McAfee Defender’s Blog: Operation Dianxun | McAfee Blog

McAfee ATR describes Operation Diànxùn as an espionage campaign that used a phishing website impersonating Huawei careers to deliver a Flash-based downloader and a .NET payload, ultimately deploying backdoors and a Cobalt Strike Beacon for remote control. McAfee outlines detection and prevention controls across web, endpoint, and EDR layers and provides IoCs and detection guidance for hunting and response. #OperationDianxun #RedDelta

Keypoints

  • Initial access likely via a phishing website impersonating Huawei careers that served malicious content and delivered a Flash-based downloader.
  • The user-executed downloader (flashplayer_install_cn.exe) spawned svchost.exe, contacted a C2 (update.flach.cn), and dropped flash.exe in %TEMP%.
  • A later .NET payload provided functions to download additional backdoors, configure persistence, and perform discovery, enabling long-term espionage access.
  • Cobalt Strike Beacon and HTTP-based C2 communications were used for remote control and data exfiltration; network detections can identify callback anomalies.
  • Defenses recommended include multi-layer web protections (URL reputation, SSL inspection, Remote Browser Isolation), endpoint prevention (signature, behavior, ML), NGIPS callback detection, and EDR for full kill-chain visibility and hunting.
  • MVISION Insights provides threat intelligence and MITRE technique mapping, and MVISION EDR supports real-time and 90-day historical searches for IoCs and process activity.
  • Key IoCs include phishing domains (update.careerhuawei.net), C2 domains (update.flach.cn), IP 8.210.186.138, file names (flashplayer_install_cn.exe, flash.exe), and multiple SHA256 hashes for the downloader samples.

MITRE Techniques

  • [T1566] Phishing – initial access via a malicious website: [‘victims were lured to a domain under control of the threat actor, from which they were infected with malware’]
  • [T1204] User Execution – execution of user-run downloader: [‘The initial downloader payload flashplayer_install_cn.exe is executed directly by the user and spawned by svchost.exe.’]
  • [T1105] Ingress Tool Transfer – downloader retrieves additional components/backdoors: [‘the execution of the initial fake Flash installer acts mainly like a downloader’ and ‘tool to manage and download backdoors to the machine’]
  • [T1547] Persistence – payload configures persistence on the infected host: [‘manage and download backdoors to the machine and configure persistence.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and beacon communications over HTTP: [‘At first it connects back to hxxp://update.flach.cn registering to the c2’ and ‘backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon.’]
  • [T1082] System Information Discovery – payload queries time/geolocation from an external service: [‘checks the time and the geolocalization of the infected machine via a request to http://worldclockapi.com.’]

Indicators of Compromise

  • [Domain] phishing and C2 domains – update.careerhuawei.net (fake Huawei careers site used for initial phishing), update.flach.cn (C2 callback)
  • [IP Address] C2 traffic and hunting target – 8.210.186.138 (used in network searches for connections to the fake Huawei site)
  • [File name] downloader and dropped executable – flashplayer_install_cn.exe (user-run downloader), flash.exe (dropped executable in the Windows temp directory)
  • [SHA256] sample hashes for downloader/payloads – 422e3b16e431daa07bae951eed08429a0c4ccf8e37746c733be512f1a5a160a3, 8489ee84e810b5ed337f8496330e69d6840e7c8e228b245f6e28ac6905c19f4a, and 18 more hashes

The technical infection chain begins with a phishing website impersonating Huawei careers that serves a fake Flash installer. When executed by a user, the installer (flashplayer_install_cn.exe) spawns svchost.exe, contacts hxxp://update.flach.cn to register with the attacker’s C2, and writes a secondary executable (flash.exe) to the Windows temporary directory. The initial downloader primarily acts as a fetcher; a subsequent .NET payload implements utility functions to download additional backdoors, perform discovery checks (including querying worldclockapi.com for time/geolocation), and establish persistence on the host.

Detection and mitigation are layered: web protections (URL reputation, SSL inspection, and Remote Browser Isolation) block or isolate the phishing vector; endpoint controls (signature, behavior-based prevention, and ML/ATP) stop the downloader and .NET stages—McAfee ENS reports DAT families such as Trojan-Cobalt and CobaltStr-FDWE—and NGIPS callback detection can identify and block anomalous C2 communications including Cobalt Strike Beacon traffic. MVISION Insights supplies threat context and IoCs, while MVISION EDR provides process- and network-level visibility to trace the kill chain, pivot from alerts, and perform real-time or 90-day historical hunts for files, processes, domains, IPs, and hashes across the enterprise.

For incident response, investigate process activity for user-launched installers and svchost spawning, search EDR for network connections to update.flach.cn and the fake Huawei domain, query file stores for the listed SHA256 values, and use NGIPS/NSP callback detection to block C2s. Collect and export IoCs (e.g., domains, IPs, file hashes) into tooling for automated blocking and monitor for persistence artifacts and later-stage beaconing to disrupt attacker control and data collection.
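The hunting pass described above, as an added example that is not from McAfee's post or tooling: a small Python script that walks constructed EDR-style JSON-lines events (a hypothetical schema, not MVISION EDR's export format) and flags the page's domains, IP, file names and two of the listed SHA256 hashes, plus the installer-spawns-svchost chain and the flash.exe drop into a temp directory.

```python
import json

# Indicators quoted on the page: domains, IP, file names and two of the listed SHA256 hashes.
IOC_DOMAINS = {"update.careerhuawei.net", "update.flach.cn"}
IOC_IPS = {"8.210.186.138"}
IOC_FILENAMES = {"flashplayer_install_cn.exe", "flash.exe"}
IOC_SHA256 = {"422e3b16e431daa07bae951eed08429a0c4ccf8e37746c733be512f1a5a160a3",
              "8489ee84e810b5ed337f8496330e69d6840e7c8e228b245f6e28ac6905c19f4a"}

# Constructed EDR-style JSON-lines events in a hypothetical schema (not McAfee's export format).
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws01","image":"C:\\Users\\a\\Downloads\\flashplayer_install_cn.exe","parent":"explorer.exe","sha256":"422e3b16e431daa07bae951eed08429a0c4ccf8e37746c733be512f1a5a160a3"}
{"type":"process","host":"ws01","image":"C:\\Windows\\System32\\svchost.exe","parent":"flashplayer_install_cn.exe","sha256":"0000"}
{"type":"network","host":"ws01","image":"svchost.exe","dest_host":"update.flach.cn","dest_ip":"8.210.186.138","dest_port":80}
{"type":"file","host":"ws01","image":"svchost.exe","path":"C:\\Windows\\Temp\\flash.exe","action":"create"}
{"type":"network","host":"ws02","image":"chrome.exe","dest_host":"intranet.corp.local","dest_ip":"10.0.0.5","dest_port":443}
"""

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def basename(path):
    # Lower-cased final path component, tolerant of Windows or POSIX separators.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(events):
    """Return (rule, host, detail) tuples for every indicator or behaviour match."""
    hits = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["type"] == "process":
            img = basename(ev["image"])
            if img in IOC_FILENAMES:
                hits.append(("ioc_filename", host, img))
            if ev.get("sha256", "").lower() in IOC_SHA256:
                hits.append(("ioc_sha256", host, ev["sha256"]))
            # Behavioural chain from the page: the user-run installer spawning svchost.exe.
            if img == "svchost.exe" and basename(ev.get("parent", "")) == "flashplayer_install_cn.exe":
                hits.append(("installer_spawns_svchost", host, ev["parent"]))
        elif ev["type"] == "network":
            if ev.get("dest_host", "").lower() in IOC_DOMAINS:
                hits.append(("ioc_domain", host, ev["dest_host"]))
            if ev.get("dest_ip") in IOC_IPS:
                hits.append(("ioc_ip", host, ev["dest_ip"]))
        elif ev["type"] == "file":
            path = ev["path"].replace("\\", "/").lower()
            if basename(path) == "flash.exe" and "/temp/" in path:
                hits.append(("flash_exe_in_temp", host, ev["path"]))
    return hits
```

Run `hunt(parse_events(SAMPLE_EVENTS))` to see six hits on ws01 and none on ws02; the indicator sets are the place to paste the remaining hashes from the original post before running it over a real export.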

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun/