216.73.216.169

Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

· Published 20/01/2025 11:09 · Modified 20/01/2025 11:49

Export JSON

Essential information

Published
20/01/2025 11:09
Modified
20/01/2025 11:49
Tags
2025-01-20 espionage gh0st rat pngplug valleyrat
Related entities
52 observables, 1 intrusion sets (apt), 11 techniques (mitre), 3 malware, 3 others

Description

A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named to deliver payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer deploys a benign application and extracts an encrypted archive containing malware components. The loader sets up the environment for malware execution, including patching ntdll.dll and injecting payloads from PNG files. , attributed to the Silver Fox APT, employs advanced techniques like shellcode execution, obfuscation, and persistence mechanisms. The campaign stands out due to its focus on Chinese-speaking victims across China, Hong Kong, and Taiwan, treating these regions as a unified target despite their political differences.

External references