Proofpoint’s Threat Research Team links a long-running TA423/Red Ladon espionage operation to a 2022 ScanBox phishing campaign targeting Australian government, offshore energy, and international entities in the South China Sea. The operation impersonates Australian media outlets to deliver a modular JavaScript reconnaissance framework with extensive data collection, evolving from earlier RTF template injection campaigns. #TA423 #RedLadon #ScanBox #SouthChinaSea #AustralianMorningNews #KasawariGasField #YunlinOffshoreWindfarm #Leviathan #GADOLINIUM
Keypoints
- Joint Proofpoint/PwC Threat Intelligence analysis ties TA423/Red Ladon to a 2022 ScanBox phishing campaign with global reach and a focus on Australia, Malaysia, Europe, and South China Sea energy projects.
- The April–June 2022 campaign used phishing emails impersonating Australian media to redirect targets to a malicious domain hosting the ScanBox JavaScript payload.
- ScanBox is a modular, plugin-based JavaScript framework used to profile victims, load plugins, and exfiltrate data through a C2 infrastructure.
- Previous TA423/Red Ladon activity (2021) leveraged RTF template injection to deliver a downloader and Meterpreter payload, linking current campaigns to earlier techniques.
- Victimology centers on Australian federal/state government, offshore wind/energy contractors, and supply chains for projects in the South China Sea (e.g., Kasawari Gas Field, Yunlin Windfarm).
- TA423/Red Ladon’s activity has been linked to broader indictments and government assessments, with ongoing use of ScanBox alongside other toolsets like Meterpreter.
- Infrastructure includes actor-controlled domains, multiple C2 servers, and a range of IOCs (domains, emails, hashes, and IPs) tied to the campaigns.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Phishing emails that redirect targets to a malicious site impersonating Australian media outlets. ‘phishing emails … redirected to a malicious website posing as an Australian news media outlet.’
- [T1566.001] Spearphishing Attachment – RTF template injection attachments used to deliver initial payloads in earlier TA423 campaigns. ‘Zip Archive attachments containing RTF template injection files …’
- [T1059.007] Command and Scripting Interpreter: JavaScript – ScanBox is JavaScript-based web reconnaissance and exploitation software loaded from malicious pages. ‘ScanBox, detailed in open source as early as 2014 … is a JavaScript based web reconnaissance and exploitation framework.’
- [T1574.002] DLL Side-Loading – DLL stager downloaded via DLL sideloading in TA423 campaigns. ‘This DLL stager is executed using DLL sideloading.’
- [T1071.001] Web Protocols – ScanBox communicates with its C2 server over HTTP/S, which also carries the exfiltrated data. ‘C2 server to contact’ and related data exfiltration via web channels.
- [T1518.001] Software Discovery – The security check plugin searches for Kaspersky Internet Security, indicating discovery of security software. ‘Security check plugin … checks whether Kaspersky Internet Security is installed.’
- [T1082] System Information Discovery – The initial ScanBox script gathers host information (time, language, browser version, OS, etc.) before loading plugins. ‘The initial ScanBox script harvests several types of information from visitors …’
- [T1056.001] Input Capture: Keylogging – Keylogger plugin records keystrokes within the iframe. ‘Keylogger plugin records any key pressed by the victim …’
Indicators of Compromise
- [Phishing Email Sender Address] Phase 3 IOCs – [email protected], [email protected], and other sender addresses
- [Phishing Email Header From] Phase 3 IOCs – Daisha Manalo, Blair Goodland
- [Actor-controlled Domain] Phase 3 IOCs – australianmorningnews.com, image.australianmorningnews.com, heraldsun.me, regionail.xyz, walmartsde.com, theaustralian.in
- [C2 IP] Phase 3 IOCs – 139.59.60.116:443, 172.105.114.27:80
- [Phishing URL] Phase 3 IOCs – hxxp://australianmorningnews.com/?p=23, hxxp://australianmorningnews.com/?p=30
- [SHA-256] Phase 3 IOCs – 7795936ed1bdb7a5756c1ff821b2dc8739966abbb00e3e0ae114ee728bf1cf1a, 2f204f3b3abc97efc74b6fa016a874f9d4addb8ac70857267cc8e4feb9dbba26
- [Filename] Phase 3 IOCs – cwhe18nc.js, cwhe18nc.htm
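As an added defensive example (not part of the Proofpoint report), the following Python snippet turns the Phase 3 IOCs above into a simple matcher for web-proxy logs: it refangs the `hxxp` URLs, matches actor domains including subdomains (so `image.australianmorningnews.com` is caught), checks destination IP:port pairs against the C2 list, and flags the ScanBox filenames. The log format and log lines are constructed for illustration; the IOC values are the ones listed on this page.

```python
import re
from urllib.parse import urlparse

# IOCs copied from the Phase 3 list on this page (URLs kept defanged as published).
IOC_DOMAINS = {"australianmorningnews.com", "heraldsun.me", "regionail.xyz",
               "walmartsde.com", "theaustralian.in"}
IOC_IP_PORTS = {("139.59.60.116", 443), ("172.105.114.27", 80)}
IOC_FILENAMES = {"cwhe18nc.js", "cwhe18nc.htm"}
IOC_URLS = {"hxxp://australianmorningnews.com/?p=23",
            "hxxp://australianmorningnews.com/?p=30"}

def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging used in threat reports."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def check_request(url: str, dst_ip: str, dst_port: int) -> list:
    """Return the IOC categories a single proxy request matches (empty list if clean)."""
    hits = []
    url = refang(url)
    parsed = urlparse(url)
    if parsed.hostname and domain_matches(parsed.hostname):
        hits.append("actor_domain")
    if (dst_ip, dst_port) in IOC_IP_PORTS:
        hits.append("c2_ip_port")
    if parsed.path.rsplit("/", 1)[-1].lower() in IOC_FILENAMES:
        hits.append("scanbox_filename")
    if url in {refang(u) for u in IOC_URLS}:
        hits.append("phishing_url")
    return hits

# Constructed sample log lines (format: ts src_ip method url dst_ip:port); not real telemetry.
SAMPLE_LOGS = [
    "1650000001 10.0.0.5 GET http://australianmorningnews.com/?p=23 139.59.60.116:443",
    "1650000002 10.0.0.7 GET http://image.australianmorningnews.com/cwhe18nc.js 172.105.114.27:80",
    "1650000003 10.0.0.9 GET https://www.example.org/index.html 93.184.216.34:443",
]
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+):(\d+)$")

def scan_logs(lines):
    """Return (src_ip, url, hits) for every parseable line matching at least one IOC."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            _, src, _, url, dst_ip, dst_port = m.groups()
            hits = check_request(url, dst_ip, int(dst_port))
            if hits:
                alerts.append((src, url, hits))
    return alerts
```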
Read more: https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea