A China-linked hacking group has been caught targeting edge routers across Southeast Asia with a Linux malware implant designed to hijack DNS traffic and maintain long-term access to compromised networks.
According to researchers at Qiita, the campaign targets border routers and network infrastructure rather than traditional endpoints, allowing attackers to operate unseen by most security tools. The main payload is a custom Linux ELF binary named router.elf, which is deployed directly onto compromised devices.
The malware establishes encrypted command-and-control (C&C) communications over HTTPS on port 443. It sends DNS requests through Cloudflare’s DNS over HTTPS (DoH) service, disguising malicious traffic as normal encrypted web activity in order to avoid detection.
Researchers said the attackers also abuse the router’s built-in Linux iptables firewall system. The implant creates persistent NAT rules that redirect all DNS queries from devices behind the router to attacker-controlled DNS servers. This allows the threat actors to manipulate website traffic, intercept software update requests, and selectively redirect users based on a dynamic targeting list called evil_fix.
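One way a defender can check a router for this kind of DNS hijack is to audit the NAT table for DNAT rules that steer port-53 traffic to anything other than an approved resolver. The script below is an added example, not code from the report; it parses a constructed `iptables-save` style listing (addresses taken from the RFC 5737 documentation ranges, not real indicators) and the trusted resolver list is an assumption you would replace with your own.

```python
import re
import ipaddress

# Constructed sample of `iptables-save -t nat` output: two port-53 DNAT rules of the
# kind described above, one unrelated DNAT rule and a normal MASQUERADE rule.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.10:53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.10
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Matches a PREROUTING DNAT rule and captures its match options and destination.
DNAT_RE = re.compile(
    r"^-A PREROUTING\b(?P<match>.*)-j DNAT --to-destination "
    r"(?P<dest>[0-9.]+)(?::(?P<port>\d+))?"
)


def suspicious_dns_redirects(rules_text, trusted_resolvers):
    """Return DNAT rules that redirect port-53 traffic anywhere but a trusted resolver.

    trusted_resolvers: addresses your own DNS forwarding is allowed to point at
    (assumed placeholder values in the test; use the router's real resolver).
    """
    trusted = {ipaddress.ip_address(r) for r in trusted_resolvers}
    findings = []
    for line in rules_text.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m or "--dport 53" not in m.group("match"):
            continue  # not a DNAT rule, or not aimed at DNS
        dest = ipaddress.ip_address(m.group("dest"))
        if dest in trusted:
            continue  # deliberate local forwarding, not a hijack
        findings.append({"rule": line.strip(), "destination": str(dest)})
    return findings


if __name__ == "__main__":
    for f in suspicious_dns_redirects(SAMPLE_NAT_RULES, ["192.168.1.1"]):
        print("DNS redirected to", f["destination"], "by:", f["rule"])
```

On a live device, feed it the output of `iptables-save -t nat` and treat any finding as a reason to inspect the router's processes and persistence mechanisms.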
Several technical artifacts suggest a China-based origin, including Mandarin-language strings embedded inside the malware, a hardcoded zh-CN language setting in the implant’s communication profile, and a cracked offensive security tool previously associated with China-linked operations.
The attackers deploy a secondary backdoor called client_rc_start, which allows continued access even if the main malware is removed from the router.
Additionally, researchers have observed the threat actors targeting Windows systems using a cracked version of Cobalt Strike Beacon delivered through DLL sideloading, a technique that abuses legitimate applications to load malicious code while avoiding detection.
Qiita’s report also provides recommendations for network defenders and Indicators of Compromise (IoCs) related to the above campaign.