216.73.217.139

CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

· Published 30/01/2025 00:39 · Modified 30/01/2025 10:04

Export JSON

Essential information

Published
30/01/2025 00:39
Modified
30/01/2025 10:04
Tags
2025-01-30 apt cobalt strike plugx south asia
Related entities
2 vulnerabilities (cve), 21 observables, 1 intrusion sets (apt), 12 techniques (mitre), 12 malware, 2 others

Description

A sophisticated cyberespionage campaign targeting high-value entities in , particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The operation, likely originating from China, aimed to obtain personal information of government employees and sensitive organizational data. The attackers systematically exploited vulnerabilities in IIS, Apache Tomcat, and MSSQL services. They utilized various tools including backdoor, , and privilege escalation tools. The campaign's sophistication and objectives suggest a nation-state advanced persistent threat operation.

External references