This analysis investigates the DragonClone campaign attributed to a China-nexus threat actor, highlighting the use of sophisticated cyber warfare tactics against China Mobile Tietong, a major telecommunications company. The study provides a deep technical analysis of the VELETRIX loader, its shellcode and its command and control infrastructure, and explains how the tooling facilitates mass espionage aligned with Chinese state interests. #DragonClone #VELETRIX #ChinaMobileTietong #VShell
Keypoints
- China-Nexus Threat Actors operate under state-driven cyber warfare objectives, prioritizing long-term intelligence gathering over immediate financial gains.
- The DragonClone campaign targeted China Mobile Tietong, compromising its telecommunications backbone to enable mass espionage.
- Initial access was achieved through spearphishing, delivering a ZIP containing a malicious DLL sideloaded by legitimate Wondershare Recoverit software.
- The malicious DLL, VELETRIX, employs anti-sandbox techniques, dynamic API loading, and unique shellcode obfuscation via IPv4 address representation and XOR decryption.
- VELETRIX uses an unconventional shellcode injection method, passing the shellcode as the callback of the EnumCalendarInfoA API, to evade detection; it then decrypts and executes the encrypted payload received from a C2 server.
- The Command and Control infrastructure is largely based in China, with identified servers hosted in Tencent Cloud Beijing and utilizing TCP port 9999 for communication.
- Shellcode samples share common characteristics with VShell, an Offensive Security Tool, indicating advanced tooling and persistent capabilities used by the threat actor.
- Custom Yara rules enabled identification and hunting of additional samples with similar patterns, confirming multiple incidents linked to the same actor.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via spearphishing emails delivering a ZIP file that contains a malicious DLL, targeting China Mobile Tietong employees (“delivering to users a ZIP file that contains binaries related to an internal training program”).
- [T1055] Process Injection – VELETRIX executes its shellcode in memory by supplying it as the callback function to the EnumCalendarInfoA API, bypassing conventional detection methods (“EnumCalendarInfoA API call, since it expects to receive the application-defined callback function…the Shellcode will be executed”).
- [T1105] Ingress Tool Transfer – The loader downloads an encrypted second-stage payload from the C2 server, decrypts it, and executes it in memory (“VELETRIX Shellcode appears to download and execute some type of data…Command and Control server sent almost 5MB of encrypted data”).
- [T1027] Obfuscated Files or Information – The loader obfuscates its shellcode by representing each byte as an octet of an IPv4 address and encrypting the bytes with the single-byte XOR key 0x6f (“each byte (in hexadecimal) of the shellcode is represented by an octet of an IPv4 address…XOR operation with the key 0x6f”).
- [T1106] Native API – Uses Windows native APIs such as LoadLibraryA, GetProcAddress, VirtualProtect, and EnumCalendarInfoA to perform dynamic loading and execution (“dynamic API loading routine with LoadLibraryA and GetProcAddress…change the protection through VirtualProtect”).
- [T1043] Commonly Used Port – C2 communication established over TCP port 9999 (“validation of communication with the IPv4 address 62.234.24.38 on TCP port 9999”).
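The IPv4-octet encoding and XOR key described under T1027 above can be reversed by an analyst with a few lines of Python. The following decoder is an added example, not code from the original analysis or from the VELETRIX sample: it pulls dotted-quad literals out of a constructed strings/decompiler listing, reassembles them into bytes, and undoes the XOR. The listing, the "hello world!" payload it encodes and the function names are all constructed for this example; only the 0x6f key comes from the page. The key-recovery helper generalises beyond the page by showing how a single-byte XOR key can be recovered when one plaintext byte is known.

```python
import ipaddress
import re

# Constructed sample listing: the string "hello world!" XOR-encrypted with
# 0x6f and rendered as dotted-quad literals, mimicking how the page says
# VELETRIX stores its shellcode. These are NOT bytes from the real sample.
SAMPLE_LISTING = """
lea  rdx, [rip+0x1234]
db   "7.10.3.3", 0
db   "0.79.24.0", 0
db   "29.3.11.78", 0
"""

VELETRIX_XOR_KEY = 0x6F  # single-byte key named in the analysis

_DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4_literals(text: str) -> list[str]:
    """Return dotted-quad literals from strings/decompiler output, in order
    of appearance, keeping only syntactically valid IPv4 addresses."""
    found = []
    for match in _DOTTED_QUAD.finditer(text):
        candidate = match.group(0)
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets > 255
        except ValueError:
            continue
        found.append(candidate)
    return found


def decode_ipv4_shellcode(addrs: list[str], key: int = VELETRIX_XOR_KEY) -> bytes:
    """Reverse the encoding: each address contributes four raw bytes
    (network order), then every byte is XORed with the single-byte key."""
    encoded = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return bytes(b ^ key for b in encoded)


def recover_single_byte_key(encoded: bytes, known_first_byte: int) -> int:
    """If the analyst can guess the first plaintext byte (for example from a
    familiar shellcode prologue), a single-byte XOR key falls out directly.
    Hypothetical helper; the page states the key rather than recovering it."""
    if not encoded:
        raise ValueError("no encoded bytes")
    return encoded[0] ^ known_first_byte


def decode_listing(text: str, key: int = VELETRIX_XOR_KEY) -> bytes:
    """Convenience wrapper: listing text in, decoded shellcode bytes out."""
    return decode_ipv4_shellcode(extract_ipv4_literals(text), key)


if __name__ == "__main__":
    addrs = extract_ipv4_literals(SAMPLE_LISTING)
    print("addresses:", addrs)
    print("decoded  :", decode_listing(SAMPLE_LISTING))
```

Run against real output from `strings` or a decompiler, the decoder will also pick up genuine network addresses embedded in the binary, so check that the recovered list is contiguous in the listing before trusting the decoded blob.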
Indicators of Compromise
- [File Hash] Samples related to the DragonClone campaign – SHA256 fef69f8747c368979a9e4c62f4648ea233314b5f41981d9c01c1cdd96fb07365 (malicious ZIP archive), a15f30f20e3df05032445697c906c3a2accf576ecef5da7fad3730ca5f9c141c (shellcode sample), 27c04c7d2d6dbbb80247adae62e76dfa43c39c447f51205e276b064555a6eb84 (loader sample), and c9dc947b793d13c3b66c34de9e3a791d96e34639c5de1e968fb95ea46bd52c23 (extracted Golang DLL).
- [Domain/IP Address] Command and Control servers – 62.234.24.38 (Tencent Cloud Beijing, active C2 with multiple open TCP ports), 156.238.236.130 (English language webserver with Chinese content), 121.37.80.227 (China-based server hosting VShell-related ELF samples).
- [File Name] Malicious executable used for social engineering – “2025年中国移动有限公司内部培训计划即将启动,请尽快报名.exe” (translated: “China Mobile Limited’s internal training program for 2025 is about to start, please sign up as soon as possible”).
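A defender will usually want to sweep existing connection logs for the network indicators listed above. The following scanner is an added example, not code from the original analysis: it reads constructed Zeek conn.log-style lines and raises an alert when the responder address is one of the page's C2 addresses, or when an outbound TCP session to a non-RFC1918 host uses port 9999. The log lines, the internal 10.0.0.0/8 hosts and the 203.0.113.0/24 documentation addresses are constructed; only the three C2 addresses and the port come from the page.

```python
import ipaddress
from dataclasses import dataclass

# Network indicators taken from the analysis.
C2_IPS = {"62.234.24.38", "156.238.236.130", "121.37.80.227"}
C2_PORT = 9999

# RFC1918 ranges treated as internal; sessions to these never alert on port alone.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed conn.log-style lines, tab separated:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1717000001.1\tCa1\t10.0.0.15\t51234\t62.234.24.38\t9999\ttcp\t312\t5242880
1717000002.2\tCa2\t10.0.0.15\t51235\t203.0.113.50\t443\ttcp\t1200\t8000
1717000003.3\tCa3\t10.0.0.22\t51236\t203.0.113.9\t9999\ttcp\t90\t40
1717000004.4\tCa4\t10.0.0.22\t51237\t10.0.0.5\t9999\ttcp\t90\t40
"""


@dataclass
class Alert:
    uid: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str
    resp_bytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_conn_log(text: str) -> list[Alert]:
    """Match each connection record against the DragonClone indicators.
    A known C2 address is 'high'; bare TCP/9999 to an external host is
    'medium' because the port alone is a weak signal."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 9:
            continue  # malformed record; skip rather than crash the sweep
        _ts, uid, src, _sport, dst, dport, proto, _ob, rb = fields[:9]
        dport, rb = int(dport), int(rb)
        reasons, severity = [], None
        if dst in C2_IPS:
            reasons.append("known DragonClone C2 address")
            severity = "high"
        if proto == "tcp" and dport == C2_PORT and not is_internal(dst):
            reasons.append("outbound TCP/9999 to external host")
            severity = severity or "medium"
        if reasons:
            alerts.append(Alert(uid, src, dst, dport, severity, "; ".join(reasons), rb))
    return alerts


if __name__ == "__main__":
    for a in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"[{a.severity}] {a.uid} {a.src} -> {a.dst}:{a.dport} ({a.reason}, {a.resp_bytes} bytes back)")
```

The `resp_bytes` field is carried into the alert because the analysis notes the C2 returned almost 5 MB of encrypted data; a multi-megabyte response on a flagged session is worth prioritising over a short probe.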