CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
Essential information
- Published
- 30/01/2025 00:39
- Modified
- 30/01/2025 10:04
- Tags
- 2025-01-30 apt cobalt strike plugx south asia
- Related entities
- 2 vulnerabilities (cve), 21 observables, 1 intrusion sets (apt), 12 techniques (mitre), 12 malware, 2 others
Description
A sophisticated cyberespionage campaign targeting high-value entities in South Asia, particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The operation, likely originating from China, aimed to obtain personal information of government employees and sensitive organizational data. The attackers systematically exploited vulnerabilities in IIS, Apache Tomcat, and MSSQL services. They utilized various tools including PlugX backdoor, Cobalt Strike, and privilege escalation tools. The campaign's sophistication and objectives suggest a nation-state advanced persistent threat operation.