A technical analysis by Palo Alto Networks Unit 42 reported that a years-long campaign targeted high-value organisations across South, Southeast and East Asia and that it had “moderate-to-high confidence” the primary objective was cyber espionage.
KEY FACTS
- Incident: Years-long campaign targeting high-value organisations in South, Southeast and East Asia
- Group: Cluster identified as CL-UNK-1068
- Primary objective: Credential theft and sensitive data exfiltration
- Techniques: Web server exploits, web shells and DLL side-loading
- Sectors: Aviation, energy, government, law enforcement, pharmaceutical, technology, telecommunications
The campaign deploys a multi-faceted tool set that targets both Windows and Linux hosts, combining custom malware, modified open-source utilities and living-off-the-land binaries.
Attackers commonly exploit web servers to install web shells such as Godzilla and ANTSWORD, then move laterally to harvest files. Stolen items include web configuration and executable files from c:\inetpub\wwwroot, browser history and bookmarks, spreadsheets and MS-SQL backup files.
In some intrusions attackers archived files with WinRAR, Base64-encoded the archives with certutil -encode and then printed the encoded output through the web shell to exfiltrate data without uploading files. The actors also used Python executables to perform DLL side-loading and run persistent tools such as FRP and scanner utilities.
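The text-based exfiltration described above leaves a detectable trace: `certutil -encode` wraps its Base64 output in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers, so a web server response carrying such a block whose decoded bytes begin with an archive signature rather than an ASN.1 certificate is a strong indicator. The following detection helper is an added example, not code from the Unit 42 report; the web-shell response it scans is constructed inline.

```python
import base64
import re

# Magic bytes for archive formats that might be hidden inside a certificate-style wrapper.
ARCHIVE_MAGIC = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip": b"PK\x03\x04",
    "7z": b"7z\xbc\xaf\x27\x1c",
}

# certutil -encode emits PEM-style markers around 64-character Base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)

def classify_payload(data: bytes) -> str:
    """Name the archive format the bytes start with, 'der' for a real certificate, else 'unknown'."""
    for name, magic in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    # A genuine DER-encoded certificate begins with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "der"
    return "unknown"

def find_disguised_archives(text: str) -> list[tuple[str, str]]:
    """Return (PEM label, archive type) for every PEM block whose decoded body is an archive."""
    hits = []
    for m in PEM_BLOCK.finditer(text):
        raw = "".join(m.group("body").split())  # drop the line wrapping before decoding
        try:
            data = base64.b64decode(raw, validate=True)
        except ValueError:
            continue  # not valid Base64, so not certutil output
        kind = classify_payload(data)
        if kind in ARCHIVE_MAGIC:
            hits.append((m.group("label"), kind))
    return hits

def certutil_style_wrap(data: bytes) -> str:
    """Constructed stand-in for certutil -encode output (64-char lines in CERTIFICATE markers)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: a fake web-shell response printing a RAR5 header under a certificate wrapper.
SAMPLE_RESPONSE = "<html><pre>\n" + certutil_style_wrap(ARCHIVE_MAGIC["rar5"] + b"\x00" * 40) + "</pre></html>"

if __name__ == "__main__":
    print(find_disguised_archives(SAMPLE_RESPONSE))  # [('CERTIFICATE', 'rar5')]
```

The same check can be applied to proxy or IIS response captures; a real certificate in the same wrapper decodes to a DER sequence and produces no hit.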
Credential theft techniques observed include memory dumping with Mimikatz, LsaRecorder hooks, memory image extraction with DumpItForLinux and Volatility, and exporting stored SSMS connection information. Reconnaissance traces extend back to 2020 with a custom .NET tool and later batch scripts for environment mapping.
WHY IT MATTERS
The focus on credential harvesting and sensitive data from critical infrastructure and government sectors raises the risk of prolonged access to high-value networks. The use of common open-source tools and text-based exfiltration methods makes detection and attribution more challenging.