The Seqrite Labs APT-Team has uncovered a sophisticated cyber-espionage operation called Swan Vector, targeting educational and mechanical engineering sectors in Japan and Taiwan. The campaign uses multi-stage malware, deception techniques, and Google Drive infrastructure to evade detection and deploy Cobalt Strike payloads.
Affected: educational institutions, mechanical engineering sector in Japan and Taiwan
Key points
- The Swan Vector operation employs deceptive resume-themed lures and multi-stage malware delivery to targeted sectors in Japan and Taiwan.
- The initial infection begins with a malicious ZIP archive containing an LNK file that executes a DLL implant using rundll32.exe.
- The DLL implant resolves Windows APIs through API hashing and fetches additional payloads from Google Drive, using the trusted cloud service as covert staging infrastructure so the downloads blend in with legitimate traffic.
- Evasion relies on DLL sideloading, API hashing, and in-memory shellcode execution, so the final payload is only ever decrypted in memory.
- The decrypted shellcode is a Cobalt Strike beacon that communicates with a hardcoded C2 server via HTTPS, facilitating remote commands.
- Seqrite's analysis notes overlaps with known groups such as Winnti, Lazarus, and APT10, and attributes the campaign, with medium confidence, to an East Asian threat actor.
- The actor has staged further implants for later operations that target trusted Windows and Python applications, indicating the campaign is ongoing.
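The delivery chain above (ZIP, LNK, rundll32.exe loading a DLL, next stage pulled from Google Drive) leaves a recognisable pattern in endpoint telemetry. The following detection logic is an added example and is not code from Seqrite or from the original report; it runs over constructed Sysmon-style events (process-create and network-connect, as JSON) and flags a rundll32.exe process that was handed a DLL from a user-writable path and then contacted Google Drive. The event field names follow Sysmon's schema; the sample paths, hostnames and ProcessGuid values are made up for the example.

```python
import re

# Constructed sample telemetry (not real events), shaped like Sysmon EventID 1
# (process create) and EventID 3 (network connect) after JSON export.
SAMPLE_EVENTS = [
    # Swan Vector-style chain: LNK double-clicked from an extracted archive,
    # rundll32 loads a DLL from Temp, then the implant fetches its next stage.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\resume_pkg\loader.dll",#1'},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
    # Benign: rundll32 started by a service with a DLL from System32, no cloud traffic.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: a browser talking to Google Drive is normal and must not alert.
    {"EventID": 3, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationHostname": "drive.google.com", "DestinationPort": 443},
]

# Directories an unprivileged user can write to; a DLL loaded from here by
# rundll32 is the LNK-stage behaviour described in the report.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)

# Google Drive endpoints used for payload hosting (assumed list, extend as needed).
GDRIVE_HOSTS = {"drive.google.com", "drive.usercontent.google.com", "docs.google.com"}


def _is_rundll32(ev):
    return ev.get("Image", "").lower().endswith("\\rundll32.exe")


def is_suspicious_rundll32_launch(ev):
    """Process-create: rundll32.exe given a DLL that lives in a user-writable path."""
    if ev.get("EventID") != 1 or not _is_rundll32(ev):
        return False
    return bool(USER_WRITABLE.search(ev.get("CommandLine", "")))


def is_rundll32_cloud_fetch(ev):
    """Network-connect: rundll32.exe reaching Google Drive over HTTPS."""
    if ev.get("EventID") != 3 or not _is_rundll32(ev):
        return False
    return (ev.get("DestinationPort") == 443
            and ev.get("DestinationHostname", "").lower() in GDRIVE_HOSTS)


def triage(events):
    """Correlate both indicators per process.

    Returns {"high": [guids with launch AND fetch], "medium": [guids with one only]}.
    """
    launches = {ev["ProcessGuid"] for ev in events if is_suspicious_rundll32_launch(ev)}
    fetches = {ev["ProcessGuid"] for ev in events if is_rundll32_cloud_fetch(ev)}
    return {
        "high": sorted(launches & fetches),
        "medium": sorted(launches ^ fetches),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Either indicator alone is noisy (installers and control-panel applets legitimately use rundll32, and Google Drive traffic is everywhere), so the per-process correlation is what turns two weak signals into an alert worth paging on; the medium bucket is better suited to hunting than to alerting.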
Read More: https://securityonline.info/swan-vector-espionage-targets-japan-taiwan-with-advanced-malware/