IBM X-Force has uncovered the resurgence of the China-aligned threat group Hive0154, which uses sophisticated spear-phishing campaigns targeting Tibetan communities and global organizations. These campaigns deploy the Pubload backdoor via convincing weaponized documents related to geopolitical issues, extending their influence beyond Tibet to U.S. military and DRC interests.
Key points
- Hive0154 is a China-aligned threat actor using phishing campaigns to deploy the Pubload backdoor.
- The campaigns target Tibetan communities, U.S. military interests, and mineral deals involving the DRC.
- The malware distribution includes weaponized ZIP archives with legitimate-looking documents and images.
- Claimloader is a customized loader using DLL sideloading and encryption to deliver payloads like Pubshell.
- Organizations should enhance detection of DLL sideloading, reverse shells, and spear-phishing to defend against these threats.
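The last point recommends better detection of DLL sideloading, the technique the summary attributes to Claimloader. The script below is an added example written for this summary, not code from IBM X-Force or from any of the tools named above. It applies three simple heuristics to constructed image-load records shaped like Sysmon Event ID 7 (a loading process, the DLL it loaded, and whether each is signed): a DLL loaded from a user-writable staging directory, a signed executable loading an unsigned DLL from its own non-standard directory, and a DLL whose name matches a well-known Windows system DLL but which does not live in a system directory. The field names, the directory lists and the short set of system DLL names are illustrative assumptions; a production rule would draw them from an allow-list and the real telemetry schema.

```python
"""Heuristic DLL-sideloading triage over constructed Sysmon-style image-load records.

Added example, not IBM X-Force or Claimloader-related code. Assumptions:
records carry the Sysmon Event ID 7 fields Image, ImageLoaded and signature
status; the directory lists and DLL names below are an illustrative subset.
"""
import ntpath
from dataclasses import dataclass

# Directories where a legitimately installed DLL is expected to live (assumption).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# User-writable locations where an extracted archive typically lands (assumption).
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Short illustrative subset of Windows DLL names often found in sideloading reports.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str           # loading process (Sysmon "Image")
    image_loaded: str    # DLL path (Sysmon "ImageLoaded")
    image_signed: bool   # loading EXE carries a valid signature
    loaded_signed: bool  # DLL carries a valid signature


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the list of heuristics that fire for one image-load event."""
    exe = ev.image.lower()
    dll = ev.image_loaded.lower()
    exe_dir = ntpath.dirname(exe)
    dll_dir = ntpath.dirname(dll)
    dll_name = ntpath.basename(dll)
    reasons = []

    # 1. The DLL was loaded from a user-writable staging directory.
    if any(marker in dll for marker in STAGING_MARKERS):
        reasons.append("dll loaded from user-writable staging directory")

    # 2. A signed EXE loads an unsigned DLL from its own directory, outside trusted paths.
    if (ev.image_signed and not ev.loaded_signed
            and dll_dir == exe_dir and not dll.startswith(TRUSTED_DIRS)):
        reasons.append("signed executable loaded unsigned dll from its own directory")

    # 3. The DLL name matches a system DLL but the file is not in a system directory.
    if dll_name in KNOWN_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system dll name {dll_name} loaded from non-system path")

    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Return only the events for which at least one heuristic fired."""
    flagged = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry: one benign system load, one sideload candidate
# from an extracted archive, one vendor application loading its own plugin.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Windows\\System32\\notepad.exe",
              "C:\\Windows\\System32\\version.dll", True, True),
    ImageLoad("C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\Report.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\version.dll", True, False),
    ImageLoad("C:\\Program Files\\VendorApp\\app.exe",
              "C:\\Program Files\\VendorApp\\plugin.dll", True, False),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

Run against the constructed records, only the `Report.exe` load from the Temp directory is flagged, and all three heuristics fire on it; the `notepad.exe` and `VendorApp` loads pass. The third rule is the one most worth tuning: a legitimate application shipping its own copy of a system-named DLL produces the same signal, so in practice the hit is joined with process reputation and the archive-extraction context the summary describes before it becomes an alert.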