Chinese Bronze President APT targets government agencies and NGOs in South and East Asia

An extensive cyber espionage campaign has been uncovered that is aimed at NGOs (non-governmental organizations) and law enforcement and government agencies located in South and East Asia. In the course of the campaign the threat actor leveraged custom code, as well as publicly available exploits and malware to compromise target networks, researchers at Secureworks’ Counter Threat Unit warn.

The bad actor, referred to as Bronze President, has been active since at least 2014 and is thought to be a China-based cyberespionage group that uses both proprietary and publicly available tools to target NGO networks, monitor their activities, discredit their work, or to steal their intellectual property. According to researchers, the group uses custom remote access tools alongside publicly available remote access and post-compromise toolsets.

Once a target network is compromised, the Bronze President group elevates its privileges, installs remote access tools on most systems in the network and runs custom batch scripts to collect specific file types (files with .pptx, .xlsx, .pdf extensions), or all files from a targeted NGO’s systems, as well as credentials from high-privilege network accounts and sensitive accounts, including social media and webmail.

The Secureworks team said that the latest attacks mainly targeted entities in major Asian countries such as Mongolia, India and China, focusing on national security, humanitarian, and law enforcement organizations.

“It is likely that BRONZE PRESIDENT is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” the researchers said.

In addition to custom batch scripts, the group uses a variety of remote access tools, including ones that researchers had not previously observed. Its arsenal also includes widely available or modified open-source tools, likely chosen to thwart attribution or to minimize the need for tool development resources. Bronze President was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan (RAT), the ORat loader, the RCSession basic RAT, the Nbtscan command-line tool, the Nmap network scanning tool, and Wmiexec.

Post-compromise tools observed on the compromised computers include PowerView.ps1 (a PowerShell module for network reconnaissance), PVE Find AD User (a command-line tool to identify the login locations of Active Directory (AD) users), AdFind (a command-line tool for AD queries), NetSess (enumerates NetBIOS sessions), Netview (enumerates networks), and TeamViewer (a remote control and desktop-sharing tool).
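The collection behaviour described above (batch scripts sweeping up .pptx, .xlsx and .pdf files) and the post-compromise tool list are the kind of detail a detection engineer turns into host-based hunting logic. The following is an added example, not code from the article or from Secureworks: a small Python triage script that runs heuristic rules over process-creation events. The event records, the parent-process check, the copy/archive verb list and the severity labels are all constructed assumptions for illustration; the tool names and document extensions are the ones the article reports.

```python
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    """One process-creation record (Sysmon event 1 style), constructed for this example."""
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events (not from the page). Tool and file-type names
# follow the article; hosts, paths and command lines are invented.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "winword.exe", "winword.exe quarterly.docx"),
    ProcEvent("ws01", "cmd.exe", "xcopy.exe",
              'xcopy /s /y "C:\\Users\\*\\Documents\\*.pptx" D:\\staging\\'),
    ProcEvent("ws01", "cmd.exe", "xcopy.exe",
              'xcopy /s /y "C:\\Users\\*\\Documents\\*.xlsx" D:\\staging\\'),
    ProcEvent("dc01", "cmd.exe", "AdFind.exe", "AdFind.exe -f objectcategory=group -dn"),
    ProcEvent("ws02", "cmd.exe", "nbtscan.exe", "nbtscan.exe 10.0.0.0/24"),
    ProcEvent("ws03", "powershell.exe", "powershell.exe",
              "powershell.exe -ep bypass -File C:\\temp\\PowerView.ps1"),
    ProcEvent("ws04", "services.exe", "TeamViewer_Service.exe", "TeamViewer_Service.exe"),
]

# Post-compromise tooling named in the article, matched case-insensitively
# against image name and command line. Keys are substrings, so renamed
# binaries with the same command-line vocabulary still hit on the cmdline.
RECON_TOOLS = {
    "powerview": "PowerView.ps1 (AD/network reconnaissance)",
    "pvefindaduser": "PVE Find AD User (user logon locations)",
    "adfind": "AdFind (AD queries)",
    "netsess": "NetSess (NetBIOS session enumeration)",
    "netview": "Netview (network enumeration)",
    "nbtscan": "Nbtscan (NetBIOS scan)",
    "nmap": "Nmap (network scan)",
    "wmiexec": "Wmiexec (remote execution over WMI)",
}

# Document types the article says the batch scripts collect, plus an assumed
# list of copy/archive verbs a collection script would call.
DOC_EXTENSIONS = ("pptx", "xlsx", "pdf")
COPY_VERBS = ("xcopy", "robocopy", "copy", "rar", "7z", "7za", "makecab")
_MASS_COPY = re.compile(r"\*\.(" + "|".join(DOC_EXTENSIONS) + r")\b", re.IGNORECASE)


def match_recon_tool(ev):
    """Return the description of a listed recon tool present in the event, else None."""
    haystack = (ev.image + " " + ev.cmdline).lower()
    for key, desc in RECON_TOOLS.items():
        if key in haystack:
            return desc
    return None


def is_mass_document_copy(ev):
    """Wildcard copy/archive of pptx/xlsx/pdf launched from a shell: batch-style collection."""
    tokens = ev.cmdline.split()
    if not tokens:
        return False
    verb = tokens[0].lower().rsplit("\\", 1)[-1]
    if verb.endswith(".exe"):
        verb = verb[:-4]
    launched_from_shell = ev.parent.lower() in ("cmd.exe", "conhost.exe")  # assumption
    return verb in COPY_VERBS and launched_from_shell and bool(_MASS_COPY.search(ev.cmdline))


def classify(ev):
    """Return a list of (rule, severity) findings for one event."""
    findings = []
    tool = match_recon_tool(ev)
    if tool:
        findings.append(("recon_tool:" + tool, "high"))
    if is_mass_document_copy(ev):
        findings.append(("mass_document_collection", "high"))
    if "teamviewer" in ev.image.lower():
        # Legitimate software in many environments, so review-only severity.
        findings.append(("remote_control_tool:TeamViewer", "low"))
    return findings


def scan(events):
    """Group findings by host: {host: [(rule, severity, cmdline), ...]}."""
    per_host = {}
    for ev in events:
        for rule, sev in classify(ev):
            per_host.setdefault(ev.host, []).append((rule, sev, ev.cmdline))
    return per_host


def triage_order(per_host):
    """Hosts sorted by count of high-severity findings (descending), then by name."""
    def highs(h):
        return sum(1 for _, sev, _ in per_host[h] if sev == "high")
    return sorted(per_host, key=lambda h: (-highs(h), h))


if __name__ == "__main__":
    report = scan(SAMPLE_EVENTS)
    for host in triage_order(report):
        for rule, sev, cmd in report[host]:
            print(f"{host:6} {sev:4} {rule:50} {cmd}")
```

The substring matching is deliberately loose: the article notes the group modifies open-source tools, so a rule keyed only on exact binary hashes would miss renamed builds, while command-line vocabulary (AdFind filters, PowerView script names, CIDR arguments to a scanner) survives renaming. The cost is false positives from administrators who legitimately run the same tools, which is why the output is ordered for triage rather than treated as an alert on its own.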

“BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities,” the team concluded.

Additional information on the observed cyberespionage campaign, as well as IOCs, is available in the Secureworks Counter Threat Unit write-up.
