IcePeony with the '996' work culture

This blog post is based on “IcePeony with the ‘996’ work culture” that we presented at VB2024. We are grateful to Virus Bulletin for giving us the opportunity to present.

https://www.virusbulletin.com/conference/vb2024/abstracts/icepeony-996-work-culture/

tl;dr

We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.

IcePeony

IcePeony is a previously unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India.

They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.

We believe IcePeony works for China’s national interests. It is possible that they prioritize China’s maritime strategy.

Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that they will expand their targets in the future.

OPSEC fail

In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory. What made this discovery even more compelling was the presence of a zsh_history file.

Similar to bash_history, the zsh_history file records command history. However, zsh_history can also log a timestamp for each command, allowing us to pinpoint the exact time each command was executed. This enabled us to construct a highly detailed timeline of the attack.

Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective. We could observe their trial-and-error process and how they executed the intrusion.

The zsh_history was not the only interesting file. There were many others.

For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly access help information.

Here is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.

Intrusion Timeline

We obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.

On day-1, the attacker attempted SQL injections on several government websites. When an exploit succeeded, they installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain information of compromised hosts and created accounts for further exploitation. On day-3, which was a Sunday, they did not perform any actions; it seems the attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules (we explain this in more detail later). On day-5, the attacker expanded their reach by attempting more SQL injections on other government websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a rootkit called Diamorphine. On day-7, they continued to attack other hosts using tools like URLFinder and sqlmap.

On day-8, they used IceCache to steal information from the compromised environment, especially focusing on domain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing since it was a Sunday. On day-11, they used tools like craXcel and WmiExec. They used craXcel, an open-source tool, to unlock password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and set persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.

Over the course of two weeks, the attacker utilized a variety of tools and commands to compromise government websites and exfiltrate information.

Tools

IcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we will highlight only the most distinctive tools they use.

StaX

StaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker enhanced Stowaway with custom processing. Based on development strings, we called this version StaX.

StaX included encryption for communication targets specified in active mode using Custom Base64 and AES.

ProxyChains

ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.

info.sh is a script that collects system information from the compromised environment. It gathers environment information, user information, installed tool versions, network settings, SSH configuration files, and command history.

linux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the server and creates backdoor users.

Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.

Malware

The IcePeony server contained malware targeting IIS, which we named IceCache. They used IceCache against the internet-facing (attack surface) servers. Additionally, during the investigation, we discovered another related malware, which we called IceEvent. Although we found no logs of IceEvent being used, we believe it was used to compromise another computer that was not connected to the internet.

IceCache

IceCache is an ELF64 binary developed in the Go language. It is customized from the open-source software reGeorg.

To facilitate their intrusion operations, they added file transmission commands and command execution functionality.

The IceCache module is installed and run on IIS servers. The number of commands varies between samples, but the samples fall into two types based on their authentication tokens. We found files with PDB information still present; these files were developed by a user named “power” in a project called “cachsess”.

PDB Path
C:\Users\power\documents\visual studio 2017\Projects\cachsess\x64\Release\cachsess.pdb
C:\Users\power\Documents\Visual Studio 2017\Projects\cachsess\Release\cachsess32.pdb

The number of commands changes over time, but it includes command execution functions, SOCKS proxy functions, and file transmission functions.

TYPE-A command      Description
EXEC / EXEC_PRO     Execute a process
SOCKS_HELLO         Initial handshake message of the SOCKS protocol
SOCKS_CONNECT       Request a connection over the SOCKS protocol
SOCKS_DISCONNECT    Close a SOCKS connection
SOCKS_READ          Read data over the SOCKS protocol
SOCKS_FORWARD       Forward data over the SOCKS protocol
PROXY_ADD           Add a proxy
PROXY_LIST          List proxies
PROXY_DEL           Delete a proxy
PROXY_CLEAR         Clear all proxy settings
PROXY_SET_JS        Set the JavaScript
PROXY_GET_JS        Get the JavaScript currently set
PROXY_ALLOW_PC      Allowed PC settings
PROXY_CACHE_CLEAR   Clear the proxy cache
PROXY_CACHE_TIME    Set the proxy cache time
FILE_UPLOAD         Upload files
FILE_DOWNLOAD       Download files


TYPE-B command                    Description
EXEC / EXEC_PRO                   Execute a process
SOCKS_HELLO                       Initial handshake message of the SOCKS protocol
SOCKS_CONNECT                     Request a connection over the SOCKS protocol
SOCKS_DISCONNECT                  Close a SOCKS connection
SOCKS_READ                        Read data over the SOCKS protocol
SOCKS_FORWARD                     Forward data over the SOCKS protocol
PROXY_ADD                         Add a proxy
PROXY_LIST                        List proxies
PROXY_DEL                         Delete a proxy
PROXY_CLEAR                       Clear all proxy settings
FILE_UPLOAD / FILE_UPLOAD_PRO     Upload files
FILE_DOWNLOAD / FILE_DOWNLOAD_PRO Download files
IIS_VERSION                       Show the IIS version

These are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October. Since there is no discrepancy between the compile time and the first submission, we believe the dates are reliable.

Many new samples have also been found since 2024. Most of the submitters are from India, which matches the victim information we have gathered from OpenDir data.

The number of commands has changed over time. This shows that the malware’s developers have kept improving it while continuing their intrusion operations.

sha256[:8]  Compile Time         First Submission     Submitter          Cmd Num  X-Token           TYPE
5b16d153    2024-07-17 09:11:14  2024-08-03 04:58:20  c8d0b2b9 (ID)      20       tn7rM2851XVvOFbc  B
484e2740    2024-06-21 03:05:15  2024-08-07 09:25:53  39d4d6d2 - email   20       tn7rM2851XVvOFbc  B
11e90e24    2024-06-05 03:52:48  2024-06-18 12:21:50  d9cb313c (ID)      20       tn7rM2851XVvOFbc  B
b8d030ed    2024-06-05 03:52:41  2024-06-18 10:47:18  408f1927 (ID)      20       tn7rM2851XVvOFbc  B
ceb47274    2024-04-25 09:53:26  2024-08-02 21:50:50  06ac9f47 (BR)      20       tn7rM2851XVvOFbc  B
d1955169    2024-04-21 11:29:25  2024-06-18 12:24:39  d9cb313c (ID)      18       tn7rM2851XVvOFbc  B
de8f58f0    2024-04-21 11:29:10  2024-06-18 10:49:53  408f1927 (ID)      18       tn7rM2851XVvOFbc  B
53558af     2024-03-27 05:08:50  2024-04-19 07:57:19  c2440bbf (ID)      18       tn7rM2851XVvOFbc  B
0b8b10a2    2024-03-27 05:08:57  2024-04-18 13:54:16  c2440bbf (ID)      18       tn7rM2851XVvOFbc  B
a66627cc    2024-02-20 09:36:12  2024-03-12 15:17:55  a6412166 (VN)      16       cbFOvVX1582Mr7nt  A
e5f520d9    2024-02-01 09:32:21  2024-07-17 09:30:54  24761b38 (SG)      24       cbFOvVX1582Mr7nt  A
3eb56218    2023-12-07 03:04:16  2024-02-20 13:54:02  0f09a1ae (ID)      24       cbFOvVX1582Mr7nt  A
5fd5e99f    2023-09-27 00:50:46  2024-03-24 08:59:02  Ca43fb0f (ID)      24       cbFOvVX1582Mr7nt  A
0eb60e4c    2023-08-23 09:11:24  2023-10-18 10:11:00  0e8f2a34 (VN)      18       cbFOvVX1582Mr7nt  A

IceEvent

IceEvent is a simple passive-mode backdoor that is installed as a service.

PDB Path
C:\Users\power\Documents\Visual Studio 2017\Projects\WinService\x64\Release\WinService.pdb

Two types have been identified based on the command format. Both types only have the minimum necessary commands. The older type was discovered in September 2023, and several new types were found in April of this year. All of these were submitted from India.

TYPE-A command   Description
FILE:            Read files via a socket
CMD:             Execute a process


TYPE-B command   Description
UPFILE           Upload files
DOWNFILE         Download files
CMD              Execute a process


sha256[:8]  Compile Time         First Submission     Submitter         Cmd Num  TYPE
80e83118    2024-04-25 09:50:58  2024-07-25 05:43:08  INDIA (99003aca)  3        B
9aba997b    2024-04-30 04:48:48  2024-06-14 05:46:49  INDIA (060734bd)  3        B
9a0b0439    2024-04-25 09:50:58  2024-06-14 05:00:08  INDIA (060734bd)  3        B
bc94da1a    2023-08-23 08:52:46  2023-09-05 03:03:57  INDIA (81f8b666)  2        A

Similarities

Based on code similarities with IceCache, we believe that IceEvent was developed because a simple passive backdoor was needed during intrusions. Both IceCache and IceEvent use the same XOR key to encode communication data, and the PDB information shows that the same developer created both malware families.

This is the XOR-based encoding process used for communication data, which is identical in both malware families.

This is the command execution process, which is also identical in both. Since the function calls and branching are exactly the same, we believe they were compiled from the same source code. The other commands match perfectly as well.

The communication data of IceCache and IceEvent is only encoded with the XOR process mentioned earlier, making it easy to decode. Here is an example of decoding the data exchanged during command execution.
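
Because the encoding is plain repeating-key XOR, the same operation decodes captured traffic, and an analyst who knows part of a message's plaintext (for example, the command keyword and output of a command replayed in a lab) can recover the key itself. The following Python is an added example, not code from the original post or from either malware family; the key, the message layout and the "CMD:" framing are placeholders constructed for illustration, since the real key is not reproduced here.

```python
from itertools import cycle

# Placeholder key constructed for this example; the real IceCache/IceEvent key is not reproduced here.
PLACEHOLDER_KEY = b"example-key"


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Because XOR is its own inverse, the same call
    both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes
    (the full length if it never repeats)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return max(len(stream), 1)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for repeating-key XOR: XORing a captured
    message with the plaintext it is known to carry yields the key stream;
    once the known part spans at least two key lengths, the repetition
    reveals where the key ends."""
    key_stream = xor_transform(ciphertext[: len(known_plaintext)], known_plaintext)
    return key_stream[: shortest_period(key_stream)]


def demo():
    # Constructed command message; the "CMD:" framing is illustrative only.
    plaintext = b"CMD:whoami /all\r\nHostname=EXAMPLE-HOST\r\n"
    wire = xor_transform(plaintext, PLACEHOLDER_KEY)        # what would cross the network
    decoded = xor_transform(wire, PLACEHOLDER_KEY)          # decoding with the known key
    # An analyst who replayed the same command knows (at least) the first 30 bytes.
    recovered = recover_key(wire, plaintext[:30])
    return decoded, recovered


if __name__ == "__main__":
    decoded, recovered = demo()
    print(decoded.decode())
    print("recovered key:", recovered)
```

The period test assumes the key has no internal repetition; a key such as "abab" would be recovered as "ab", which still decodes correctly.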

Attribution

We investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers.

Similarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations.
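
The timeline in the Intrusion Timeline section and the working-hours analysis above come from the same source: with extended history enabled, zsh records each command as `: <epoch>:<duration>;<command>`. The following Python is an added example, not the original post's tooling, that parses that format, renders a timeline in a chosen UTC offset, and derives the hour-of-day and day-of-week profile used for the time zone inference. The history lines are constructed for the example (June 2024 timestamps) and are not from the IcePeony host.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in zsh EXTENDED_HISTORY format (": <epoch>:<duration>;<command>").
# Timestamps and commands are invented for this example, not taken from the IcePeony host.
SAMPLE_HISTORY = """\
: 1717981200:0;ls -la tools/
: 1717995600:5;python3 sqlmap.py --help
: 1718024400:0;cat targets.txt
: 1718071200:2;./proxy-client \\
-h
: 1718420400:0;tail -n 20 notes.txt
: 1718584200:0;cd /opt/tools
"""

ENTRY_RE = re.compile(r"^: (\d+):(\d+);(.*)$")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_zsh_history(text):
    """Parse extended history into (utc_datetime, duration_seconds, command) tuples.
    A command whose line ends with a backslash continues on the next line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts, dur, cmd = m.groups()
            entries.append([datetime.fromtimestamp(int(ts), tz=timezone.utc), int(dur), cmd])
        elif entries:
            # continuation line of a multi-line command
            entries[-1][2] = entries[-1][2].rstrip("\\ ") + "\n" + line
    return [tuple(e) for e in entries]


def to_local(utc_time, utc_offset_hours):
    return utc_time.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def build_timeline(entries, utc_offset_hours=8):
    """One line per command, in the analyst's chosen time zone (default UTC+8)."""
    lines = []
    for ts, dur, cmd in entries:
        local = to_local(ts, utc_offset_hours)
        first_line = cmd.splitlines()[0]
        lines.append(f"{local:%Y-%m-%d %H:%M} ({WEEKDAYS[local.weekday()]}) [{dur}s] {first_line}")
    return lines


def activity_profile(entries, utc_offset_hours=8):
    """Commands per local hour and per local weekday."""
    by_hour, by_weekday = Counter(), Counter()
    for ts, _, _ in entries:
        local = to_local(ts, utc_offset_hours)
        by_hour[local.hour] += 1
        by_weekday[WEEKDAYS[local.weekday()]] += 1
    return by_hour, by_weekday


def working_window(entries, utc_offset_hours=8):
    """Earliest and latest local hour with activity, plus weekdays with no activity."""
    by_hour, by_weekday = activity_profile(entries, utc_offset_hours)
    if not by_hour:
        return None, None, set(WEEKDAYS)
    return min(by_hour), max(by_hour), set(WEEKDAYS) - set(by_weekday)


if __name__ == "__main__":
    entries = parse_zsh_history(SAMPLE_HISTORY)
    for line in build_timeline(entries):
        print(line)
    first, last, off_days = working_window(entries)
    print(f"active {first:02d}:00-{last:02d}:59 UTC+8; no activity on {sorted(off_days)}")
```

Run the same profile with several candidate offsets: the one under which the activity window starts in the morning and ends in the evening, with weekends aligned, is the most plausible operator time zone. With two weeks of data a single quiet weekday should not be over-read; the page's conclusion rests on the recurring Sunday gap.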

By the way, have you heard of the term “996 working hour system”? The term originated in China’s IT industry, where long working hours are seen as a problem. It refers to working from 9 a.m. to 9 p.m., six days a week. Such working conditions are called the “996 working hour system”. IcePeony might be working under the 996 working hour system.

https://en.wikipedia.org/wiki/996_working_hour_system

Next, there is a very simple example to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the IceCache client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified Chinese is commonly used.

IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorg. More specifically, IceCache contains a string referring to a project named reGeorgGo.

Upon investigating reGeorgGo, we found that it was developed by a Chinese security engineer. There is no information about this project on the internet aside from the developer’s blog; it is not a well-known tool. However, the publicly available reGeorgGo takes only three arguments, whereas IceCache has more commands added to it.

https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo

Let’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and Vietnam. While attacks on India and Vietnam are generally not uncommon, what about Mauritius?

Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently formed a cooperation with India. They are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter this influence.

https://www.mea.gov.in/newsdetail1.htm?12042/

We summarize the attribution information using the Diamond Model.

IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system.

They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted.

Wrap-Up

In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam.

The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they install web shells or execute malware. Ultimately, they aim to steal credentials.

We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. They remain active, and we must continue monitoring their activities closely moving forward.

IoCs

IP

Domain

IceCache

IceEvent

Building Casper's Shadow

Introduction

A few days ago, we came across a peculiar file. It looked like some kind of builder, and a quick glance at the settings piqued our interest. It appeared to be a ShadowPad builder, probably created around 2021.

ShadowPad builders became a topic of conversation around the time of the i-Soon leak, but we had never seen the actual builder ourselves. This is likely true for most of you as well.

We were so intrigued that we carefully investigated this builder and reviewed past attack campaigns. In this article, we will share how attackers build ShadowPad, what we discovered through our investigation, and our insights.

Our investigation is still ongoing. We would love to engage in active discussions with you. If you have any opinions or comments, please feel free to contact us.

[Note] What we discovered this time is a builder. It does not include a controller. Therefore, it is not possible to control what is generated by this builder. In other words, this builder alone is not meaningful in the real world.

Background

In June 2024, we happened to read a research memo from a year ago. We often read past memos for a change of pace. In doing so, we recalled an attack on Kyrgyzstan in April 2023.

https://x.com/nao_sec/status/1648960199938707456

This attack involved a file resembling a RoyalRoad RTF, which prompted our investigation at the time. Opening this RTF file with a vulnerable version of Microsoft Word displayed a decoy file related to Kyrgyzstan’s cybersecurity, while simultaneously writing and executing several files to the disk. As a result, a CobaltStrike beacon was executed.

The loader that decrypted and executed the beacon resembled Casper Loader. Casper Loader is familiar to threat researchers specializing in East Asia and has been reported to be used in attacks by Tick [1][2]. Our friend @aRtAGGI conducted similar analyses at the time.

https://x.com/aRtAGGI/status/1649184131090087938

We later found that a similar attack had been carried out against Kazakhstan after searching our past database. The attack on Kazakhstan was older than the one on Kyrgyzstan, occurring around November 2022. In this case, the same loader executed from the RTF file eventually ran the CobaltStrike beacon.

Information about the RTF files used in the attacks on Kyrgyzstan and Kazakhstan is listed in the IoC sheet from our previous research on RoyalRoad RTF [3][4]. We have identified these as U-4. If you are interested, please refer to the IoC sheet.

https://nao-sec.org/jsac2020_ioc.html

Let’s return to the present. To investigate recent attack samples, we executed a search query based on the characteristics of the loader used in the attack on Kyrgyzstan.

exports:IEE2 exports:LoadLibraryShim2 exports:LoadStringRC2

We found an unusual file posted in May 2024. This data was embedded in the resource section of another file. We downloaded and executed the original file. To our surprise, it was a ShadowPad builder.

CasperVMakerHTTPx86

MD5      eb99580e0d90ee61b3e2e3bd8715c633
SHA-1    706482eda6d747ca2688cdfd97399f800da9e73c
SHA-256  b6d7c456423c871c7ffe418069a75c39055e4e3d023021c8b0885a02c7ce93c6

When launching the ShadowPad builder, which calls itself CasperVMakerHTTPx86, the following screen appears. There are several tabs, each with various settings.

These items are very similar to the reported architecture of ShadowPad [5]. This suggests that these tabs are configuration items for each module. The settings for each item are as follows:

Let’s try building ShadowPad. By clicking the “Build EXE x86” button, ShadowPad is generated. If the build is successful, an EXE file and a DLL file are created.

The EXE file is a legitimate AppLaunch. It loads the mscoree.dll in the same directory via DLL Side-Loading. The DLL file is the Casper Loader, which decodes and executes the ShadowPad shellcode stored internally.
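
The AppLaunch.exe / mscoree.dll pairing is the classic side-loading layout: a Windows-signed host executable copied out of its normal directory, with a DLL bearing a system DLL's name placed beside it. The following Python is an added example (not from the original post) of the detection logic a defender can run over image-load telemetry; the events are constructed for the example and use the Image / ImageLoaded field names of Sysmon Event ID 7, and the watched-DLL set holds only the name the page mentions.

```python
import ntpath

# Directories from which Windows-owned DLLs are legitimately loaded (lowercase).
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\windows\microsoft.net",
)
# DLL names known to be side-loaded by a trusted host executable. The page names
# mscoree.dll (loaded by AppLaunch.exe); extend this set from your own telemetry.
WATCHED_DLLS = {"mscoree.dll"}

# Constructed image-load events modelled on Sysmon Event ID 7 (Image = process,
# ImageLoaded = DLL). Paths are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\update\AppLaunch.exe",
     "ImageLoaded": r"C:\Users\Public\update\mscoree.dll"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    {"Image": r"C:\Program Files\Example\example.exe",
     "ImageLoaded": r"C:\Program Files\Example\example.dll"},
]


def _norm(path):
    # ntpath handles Windows paths regardless of the analysis host's OS
    return ntpath.normpath(path).lower()


def under_trusted_dir(path):
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def classify(event):
    """Return a reason string if the event looks like DLL side-loading, else None."""
    exe, dll = _norm(event["Image"]), _norm(event["ImageLoaded"])
    if ntpath.basename(dll) not in WATCHED_DLLS:
        return None
    if under_trusted_dir(dll):
        return None  # the genuine Windows copy of the DLL
    reasons = [f"{ntpath.basename(dll)} loaded from untrusted directory {ntpath.dirname(dll)}"]
    if ntpath.dirname(dll) == ntpath.dirname(exe):
        reasons.append("DLL sits beside the host executable (side-loading layout)")
    if not under_trusted_dir(exe):
        reasons.append("host executable itself runs outside the Windows directory")
    return "; ".join(reasons)


def detect_sideloads(events):
    """(process, dll, reason) for every event that classify() flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, dll, reason in detect_sideloads(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {reason}")
```

The rule deliberately keys on the DLL name rather than on AppLaunch.exe, since the same loader DLL can be paired with any host that imports it; signature checks on the loaded DLL (Sysmon's Signed/Signature fields) are a natural second filter.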

Comparison with Similar Samples

ShadowPad loaders exhibit several patterns, but those generated using this builder are decoded using a custom XOR with constants.

There are many samples with similar characteristics, but we will introduce two of them.

Sample-1

According to Macnica’s report [2], Tick uses Casper Loader to execute ShadowPad. Comparing this Casper Loader with the loader created using the builder reveals that while the Macnica sample contains junk code and different fixed values, the algorithm is the same.

Sample-2

A report released by the FBI in December 2021 [6] described an attack exploiting CVE-2021-44515 in which ShadowPad was used. The AppLaunch.exe and mscoree.dll in this case used Casper Loader to execute ShadowPad.

Comparing this Casper Loader with the one created using the builder shows that the algorithm and fixed values are identical. Although API Hashing is not used, it is a highly similar sample.

ShadowPad Community

As you know, ShadowPad is commercial software sold for profit. According to SentinelOne’s report from 2021 [5], ShadowPad is sold to various targeted attack groups, and there is speculation that whg and Rose are involved in its development. The i-Soon leak in February 2024 reported that i-Soon was selling software that appeared to be ShadowPad (including source code and training) [7].

As various researchers have reported [2, 5, 6, 8-38], many targeted attack groups use ShadowPad. These can be broadly categorized into two groups: attack groups associated with the MSS, like APT41, and those associated with the PLA, like Tick.

As previously mentioned, it is generally believed that whg and Rose were involved in ShadowPad’s development. There is no compelling reason to refute this, so we will proceed with this assumption. According to a U.S. government report related to APT41 [39], Rose (Tan Dailin) was involved in APT41. Seven individuals were indicted for their involvement with APT41, with Rose (and Zhang Haoran) being particularly noted for their involvement in both BARIUM and LEAD, making them key figures in APT41’s activities. This background suggests that BARIUM was the earliest adopter of ShadowPad, followed by LEAD.

In contrast, the PLA has many more attack groups using ShadowPad than the MSS. This is generally because many researchers have given them different names, and their relationships are not sufficiently organized. If you are a researcher, you probably have more organized information in your mind (or within your organization). Of course, we understand and accept this. However, to keep things simple, we will exclude such discussions in this article and share how we organized this information within nao_sec. Interestingly, all these attack groups used the RoyalRoad RTF Weaponizer. Is this just a coincidence? ShadowPad and RoyalRoad RTF Weaponizer may be shared through the same channels.

Conclusion

In this article, we introduced the ShadowPad builder. ShadowPad, widely used by various targeted attack groups as a successor to PlugX, had limited information available about its builder until now. This article sheds light on how attackers build ShadowPad.

We also organized the relationships between attack groups using ShadowPad. Our research is still ongoing. We would love to engage in active discussions. If you have any opinions or comments, please contact us. We look forward to hearing from you.

Acknowledgments

We received a lot of help from our friends in writing this article. While we won’t name individuals here, we are immensely grateful to the many supportive reviewers. We want to take this opportunity to express our deepest gratitude to you.

References

  1. TrendMicro, “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”, https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf 

  2. Macnica, “The Reality of Targeted Attacks and Countermeasure Approaches, 5th Edition: Trends in Cyber Espionage Targeting Japan, FY2020”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2020_5.pdf

  3. nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html 

  4. nao_sec, “Royal Road! Re:Dive”, https://nao-sec.org/2021/01/royal-road-redive.html 

  5. SentinelOne, “ShadowPad A Masterpiece of Privately Sold Malware in Chinese Espionage”, https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/

  6. FBI, “APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central”, https://www.ic3.gov/Media/News/2021/211220.pdf

  7. HarfangLab, “A comprehensive analysis of I-Soon’s commercial offering”, https://harfanglab.io/en/insidethelab/isoon-leak-analysis/ 

  8. Kaspersky, “ShadowPad in corporate networks”, https://securelist.com/shadowpad-in-corporate-networks/81432/ 

  9. Kaspersky, “Operation ShadowHammer”, https://securelist.com/operation-shadowhammer/89992/ 

  10. ESET, “Connecting the dots: Exposing the arsenal and methods of the Winnti Group”, https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ 

  11. ESET, “Winnti Group targeting universities in Hong Kong”, https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ 

  12. Macnica, “The Reality of Targeted Attacks and Countermeasure Approaches, 4th Edition: Trends in Cyber Espionage Targeting Japan, Second Half of FY2019”, https://www.macnica.co.jp/business/security/manufacturers/files/mpressioncss_ta_report_2019_4.pdf

  13. PwC, “Around the world in 80 days 4.2bn packets”, https://www.youtube.com/watch?v=YCwyc6SctYs 

  14. CrowdStrike, “Manufacturing Industry in the Adversaries’ Crosshairs”, https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ 

  15. Kaspersky, “APT trends report Q2 2020”, https://securelist.com/apt-trends-report-q2-2020/97937/ 

  16. Positive Technologies, “ShadowPad: new activity from the Winnti group”, https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf 

  17. Symantec, “APT41: Indictments Put Chinese Espionage Group in the Spotlight”, https://symantec-enterprise-blogs.security.com/threat-intelligence/apt41-indictments-china-espionage 

  18. Dr.Web, “Study of the ShadowPad APT backdoor and its relation to PlugX”, https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf 

  19. TrendMicro, “Earth Akhlut: Exploring the Tools, Tactics, and Procedures of an Advanced Threat Actor Operating a Large Infrastructure”, https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf 

  20. ESET, “Operation StealthyTrident: corporate software under attack”, https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ 

  21. Positive Technologies, “Higaisa or Winnti? APT41 backdoors, old and new”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ 

  22. Recorded Future, “China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions”, https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf 

  23. Recorded Future, “Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling”, https://www.recordedfuture.com/blog/chinese-group-tag-22-targets-nepal-philippines-taiwan 

  24. TrendMicro, “Delving Deep: An Analysis of Earth Lusca’s Operations”, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf 

  25. Secureworks, “ShadowPad Malware Analysis”, https://www.secureworks.com/research/shadowpad-malware-analysis 

  26. Recorded Future, “Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group”, https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf 

  27. SentinelOne, “Moshen Dragon’s Triad-and-Error Approach Abusing Security Software to Sideload PlugX and ShadowPad”, https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ 

  28. TeamT5, “The Next Gen PlugX - ShadowPad - A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT”, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf 

  29. Positive Technologies, “Space Pirates: analyzing the tools and connections of a new hacker group”, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ 

  30. Kaspersky, “Attacks on industrial control systems using ShadowPad”, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ 

  31. ESET, “Worok: The big picture”, https://www.welivesecurity.com/2022/09/06/worok-big-picture/ 

  32. Elastic, “Update to the REF2924 intrusion set and related campaigns”, https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns 

  33. Symantec, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors”, https://symantec-enterprise-blogs.security.com/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor 

  34. TrendMicro, “Possible Supply-Chain Attack Targeting Pakistani Government Delivers Shadowpad”, https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html 

  35. Recorded Future, “RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale”, https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf 

  36. Symantec, “Redfly: Espionage Actors Continue to Target Critical Infrastructure”, https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks 

  37. Palo Alto Networks, “Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda”, https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ 

  38. TrendMicro, “Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks”, https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html 

  39. United States Department of Justice, “Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally”, https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer