June 4, 2021

Researchers Identified New Chinese Spying Campaign Targeting Southeast Asia

New Chinese Spying Campaign

Researchers identified a new Chinese spying campaign targeting a Southeast Asian government, in particular its Ministry of Foreign Affairs. The attackers used spear-phishing to plant a previously unknown backdoor on victims' machines. Further analysis shows that they relied on old Microsoft Office exploits and on loaders fitted with anti-analysis and anti-debugging techniques to gain access to the victims' machines.

Who Is Behind This New Chinese Spying Campaign?

Several pieces of evidence led researchers to suspect that this new Chinese spying campaign is linked to a Chinese advanced persistent threat (APT) group tracked as SharpPanda.

Who Are the Targets of This New Chinese Spying Campaign?

As noted above, these surveillance operations were seen targeting a Southeast Asian government, and most of all its Ministry of Foreign Affairs. The attackers were not only interested in spying on official assets; they also went after the victims' personal assets to gather as much information as possible. Researchers also warn that the campaign could be expanded to other targets around the world.

How Is This New ‘Chinese Spying Campaign’ Operated?

  1. The threat actors weaponize a DOCX file that impersonates an official document from another department of the government.

  2. The fake government document is delivered to multiple members of the Ministry of Foreign Affairs using various social engineering techniques.

  3. When the recipient opens the document, it fetches the next-stage payload from the attackers' remote server: an RTF file weaponized with a variant of a tool named RoyalRoad, which builds custom Microsoft Office documents with embedded objects. The attackers used this tool to carry old Microsoft Word exploits. The RTF contains an encrypted downloader, which is decrypted with the RC4 algorithm using the key 123456 and saved as 5.t in the %Temp% folder. Research revealed that a scheduled task named Windows Update is then created to run the exported function StartW from 5.t with rundll32.exe once a day.

  4. The downloader (5.t) starts exchanging information with the attackers' remote server at HTTPS://<C&C IP>/<working_folder>/Main.php?Data=<encrypted_data>, and the server responds with a shellcode loader served from HTTPS://<C&C IP>/<working_folder>/buy/<hostname>.html. The downloader collects the victim's computer hostname, OS name and version, system type (32/64 bit), user name, and the MAC addresses of the network adapters. It is also capable of querying WMI to detect installed anti-virus products.

  5. In the final phase of the attack, the loader connects to the remote server, from which the backdoor implant dubbed VictoryDll_x86.dll is downloaded and executed.
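The step that an analyst reproduces most often from this chain is the recovery of 5.t: carve the object out of the RoyalRoad RTF and decrypt it with RC4 under the reported key 123456. The script below is an added example, not code from the original article or from the researchers' report. It implements RC4 itself (no third-party dependency), decrypts a blob, and runs two cheap triage checks: does the result look like a PE file, and does the StartW export name the scheduled task calls appear in it. The encrypted blob is constructed inside the script from a fake minimal PE so the example runs offline; with a real sample you would replace SAMPLE_BLOB with the bytes carved from the RTF object.

```python
"""Added example (not from the original article or the researchers' report):
recover the encrypted downloader (5.t) with RC4 under the reported key
"123456" and triage the result. The encrypted input is constructed here from
a fake minimal PE so the script runs offline."""
import re

RC4_KEY = b"123456"  # key reported in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_downloader(blob: bytes, key: bytes = RC4_KEY) -> dict:
    """Decrypt a carved RTF object and return triage facts about the plaintext."""
    plain = rc4(key, blob)
    return {
        "size": len(plain),
        "is_pe": looks_like_pe(plain),
        # crude string-level check: the export the scheduled task runs via
        # rundll32 should be visible in the decrypted DLL's export table
        "has_startw": re.search(rb"StartW\0", plain) is not None,
        "plaintext": plain,
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for 5.t: DOS header, e_lfanew -> 'PE\\0\\0', a StartW string."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40 bytes of DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points right after it
    body = b"PE\0\0" + b"\0" * 20 + b"StartW\0" + b"Main.php?Data=\0"
    return bytes(hdr) + body


# Constructed "carved object": the fake PE encrypted with the reported key.
SAMPLE_BLOB = rc4(RC4_KEY, build_fake_pe())

if __name__ == "__main__":
    result = recover_downloader(SAMPLE_BLOB)
    print({k: v for k, v in result.items() if k != "plaintext"})
    # A wrong key yields noise, so the PE check is what tells you the key was right.
    print("wrong key is PE:", recover_downloader(SAMPLE_BLOB, b"wrong")["is_pe"])
```

Because RC4 is symmetric, the same rc4() call that decrypts a real sample is what the script uses to build its test input; the PE-header check is the signal that the key was correct, since a wrong key produces bytes that fail it.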

The backdoor supports a wide range of operations, including:

  • Delete/Create/Rename/Read/Write Files and get files attributes

  • Get processes and services information

  • Get screenshots

  • Read from and write to a pipe in order to run commands through cmd.exe

  • Create/Terminate Process

  • Get TCP/UDP tables

  • Get CDROM drives data

  • Get registry keys info

  • Get titles of all top-level windows

  • Get victim computer information: computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user

  • Shutdown PC

Backdoor Commands

Message Type                              | Type ID  | Arguments (request / response)     | Source
Send victim's information                 | 0x2      | Info                               | Victim
CDROM drives data                         | 0x4      | – / Drives data                    | Both
Get Files data                            | 0x5/0x6  | Path / Files data                  | Both
Create Process                            | 0x7      | Command Line                       | C&C server
Rename File                               | 0x8      | Old filename, New filename         | C&C server
Delete File                               | 0x9      | Filename                           | C&C server
Read File                                 | 0xa      | Filename, Offset / File's content  | Both
Exit Pipe                                 | 0xb      | –                                  | C&C server
Create Pipe                               | 0xc      | –                                  | C&C server
Write To Pipe                             | 0xd      | Buffer                             | C&C server
Get Uninstalled software data             | 0xe      | – / Software data                  | Both
Get windows text                          | 0xf      | – / Windows text                   | Both
Get active processes data                 | 0x10     | – / Processes data                 | Both
Terminate Process                         | 0x11     | Process ID                         | C&C server
Get screenshot                            | 0x12/0x13| – / Screenshot temp file           | Both
Get services data                         | 0x14     | – / Services data                  | Both
Get TCP/UDP tables                        | 0x15     | – / Tables data                    | Both
Get registry key data                     | 0x16     | Registry path / Reg data           | Both
Shutdown                                  | 0x17     | –                                  | C&C server
Exit process                              | 0x18     | –                                  | C&C server
Restart current process                   | 0x19     | –                                  | C&C server
Write to file                             | 0x4C7    | Filename, Buffer                   | C&C server
Start Connection                          | 0x540    | Zero Byte                          | Victim
Get victim's information/Update XOR key   | 0x541    | New XOR key / Victim's info        | Both
None                                      | 0x120E   | –                                  | C&C server
Ack                                       | 0x129D3  | Name ('admin' in our case)         | Victim

Where the Arguments column holds two values separated by a slash, the first is what the C&C server sends with the request and the second is what the victim returns; "Both" in the Source column marks those request/response pairs.

Indicators of Compromise

SHA-1                                     File
03a57262a2f3563cf0faef5cde5656da437d58ce  5.t
388b7130700dcc45a052b8cd447d1eb76c9c2c54  5.t
176a0468dd70abe199483f1af287e5c5e2179b8c  5.t
01e1913b1471e7a1d332bfc8b1e54b88350cb8ad  loader
8bad3d47b2fc53dc6f9e48debac9533937c32609  ServExe (x64)
0a588f02e60de547969d000968a458dcdc341312  VictoryDll

C&C servers

Old backdoor versions
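Hashes alone are the weakest of the indicators above, since any recompile changes them. A hunting pass should also look for the behaviour the article describes: a scheduled task named Windows Update whose action is rundll32.exe running the StartW export of a ".t" file in %Temp%, rundll32 launches with that command line, and HTTPS requests shaped like /Main.php?Data= and /buy/<hostname>.html. The script below is an added example, not code from the original article or the researchers, and runs over a handful of telemetry records constructed inline. The SHA-1 values are the ones listed on this page; the C&C address 203.0.113.10, the path "work" and the host names are placeholders because the article's C&C list is not reproduced here.

```python
"""Added example (not from the original article or the researchers' report):
hunt constructed telemetry records for the SharpPanda artifacts the article
reports. SHA-1 values come from the article's IoC list; 203.0.113.10, the
working folder "work" and all host/user names are placeholders."""
import re

IOC_SHA1 = {
    "03a57262a2f3563cf0faef5cde5656da437d58ce",  # 5.t
    "388b7130700dcc45a052b8cd447d1eb76c9c2c54",  # 5.t
    "176a0468dd70abe199483f1af287e5c5e2179b8c",  # 5.t
    "01e1913b1471e7a1d332bfc8b1e54b88350cb8ad",  # loader
    "8bad3d47b2fc53dc6f9e48debac9533937c32609",  # ServExe (x64)
    "0a588f02e60de547969d000968a458dcdc341312",  # VictoryDll
}

# rundll32 loading a file called 5.t from a Temp directory and calling StartW
RUNDLL32_5T = re.compile(r"rundll32(?:\.exe)?\s+\S*\\temp\\5\.t\s*,\s*StartW\b", re.I)
# the two C&C URL shapes from the article
C2_MAIN = re.compile(r"/Main\.php\?Data=", re.I)
C2_BUY = re.compile(r"/buy/[^/?#]+\.html$", re.I)


def classify(event: dict) -> list:
    """Return the names of every rule an event trips (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "task":
        # "Windows Update" on its own is a common legitimate task name, so the
        # rule also requires the rundll32 ... 5.t,StartW action to avoid noise.
        if event.get("name") == "Windows Update" and RUNDLL32_5T.search(event.get("action", "")):
            hits.append("scheduled_task_5t_startw")
    elif kind == "process":
        if RUNDLL32_5T.search(event.get("cmdline", "")):
            hits.append("rundll32_temp_5t")
    elif kind == "http":
        url = event.get("url", "")
        if C2_MAIN.search(url):
            hits.append("c2_main_php")
        if C2_BUY.search(url):
            hits.append("c2_buy_html")
    elif kind == "file":
        if event.get("sha1", "").lower() in IOC_SHA1:
            hits.append("ioc_sha1")
    return hits


def hunt(events: list) -> list:
    """(event index, rule name) for every hit, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]


# Constructed records; only indexes 1-5 should fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "task", "name": "Windows Update",
     "action": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\5.t,StartW"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\5.t,StartW"},
    {"type": "http", "url": "https://203.0.113.10/work/Main.php?Data=AbCd"},
    {"type": "http", "url": "https://203.0.113.10/work/buy/DESKTOP-1.html"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\5.t",
     "sha1": "0A588F02E60DE547969D000968A458DCDC341312"},
    {"type": "task", "name": "Windows Update", "action": r"%SystemRoot%\system32\usoclient.exe StartScan"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The URL rules are the noisiest of the set (any site can serve /buy/something.html), so in practice they are worth pairing with the C&C addresses from the researchers' full IoC list, whereas the rundll32 5.t,StartW pattern is specific enough to alert on by itself.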
Researchers found that this Chinese spying campaign has been active for more than three years, and warn that it could be expanded to other targets around the world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
