High-value organizations located in South, Southeast, and East Asia have been targeted by a Chinese threat actor as part of a years-long campaign.
The activity, which has targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat activity group dubbed
However, the security vendor has assessed with "moderate-to-high confidence" that the primary objective of the campaign is cyber espionage.
"Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs)," security researcher Tom Fakterman said.
"These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments."
The tools are designed to target both Windows and Linux environments, with the adversary relying on a mix of open-source utilities and malware families such as Godzilla, ANTSWORD, Xnote, and Fast Reverse Proxy (FRP), all of which have been put to use by various Chinese hacking groups.
While both Godzilla and ANTSWORD function as web shells, Xnote is a Linux backdoor that's been detected in the wild since 2015 and has been deployed by an adversarial collective known as Earth Berberoka (aka GamblingPuppet) in attacks aimed at online gambling sites.