{
  "name": "Operation Crimson Palace: A Technical Deep Dive",
  "slug": "operation-crimson-palace-a-technical-deep-dive",
  "description": "Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.",
  "published": "2024-06-06T05:55:53+00:00",
  "created_at": "2024-06-06T05:55:53+00:00",
  "modified_at": "2024-06-06T06:20:44+00:00",
  "created_at_opencti": "2024-06-06T05:55:53+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-06",
    "ccoredoor",
    "cobalt strike",
    "credential access",
    "cyberespionage",
    "eagerbee",
    "impersoni-fake-ator",
    "intrusion",
    "lateral movement",
    "malware",
    "nupakage",
    "phantomnet",
    "pocoproxy",
    "powheartbeat",
    "rudebird"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "66.42.56.233"
      },
      {
        "id": "",
        "name": "64.176.37.107"
      },
      {
        "id": "",
        "name": "45.9.191.183"
      },
      {
        "id": "",
        "name": "45.77.46.245"
      },
      {
        "id": "",
        "name": "45.15.143.151"
      },
      {
        "id": "",
        "name": "198.244.237.13"
      },
      {
        "id": "",
        "name": "192.142.18.25"
      },
      {
        "id": "",
        "name": "191.96.53.132"
      },
      {
        "id": "",
        "name": "178.128.221.202"
      },
      {
        "id": "",
        "name": "145.14.158.235"
      },
      {
        "id": "",
        "name": "141.136.44.219"
      },
      {
        "id": "",
        "name": "123.253.35.100"
      },
      {
        "id": "",
        "name": "103.56.5.224"
      },
      {
        "id": "",
        "name": "49.157.28.114"
      },
      {
        "id": "",
        "name": "192.142.18.27"
      },
      {
        "id": "",
        "name": "192.142.18.15"
      },
      {
        "id": "",
        "name": "107.148.41.114"
      },
      {
        "id": "",
        "name": "45.130.229.181"
      },
      {
        "id": "",
        "name": "185.201.8.187"
      },
      {
        "id": "",
        "name": "91.220.202.143"
      },
      {
        "id": "",
        "name": "89.44.197.74"
      },
      {
        "id": "",
        "name": "45.90.58.103"
      },
      {
        "id": "",
        "name": "185.195.237.121"
      },
      {
        "id": "",
        "name": "64.176.50.42"
      },
      {
        "id": "",
        "name": "195.123.247.50"
      },
      {
        "id": "",
        "name": "195.123.245.79"
      },
      {
        "id": "",
        "name": "185.82.217.164"
      },
      {
        "id": "",
        "name": "185.195.237.123"
      },
      {
        "id": "",
        "name": "185.167.116.30"
      },
      {
        "id": "",
        "name": "158.247.241.188"
      },
      {
        "id": "",
        "name": "154.39.137.29"
      },
      {
        "id": "",
        "name": "147.139.47.141"
      },
      {
        "id": "",
        "name": "146.190.93.250"
      },
      {
        "id": "",
        "name": "139.180.217.105"
      },
      {
        "id": "",
        "name": "139.162.18.97"
      },
      {
        "id": "",
        "name": "www.hpupdate.net"
      },
      {
        "id": "",
        "name": "https://www.hpupdate.net/us-en/drivers/printers"
      },
      {
        "id": "",
        "name": "www.msudapis.info"
      },
      {
        "id": "",
        "name": "www.googlespeedtest33.com"
      },
      {
        "id": "",
        "name": "https://cloud.keepasses.com"
      },
      {
        "id": "",
        "name": "test1.zhangliyong.cn"
      },
      {
        "id": "",
        "name": "hpupdate.net"
      },
      {
        "id": "",
        "name": "gsenergyspeedtest.com"
      },
      {
        "id": "",
        "name": "gandeste.net"
      },
      {
        "id": "",
        "name": "dmsz.org"
      },
      {
        "id": "",
        "name": "cancelle.net"
      },
      {
        "id": "",
        "name": "scancenter.trendrealtime.com"
      },
      {
        "id": "",
        "name": "associate.freeonlinelearning.com"
      },
      {
        "id": "",
        "name": "cloud.keepasses.com"
      },
      {
        "id": "",
        "name": "cloud.gti.mc"
      },
      {
        "id": "",
        "name": "associate.freeonlinelearningtech.com"
      },
      {
        "id": "",
        "name": "associate.feedfoodconcerning.info"
      },
      {
        "id": "",
        "name": "networkdevice.sc"
      },
      {
        "id": "",
        "name": "msudapis.info"
      },
      {
        "id": "",
        "name": "dnsspeedtest2022.com"
      },
      {
        "id": "",
        "name": "message.ooguy.com"
      },
      {
        "id": "",
        "name": "fbe0851792629f86b1d5a599a6bc29d82b3248462bebd8e47ee698e4f510308f"
      },
      {
        "id": "",
        "name": "fa7d4fb4b43e1672c7f4656cd4275c330c2e13aff8451d68e4f305e5e5aea395"
      },
      {
        "id": "",
        "name": "f30b04a9ebc95c50fdc116260068d4d8da8005104b6366c29d0f24dbbf798957"
      },
      {
        "id": "",
        "name": "e65645af3894ec55f0b55472302d288e860a10d97bc19b699facc400f778c4ee"
      },
      {
        "id": "",
        "name": "e5620b4b6371b786c72e830dc24012354642b7067bd5902da7073ce0421456b7"
      },
      {
        "id": "",
        "name": "e4b7a1372233aef6d495743bb726fcd5037d4e90e043085498c21587335d36c7"
      },
      {
        "id": "",
        "name": "da9a53ff7486cf128e5ba80e66fcf3b1d8993d553bd9634ae8e90cbab31fd8da"
      },
      {
        "id": "",
        "name": "d86790104f59b89edbdb1478f320d4589155d465d4710bcb57ff015383eefb38"
      },
      {
        "id": "",
        "name": "cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272"
      },
      {
        "id": "",
        "name": "c6e1bf2b7ac0fd3c34761099d2ec17fccd0604e2e62e94f297943260d15368ce"
      },
      {
        "id": "",
        "name": "c36173f28bfd99db86533d5fdb0ce4dd565488ca56d4b9df1997ee9201b3b704"
      },
      {
        "id": "",
        "name": "bdcedd81555c9c2eb9f4329626c27ec8c7b91a0f2a9f6e0c55dbcd3f99e82b5d"
      },
      {
        "id": "",
        "name": "b32de9f4f2a9bd08063c72fa84d5d44be5a3bf7859bfb6ceaf093cd03ff0240f"
      },
      {
        "id": "",
        "name": "a22b8ef40b8abe2bd7161f425484e82207f322fef1d0562de5bf98e2f642b477"
      },
      {
        "id": "",
        "name": "9ccf0e46f6aadbb20f4c269d8ac85cc9b4e6ce56bf226d45eda4347a20785c88"
      },
      {
        "id": "",
        "name": "8d54da0f807d771edb1197e463cdff8848651e14745c4c468386c31953c340ff"
      },
      {
        "id": "",
        "name": "8b16a3a3047f0eb93ef2b55613a76a9f5f19506428895a5ffbb3c1c44780aad7"
      },
      {
        "id": "",
        "name": "75403191ee834075ab5334e92bda8aab267545a03ed5ed3508db36f21f4acf50"
      },
      {
        "id": "",
        "name": "776d427a19d8389464f855b2f70e0ac11e896162a9f9b50bcb23f0f0aea5044f"
      },
      {
        "id": "",
        "name": "71ccc2c30dc43f20833c3e54d1fe86f8b68263d876461a3f7f7f8702e92cbe81"
      },
      {
        "id": "",
        "name": "6d94049b24c6ac2373d3b517515fcaeeb392458342bbb5ad4c4316e124805b5b"
      },
      {
        "id": "",
        "name": "609fc96700f49f7fdfa71248e642a4dfcd8b3d35f6da3b7c2ce7daad25a844a9"
      },
      {
        "id": "",
        "name": "5f959f480a66a33d37d9a0ef6c8f7d0059625ca2a8ae9236b49b194733622655"
      },
      {
        "id": "",
        "name": "58a7be39056c2084bbb4aec9843db732dfe115ec4ee0c7cc4cf8884621b5142d"
      },
      {
        "id": "",
        "name": "52e248b9fb32ac3aaa4be4b41c66f1e7d9f2d4605aae98f20584f21ea1f33202"
      },
      {
        "id": "",
        "name": "5298c1aadac203285c8a95a4e3f62ec14b984729bf768a405c8028291e34fe1b"
      },
      {
        "id": "",
        "name": "4dd0debf03eeb938fbaca1f1fd391523358c23cbf18959a149c29133cc3c9cae"
      },
      {
        "id": "",
        "name": "4995b91badc8f9bf549548a734d3c14fa2a1c21080743484028b5362440808a0"
      },
      {
        "id": "",
        "name": "430bf24c9a7843895cb266b440c1f911ae600a7e6b8f3885d1c000622da52b2b"
      },
      {
        "id": "",
        "name": "3cc8e21798462468d3bc05ddef35a558fe0dff268c433d42bd01385155084f53"
      },
      {
        "id": "",
        "name": "299b1e82f6941cc049a16c7854230fb37c97af32e2cf5cb335495f42446dc43f"
      },
      {
        "id": "",
        "name": "2892aa48e12e72ba25c4caa9471b41ce316624ff98ed79f56e3c6b3a51026504"
      },
      {
        "id": "",
        "name": "1622ef497f2b767a43e25bcd9a9a629cbe7bed49cb27dc4f08fe0863730580d9"
      },
      {
        "id": "",
        "name": "101bf8dcdd414f09ba46cdecbd96e8606c79b0e76b6a2ce040395e775cb4da86"
      },
      {
        "id": "",
        "name": "f830c3771d35237b4a63b946d7a0d187f5aaa4240e965d74070b7d72b6fba210"
      },
      {
        "id": "",
        "name": "f682323a2c543abbe12c21a77ee93b49444381fa33f76c67363c84764ca4c675"
      },
      {
        "id": "",
        "name": "cca5ae87cd710a8fbf994addb0abc8bf1deb222214d4831289885de23ca98924"
      },
      {
        "id": "",
        "name": "c1bec59afd3c6071b461bb480ff88ba7e36759a949f4850cc26f0c18e4c811a0"
      },
      {
        "id": "",
        "name": "b708dd11942c3e87a8987bdf83f7ea603425ae75fc25a306f54f1087df4198b4"
      },
      {
        "id": "",
        "name": "56f0c8047203147d9b9a888ebac8f33b14ae198182a13913a0f93652dfe2052a"
      },
      {
        "id": "",
        "name": "506b21588541243f3ddd5acb759bf20a3bf06fd2fea455066866154bc5e59721"
      },
      {
        "id": "",
        "name": "4ae29b8124f6221dab934ac04afed2acc8b17c6b35120d568bad8658cbca01c6"
      },
      {
        "id": "",
        "name": "f788d5c2c1bb2d88db09b727b3841155daf43ba81802b5faffec72640451fa4f"
      },
      {
        "id": "",
        "name": "ea8c8f834523886b07d87e85e24f124391d69a738814a0f7c31132b6b712ed65"
      },
      {
        "id": "",
        "name": "c1d818f18c7160807d9031e024fcc6429476d6455221e3aa988c6245269fbcc8"
      },
      {
        "id": "",
        "name": "ad346007f28c4b6d409c95f55e750e249db4b168cd7061baa128f826df948e10"
      },
      {
        "id": "",
        "name": "a1a8adae91daa96deb01326c702fec388d0fa983f299de3f1bdb8a277df64423"
      },
      {
        "id": "",
        "name": "91f40e8659da3dbbb22497b317aa37f26403be86662e359ecddcb4a0c72e154c"
      },
      {
        "id": "",
        "name": "7d6209036d370dbce7a0657f35dedeaa59c15fcfb4d696b9ebdd0fcc773dad50"
      },
      {
        "id": "",
        "name": "755b14ad83da2f2eff8ef8bf83ed74c6d96f6b3b3fde95d4c13d8cb75d861631"
      },
      {
        "id": "",
        "name": "62c9b97a849f40f4b5b167b96a54fa1ef03624ac8f2972b641af8ca5d00b5db0"
      },
      {
        "id": "",
        "name": "5f3fd50715aabf43cc6edb5f38026a3baa37a7fd7a17ae232fc65e186c83befb"
      },
      {
        "id": "",
        "name": "4fcbc598c5699ea48a1edd8dda065eab210f09ad900ab167cb5abdf9841dd2b7"
      },
      {
        "id": "",
        "name": "44e0c61f70f44e3a35ecde9b49a623973727d3aa68922ef4e1ff8dfc74795582"
      },
      {
        "id": "",
        "name": "3a85c36fff48b223f6edd722bc1603a1fd9b00d3e4d46a88151c4b1b696d90d1"
      },
      {
        "id": "",
        "name": "34294ff52899a63f2dc02e5a8f1488343afdb9702437d409a0869317ccfb4243"
      },
      {
        "id": "",
        "name": "1ad26a31c5387055610e053dbab8355e1371f89dfa37526f7a3341122526b719"
      },
      {
        "id": "",
        "name": "edd0c859424ab953a92ef20cfc8b938f469253122485915d6de80d314b18b08f"
      },
      {
        "id": "",
        "name": "dcc938af8fb2964a1f35adfb221de76ffc0bd0ccaac91455b3638fd4dc33e8c0"
      },
      {
        "id": "",
        "name": "c679a2453697c51776b8a64d59fb8bf4172906e9a4f91b3872774bd05378d28c"
      },
      {
        "id": "",
        "name": "a70e8317a608dd6ea0ad8564b089a153a7e3ab7ef763899d3d806141e820148e"
      },
      {
        "id": "",
        "name": "92e2dafb6d91ac7bc725e680d53cfbfcc854033d14f6e4807fd0169c605324d2"
      },
      {
        "id": "",
        "name": "55277d86c0707459500dbb16915665ae611d3a4e4597d51599ea8b8fe6f85f29"
      },
      {
        "id": "",
        "name": "0c3baa012cdb518982ec4ae954b395f3d6b9544ead8e050370219fa584f74f3c"
      },
      {
        "id": "",
        "name": "f499f8d9584e5f4474b19324b807a38fec1c1d38d5df2ff4c1e16798311bc25b"
      },
      {
        "id": "",
        "name": "e9cb02690d987de8d392d0e24b3ccbb294c751dff73962135913c7ec0d8a8064"
      },
      {
        "id": "",
        "name": "e8cd237ac43fa0505d858ac8eb800020eeca104a1cd931d3b6d0ef656ee5393d"
      },
      {
        "id": "",
        "name": "c1abc254d231574044ffe7bdd030be04618916f255396197f1151bfec98c04b6"
      },
      {
        "id": "",
        "name": "c06065d3de3bfb37168a5d94baf1c675f831a201937ef774a36c2ea2bf6fc49e"
      },
      {
        "id": "",
        "name": "bbc0fe549a9e902528a125abd13b1f7c53746416d9c9bb91f88877f37a4ce11c"
      },
      {
        "id": "",
        "name": "b05b92fd84cc3e3bd6378cadbe9b8b2cb926c42383e6194be1df44d1b9202fc1"
      },
      {
        "id": "",
        "name": "951c7f8fdb6cfc8b362615ab1eec4a07dc8fccfd3a7ecda8255908a93b6a1f21"
      },
      {
        "id": "",
        "name": "9404f51ccaf4165e6add08344f04b90ae79a045814d6b1de6b6c1e30981faa78"
      },
      {
        "id": "",
        "name": "7ed44a0e548ba9a3adc1eb4fbf49e773bd9c932f95efc13a092af5bed30d3595"
      },
      {
        "id": "",
        "name": "68ee8c2209641a6796e06caa115effcb89f722a5737210b5bebb87a36e5141a8"
      },
      {
        "id": "",
        "name": "47c4a62fe75aa62906f0b110668e17947e905a33759100de21b987879b47183b"
      },
      {
        "id": "",
        "name": "2a662b58f1dd229e7dba923a4d123658e3c10c0cfcec03748fbe577db81db34d"
      },
      {
        "id": "",
        "name": "1b97afb3310b3af944f74c2d715c110cec32ec536c0a9837b8c88df3438b2a63"
      },
      {
        "id": "",
        "name": "173bb620ed2eee6b356e128da88e173eb1b69253ecd616f8f984087688c089fd"
      },
      {
        "id": "",
        "name": "110c5eec940f3abb8b3a671cd292bc9ef65772168325a7949290e9828353824a"
      },
      {
        "id": "",
        "name": "0e010a36ff24299592569f7c3fc01c597e158996d94b66eb3bbf757742663e76"
      },
      {
        "id": "",
        "name": "01544aeb502163c4fb7bac483430059183ce3d11aee78cd4a6c7074c5289540e"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:51c9b5d91aaa5fa0",
        "name": "PocoProxy",
        "slug": "pocoproxy"
      },
      {
        "id": "legacy:malware:643cf63de6619a11",
        "name": "RUDEBIRD",
        "slug": "rudebird"
      },
      {
        "id": "legacy:malware:f4dbe8719c880443",
        "name": "PowHeartBeat",
        "slug": "powheartbeat"
      },
      {
        "id": "c543d8b3-4b99-45e2-ac20-19f4ba73e5a3",
        "name": "PhantomNet",
        "slug": "phantomnet"
      },
      {
        "id": "3de5df38-271d-45b3-92ac-c4134ebc4d36",
        "name": "CCoreDoor",
        "slug": "ccoredoor"
      },
      {
        "id": "legacy:malware:ee703c15f1da4af3",
        "name": "EAGERBEE",
        "slug": "eagerbee"
      },
      {
        "id": "legacy:malware:e3e4c12405a8ceb5",
        "name": "NUPAKAGE",
        "slug": "nupakage"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      },
      {
        "id": "legacy:malware:220387976f501068",
        "name": "Impersoni-Fake-Ator",
        "slug": "impersoni-fake-ator"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d9c1fd44-dc17-4bee-bd96-ddf748c26170",
        "name": "Chinese state actors",
        "slug": "chinese-state-actors"
      }
    ],
    "attack_patterns": [
      {
        "id": "024c025e-d4ab-4d4e-a391-91d29564bc42",
        "name": "T1207"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "33962583-7396-47ef-913d-1db78d6685c9",
        "name": "T1569"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv",
    "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv",
    "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv",
    "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv",
    "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv",
    "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/",
    "https://otx.alienvault.com/pulse/66616b89c93e2fdea5783ecf"
  ]
}