Sophos MDR uncovers a long-running Chinese state-sponsored cyberespionage operation, dubbed “Crimson Palace,” targeting a high-profile Southeast Asian government organization. The campaign comprises three activity clusters (Cluster Alpha, Bravo, and Charlie) employing novel malware, extensive DLL sideloading, and evasive techniques to maintain access and exfiltrate sensitive information.
#CrimsonPalace #EAGERBEE #PocoProxy #CCoreDoor #MerlinC2Agent #RUDEBIRD #PhantomNet #PowHeartBeat #NUPAKAGE #BackdoorDiplomacy #Worok #TA428 #EarthLongzhi #UnfadingSeaHaze #REF5961 #APT41
Key points
- Three distinct intrusion clusters (Alpha, Bravo, Charlie) operated within the targeted network from March 2023 to December 2023, with overlaps suggesting coordination.
- Novel malware variants surfaced (CCoreDoor, PocoProxy) alongside updates to EAGERBEE, plus known tools like NUPAKAGE, Merlin C2 Agent, RUDEBIRD, PhantomNet, and PowHeartBeat.
- Extensive DLL sideloading (>15 scenarios) abused Windows services, legitimate Microsoft binaries, and AV software to run implants.
- Aggressive evasion tactics included in-memory ntdll.dll unhooking of the Sophos AV agent and multiple persistence methods.
- The campaign’s objective appears to be long-term espionage—maintaining access, recon, and exfiltration of military/policy information—across the victim network.
- Overlap with multiple Chinese-nexus actors across public reports (BackdoorDiplomacy, Worok, TA428, Earth Longzhi, REF5961), though attribution remains cautious.
MITRE Techniques
- [T1574.002] DLL Side-Loading – Over 15 distinct DLL sideloading scenarios abusing Windows Services, legitimate Microsoft binaries, and AV vendor software. “over 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software.”
- [T1218] Signed Binary Proxy Execution – Renamed versions of a signed binary (mscorsvw.exe) to obfuscate backdoor deployment and move laterally from the beachhead host to other remote servers. “renamed versions of a signed mscorsvw.exe to obfuscate backdoor deployment and move laterally from the beachhead host to other remote servers”
- [T1055] Process Injection – HUI loader to inject a Cobalt Strike Beacon into mstsc.exe, enabling stealthy code execution. “to inject a Cobalt Strike Beacon into mstsc.exe”
- [T1003] OS Credential Dumping – LSASS logon credential interceptor injected into svchost.exe to capture domain controller credentials. “LSASS logon credential interceptor into svchost.exe…to capture credentials on domain controllers”
- [T1087] Account Discovery – Wevtutil commands to conduct user reconnaissance, using outputs to guide actions. “Execution of wevtutil commands to conduct specific user reconnaissance”
- [T1069] Permission Groups Discovery – Enumeration of administrator accounts during Cluster Alpha reconnaissance. “enumerating administrator accounts”
- [T1071] Command and Control – Deploying multiple implants for persistent C2 communications across clusters. “deploying various malware implants for command-and-control (C2) communications”
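The two techniques the report leans on most, DLL sideloading by signed host processes (T1574.002) and renamed signed binaries such as mscorsvw.exe (T1218), both leave a footprint in endpoint telemetry that can be checked mechanically. The following is an added detection example written for this summary; it is not Sophos code and not part of the original report. It assumes Sysmon-style image-load (Event ID 7) and process-create (Event ID 1) records flattened into dicts, with one enrichment field, `ProcessSignatureStatus`, assumed to carry the host process's own signature verdict (Sysmon only signs the loaded image in Event 7, so that field would have to come from an upstream enrichment step). All records below are constructed for the example; the DLL names are placeholders, not indicators from the report.

```python
from pathlib import PureWindowsPath

# Directories where DLLs are expected to live on a managed Windows host (assumption).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def sideload_finding(rec):
    """Event 7 heuristic for T1574.002: a validly signed host process loads a DLL
    that is unsigned or whose signature does not verify. Returns a finding dict
    or None. Severity is raised when the DLL sits next to the host binary (the
    classic search-order sideload layout) or outside the trusted directories."""
    host = rec["Image"]
    dll = rec["ImageLoaded"]
    # ProcessSignatureStatus is an assumed enrichment field, not a native Sysmon field.
    host_signed = rec.get("ProcessSignatureStatus", "") == "Valid"
    dll_signed = (str(rec.get("Signed", "false")).lower() == "true"
                  and rec.get("SignatureStatus", "") == "Valid")
    if not host_signed or dll_signed:
        return None
    same_dir = (str(PureWindowsPath(host).parent).lower()
                == str(PureWindowsPath(dll).parent).lower())
    untrusted = not dll.lower().startswith(TRUSTED_DLL_DIRS)
    return {
        "technique": "T1574.002",
        "process": host,
        "dll": dll,
        "severity": "high" if (same_dir or untrusted) else "medium",
    }


def renamed_binary_finding(rec):
    """Event 1 heuristic for T1218: the PE header's OriginalFileName disagrees with
    the on-disk file name, e.g. a copy of mscorsvw.exe saved under another name.
    Sysmon writes '-' when the header field is absent; that is skipped."""
    on_disk = PureWindowsPath(rec["Image"]).name.lower()
    original = rec.get("OriginalFileName", "").lower()
    if not original or original in ("-", "?") or original == on_disk:
        return None
    return {"technique": "T1218", "process": rec["Image"], "original_name": original}


def triage(records):
    """Run the matching heuristic for each record and collect findings in order."""
    findings = []
    for rec in records:
        if rec["EventID"] == 7:
            f = sideload_finding(rec)
        elif rec["EventID"] == 1:
            f = renamed_binary_finding(rec)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real events). Placeholder DLL and host names.
SAMPLE_RECORDS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessSignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\update\\mscorsvw.exe", "ProcessSignatureStatus": "Valid",
     "ImageLoaded": "C:\\Users\\Public\\update\\constructed_payload.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Program Files\\ExampleAV\\scanhost.exe", "ProcessSignatureStatus": "Valid",
     "ImageLoaded": "C:\\Program Files\\ExampleAV\\constructed_loader.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Program Files\\ExampleAV\\scanhost.exe", "ProcessSignatureStatus": "Valid",
     "ImageLoaded": "C:\\Windows\\System32\\constructed_unsigned.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\update\\updsvc.exe", "OriginalFileName": "mscorsvw.exe"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\tool.exe", "ProcessSignatureStatus": "Unavailable",
     "ImageLoaded": "C:\\Users\\Public\\constructed_other.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The unsigned-host record at the end is deliberately ignored by the sideload rule: an unsigned process loading an unsigned DLL is ordinary for ad hoc tooling and would swamp the rule with noise, whereas the report's pattern is specifically a trusted, signed host (Windows service, Microsoft binary, AV component) carrying an untrusted DLL. Expect some medium-severity hits from legitimately unsigned third-party DLLs; the high-severity combination of a signed host plus an unsigned DLL in the same non-system directory is the one worth paging on.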
Indicators of Compromise
- [IP] 198.13.47.158 – Known Earth Longzhi C2 IP used in Cluster Charlie communications.
- [Domain] message.ooguy.com – C2 domain used by CCoreDoor backdoor (Cluster Bravo) communications.
- [Domain] googlespeedtest33.com – C2 domain variant observed in Earth Longzhi-related activity; related variants include vietsovspeedtest.com and evnpowerspeedtest.com.
- [Domain] vietsovspeedtest.com – Additional speedtest domain variant used in Earth Longzhi activity.
- [File] 443.txt – PocoProxy sample communications endpoint mentioned in PocoProxy activity.
- [File] sslwnd64.exe – PhantomNet backdoor implant referenced in Cluster Alpha overlap with Unfading Sea Haze findings.
- [File] mscorsvw.exe – Signed binary used to obfuscate backdoor deployment and lateral movement.