Symantec's investigation reveals a complex network of Chinese espionage operations using sophisticated malware like Zingdoor, ShadowPad, and KrustyLoader, linked to groups Glowworm and UNC5221. The campaign targeted government agencies and a U.S. university, employing various exploits and stealth techniques to maintain long-term access. #Glowworm #UNC5221
Key points
- Chinese threat groups utilized interconnected malware families and infrastructure for espionage activities.
- Zingdoor, ShadowPad, and KrustyLoader were the primary tools deployed across multiple victim networks.
- The attackers exploited vulnerabilities in SQL Server and Apache HTTP to gain initial access.
- Public tools like Certutil and Revsocks were used for stealth, persistence, and credential theft.
- The campaign targeted government agencies and academic institutions, aiming for data theft and long-term espionage.