Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia

Chinese-linked hackers employ two new backdors in attacks on gambling and betting companies in Southeast Asia

Since the summer of 2019, a nation-state threat actor that has links with Chinese hackers has been targeting gambling and betting companies located in Southeast Asia using previously undocumented backdoors, as well as publicly available and custom tools, according to a new Trend Micro research. While there’s been some reporting about Europe and the Middle East also being targeted the researchers could not confirm hacks.

The group which Trend Micro calls "DRBControl" appears to be interested in information theft seeing as exfiltrated data was mostly comprised of databases and source codes suggesting that the main goal of the operation is likely cyber-espionage, rather than monetary gain.

Trend Micro said the group's malware and operational tactics overlap with similar MO used by Winnti and Emissary Panda, two hacking groups that previously have been linked by researchers to Chinese government. Apart from new unknown backdoors (both of which use DLL side-loading through the Microsoft-signed MSMpEng.exe file), the threat actor uses known malware such as PlugX and the HyperBro backdoor, Trochilus RAT, as well as post-exploitation tools and Cobalt Strike software.

Interestingly, one of the deployed malware uses Dropbox file hosting and file sharing service as its command-and-control (C&C) channel and as a storage medium for second-stage payloads and exfiltrated data.

The attackers use spear-phishing emails with weaponized .DOCX files as a means to deliver malware. Trend Micro said DRBControl distributes three versions of the infecting documents.

The first version, when double-clicked by the user, embeds an executable file that is launched and acts as a dropper for the malware, a second version of the document embeds a .BAT file, which also acts as a downloader for the same malware, and the third version of the document uses PowerShell to download the malware.

“The threat actor described here shows solid and quick development capabilities regarding the custom malware used, which appears to be exclusive to them. The campaign exhibits that once an attacker gains a foothold in the targeted entity, the use of public tools can be enough to elevate privileges, perform lateral movements in the network, and exfiltrate data,” the researchers said.

More technical information about observed campaign and its relations to known APT groups provided in a Trend Micro whitepaper “Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations.”

Back to the list

Latest Posts

Russian-linked hackers exploit Google App passwords in email espionage campaign

Russian-linked hackers exploit Google App passwords in email espionage campaign

Victims were tricked into creating and sharing ASPs under the mistaken belief that they are enabling secure communication with the US Department of State.
19 June 2025
FBI-wanted member of ransomware gang arrested in Ukraine, extradited to the US

FBI-wanted member of ransomware gang arrested in Ukraine, extradited to the US

Using custom-developed malware, including ransomware such as LockerGoga, MegaCortex, HIVE and Dharma, the hackers encrypted data on corporate networks.
18 June 2025
Russian crypto executive sentenced to prison in US for market manipulation scheme

Russian crypto executive sentenced to prison in US for market manipulation scheme

In a 2019 interview, Andriunin openly described building algorithms to carry out these fake trades.
18 June 2025