panda, but, as mentioned above, CeranaKeeper appears to operate as a separate group.

The threat actor has also been observed disabling security measures on infected machines by leveraging legitimate software, such as Avast drivers, to mask their operations. Once embedded within a network, CeranaKeeper deploys backdoors across multiple machines and continuously updates its tools, making it difficult for defenders to detect or mitigate the attacks.

