Chinese State-Sponsored Attackers Unleash New Malware for Espionage Campaign

Sophos recently uncovered a sophisticated espionage campaign targeting a high-level government entity in Southeast Asia. The report, titled “Operation Crimson Palace,” revealed that Chinese state-sponsored attackers used previously unseen malware named PocoProxy to gather military and economic intelligence related to the country’s strategies in the South China Sea.

The investigation by Sophos X-Ops found three distinct clusters of activity, with tactics that overlapped with well-known Chinese nation-state groups. The attackers aimed to collect sensitive political, economic, and military information by targeting specific users within the organization.

Cluster Alpha, Cluster Bravo, and Cluster Charlie were the three identified groups involved in the cyberespionage operations. Cluster Alpha focused on disabling AV protections and conducting reconnaissance, while Cluster Bravo moved laterally through the network to establish external communication pathways. Cluster Charlie deployed PocoProxy to exfiltrate a large volume of sensitive data for espionage purposes.

The aggressive development of cyberespionage operations in the South China Sea was evident in the attackers’ ability to rotate their tools frequently and move throughout the organization at will. The overlap and sharing of tooling among the Chinese threat groups indicate a coordinated effort to gather intelligence.

As organizations face the growing threat of cyberattacks from China, understanding the broader picture of how these groups operate is crucial for enhancing defenses. Sophos continues to investigate the three clusters and will keep the intelligence community informed of any new developments in Chinese state-sponsored cyber operations.