McAfee ATR describes Operation Diànxùn, an espionage campaign targeting telecommunication companies via phishing websites impersonating Huawei and malicious domains that delivered malware posing as Flash. The campaign used Cobalt Strike for command-and-control and shows TTP overlaps with RedDelta and Mustang Panda, focusing on targets tied to 5G roll-out debates. #OperationDiànxùn #RedDelta #MustangPanda #Huawei #CobaltStrike #PlugX
Keypoints
- Operation Diànxùn targeted telecommunication companies across Southeast Asia, Europe and the US, with notable interest in German and Vietnamese firms.
- Attackers used phishing websites that impersonated Huawei career pages and malicious domains to deliver payloads masquerading as Flash applications.
- Observed tooling included Cobalt Strike beacons for command-and-control; PlugX was referenced as used in prior related activity but not in this campaign.
- McAfee found telemetry linking the campaign to past TTPs attributed to Chinese-linked groups RedDelta and Mustang Panda, indicating overlapping methods and tooling.
- Earlier related intrusions used decoy documents and DLL side-loading with legitimate applications (Word, Acrobat) to deploy backdoors.
- McAfee recommends layered defenses built from its own products (MVISION Insights, McAfee Web Gateway, MVISION UCE, MVISION EDR, NSP) and reports that the observed samples are detected under the names Trojan-Cobalt, Trojan-FSYW, Trojan-FSYX, Trojan-FSZC and CobaltStr-FDWE.
MITRE Techniques
- [T1566.002] Spearphishing Link – Attackers lured victims to attacker-controlled web pages impersonating legitimate sites to deliver malware (‘we believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry.’)
- [T1189] Drive-by Compromise – Victims were directed to attacker-controlled domains from which they were infected (‘victims were lured to a domain under control of the threat actor, from which they were infected with malware’). Note that the infection relied on the victim running a payload disguised as a Flash application rather than on a browser exploit, so User Execution: Malicious File (T1204.002) is the closer fit for the final step; T1189 is the mapping this summary uses for the delivery stage.
- [T1574.002] DLL Side-Loading – Prior related attacks used DLL side-loading with legitimate software to deploy backdoors (‘These attacks mainly used the PlugX backdoor using DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.’). (T1574.001 is DLL Search Order Hijacking; side-loading is the .002 sub-technique.)
- [T1036] Masquerading – Malware and domains were crafted to appear as legitimate applications/sites (Flash, Huawei career) to evade detection (‘We discovered malware that masqueraded as Flash applications… the malicious domain was crafted to look like the legitimate career site for Huawei’).
- [T1071.001] Application Layer Protocol: Web Protocols – Cobalt Strike beacons and C2 communications over web protocols were used for remote control (‘creating a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon’).
- [T1566.001] Spearphishing Attachment (Decoy Documents) – Earlier related activity used decoy documents to entice targets and trigger compromise (‘the group continued its activity using decoy documents related to Catholicism, Tibet-Ladakh relations and the United Nations General Assembly Security Council’).
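The side-loading pattern referenced above (a signed, legitimate host binary such as Word or Acrobat loading an attacker-supplied DLL placed beside it) can be hunted for in image-load telemetry. The script below is an added example, not McAfee's code or anything from the report: it runs a simple heuristic over constructed image-load events whose fields loosely follow Sysmon Event ID 7 (process image, loaded image, signature status). The trusted-root list, the event shape and the sample paths are assumptions for illustration.

```python
"""Heuristic detection of DLL side-loading (T1574.002) over image-load events.

Added example, not code from McAfee or the Operation Dianxun report. The event
shape loosely follows Sysmon Event ID 7 (ImageLoad); the sample events are
constructed for illustration and do not reproduce any real sample.
"""
import ntpath
from dataclasses import dataclass

# Directories where signed applications are expected to live. Assumption for
# this example; tune to the estate being monitored.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoad:
    process: str          # full path of the process that loaded the DLL
    image: str            # full path of the loaded DLL
    process_signed: bool  # Authenticode status of the host executable
    image_signed: bool    # Authenticode status of the loaded DLL


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_suspected_sideload(ev: ImageLoad) -> bool:
    """Flag the classic side-load shape: a signed host process loads an unsigned
    DLL from its own directory, and that directory is outside the trusted roots
    (e.g. a copied-out AcroRd32.exe in a temp folder next to a dropped DLL)."""
    proc_dir = ntpath.dirname(ev.process.lower())
    img_dir = ntpath.dirname(ev.image.lower())
    return (
        ev.process_signed
        and not ev.image_signed
        and proc_dir == img_dir
        and not _under_trusted_root(ev.image)
    )


def find_sideloads(events):
    """Return the subset of events that match the side-load heuristic."""
    return [ev for ev in events if is_suspected_sideload(ev)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # benign: Office binary in Program Files loading a signed system DLL
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\kernel32.dll", True, True),
    # suspicious: a copied signed Acrobat reader binary in a user-writable
    # directory loading an unsigned DLL that sits next to it
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\update\AcroRd32.exe",
              r"C:\Users\victim\AppData\Local\Temp\update\sqlite3.dll", True, False),
    # no signal: an unsigned tool loading its own unsigned plugin
    ImageLoad(r"C:\tools\mytool.exe", r"C:\tools\plugin.dll", False, False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"suspected side-load: {hit.process} -> {hit.image}")
```

The heuristic deliberately keys on the combination of a signed host, an unsigned co-located DLL and an untrusted directory; any one of those alone is common in benign software. It will miss side-loads where the attacker can write into an application's own Program Files directory, so treat it as a triage filter rather than a complete rule.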
Indicators of Compromise
- [Domain] Malicious/impersonation domains used to deliver payloads – update.careerhuawei.net, update.huaweiyuncdn.com, flach.cn (malicious domains crafted to mimic Huawei or Flash download sites).
- [Domain – Legitimate referenced] Legitimate target referenced for impersonation – career.huawei.com, flash.cn (legitimate domains that were mimicked by attacker domains).
- [Malware/Detections] McAfee detection names for the observed samples – Trojan-Cobalt, Trojan-FSYW, Trojan-FSYX, Trojan-FSZC, CobaltStr-FDWE (names under which McAfee products identify and block the samples; the report lists further detection names not reproduced here).
- [Tool/Beacon] C2 and beacon tooling – Cobalt Strike Beacon (used to establish command-and-control and remote access to compromised hosts).
- [Malware] Previously used backdoor referenced – PlugX (not observed in this campaign but cited as used in earlier related intrusions).
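The domain indicators above are only useful if they are actually run against proxy or DNS telemetry, and the impersonation pattern (a brand token such as "huawei" in a domain that is not under huawei.com, or a one-character variant such as flach.cn for flash.cn) is worth hunting for beyond the three published hosts. The script below is an added example, not McAfee's tooling: it scans constructed log lines in a simplified "timestamp source method url" layout, matches the listed IoC domains (including their subdomains), and adds a lookalike tier derived from the legitimate domains that were impersonated. The log format, the registrable-domain shortcut (last two labels, no public-suffix handling) and the lookalike thresholds are assumptions.

```python
"""Scan web-proxy/DNS log lines for the Operation Dianxun domain IoCs and for
lookalikes of the impersonated legitimate domains.

Added example, not McAfee's code. Log lines are constructed for illustration;
the format is a simplified "timestamp source method url" layout, not that of
any particular product.
"""
import re
from urllib.parse import urlsplit

# Domains published as malicious on this page.
IOC_DOMAINS = {"update.careerhuawei.net", "update.huaweiyuncdn.com", "flach.cn"}

# Legitimate domains that were impersonated; used only to derive lookalike rules.
LEGIT_DOMAINS = {"career.huawei.com", "flash.cn"}


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix handling,
    so co.uk-style suffixes would be mishandled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Brand tokens are the second-level label of each legitimate domain.
BRANDS = {registrable(d).split(".")[0] for d in LEGIT_DOMAINS}   # {"huawei", "flash"}
LEGIT_ROOTS = {registrable(d) for d in LEGIT_DOMAINS}              # {"huawei.com", "flash.cn"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character variants such as flach/flash."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _matches_any(host: str, domains) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in domains)


def is_ioc(host: str) -> bool:
    return _matches_any(host, IOC_DOMAINS)


def is_legit(host: str) -> bool:
    return _matches_any(host, LEGIT_ROOTS)


def is_lookalike(host: str) -> bool:
    """Brand token anywhere in a host not under the real brand domain, or a
    second-level label within edit distance 1 of a brand token."""
    if is_legit(host):
        return False
    h = host.lower()
    sld = registrable(h).split(".")[0]
    return any(brand in h or levenshtein(sld, brand) <= 1 for brand in BRANDS)


def classify(host: str) -> str:
    if is_ioc(host):
        return "ioc"
    if is_legit(host):
        return "legit"
    if is_lookalike(host):
        return "lookalike"
    return "clean"


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def scan(log_text: str):
    """Return (source, host, verdict) for every line that hits an IoC or a lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        verdict = classify(host)
        if verdict in ("ioc", "lookalike"):
            hits.append((m["src"], host, verdict))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2021-03-10T09:12:01Z ws-017 GET http://update.careerhuawei.net/
2021-03-10T09:13:44Z ws-017 GET https://career.huawei.com/index.html
2021-03-10T09:15:02Z ws-022 GET http://flach.cn/download
2021-03-10T09:16:30Z ws-022 GET https://www.flash.cn/
2021-03-10T09:18:07Z ws-031 GET http://huaweiyuncdn.com/
2021-03-10T09:20:11Z ws-031 GET https://example.com/
"""

if __name__ == "__main__":
    for src, host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9s} {src} {host}")
```

The IoC tier is exact (host or subdomain of a published domain) and can be alerted on directly; the lookalike tier is a triage feed, since a bare brand-token match will also catch unrelated domains that happen to contain "flash" or "huawei", so review those hits before blocking.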