Lab52 describes a maldoc campaign aimed at Chinese-speaking users, delivered through Chinese-language phishing and built around a résumé (CV) decoy. The infection chain borrows from APT29 tradecraft but differs in notable ways (a Chinese-language decoy, staging in C:\ProgramData instead of AppData) and ends with a Cobalt Strike beacon for post-exploitation. #APT29 #SunJichao #PekingUniversity #CobaltStrike #appvisvsubsystems64.dll #DLLSideLoading #WinWord #UPX #Beijing #BeijingMunicipalCommunicationsCommission
Keypoints
- The lure is a Chinese-language maldoc aimed at Chinese-speaking users, using a CV-style decoy.
- Initial access is achieved through a Chinese-language phishing lure carrying a .lnk file; the shortcut runs aaa.bat through cmd.exe /c.
- The .bat is obfuscated with special characters and is decoded with Batch Encryption DeCoder; the decoded script is stage 0, which drops its artifacts and then cleans them up.
- Stage 0 copies and renames files in C:\ProgramData (wda.tmp becomes OfficeUpdate.exe and mbp.tmp becomes appvisvsubsystems64.dll) and opens the decoy PDF.
- Stage 1 executes OfficeUpdate.exe (the renamed WinWord binary), which side-loads the malicious appvisvsubsystems64.dll; the DLL runs a Go-derived payload and ultimately deploys a Cobalt Strike beacon for post-exploitation.
- The campaign overlaps with APT29 techniques but differs in its encrypted .bat, its Chinese-language decoy aimed at Beijing targets, and its staging location (C:\ProgramData rather than AppData).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Initial access via Chinese-language phishing. “The initial access is through Chinese phishing.”
- [T1059.003] Windows Command Shell – The .lnk runs the batch via cmd.exe: %windir%\system32\cmd.exe /c “__MACOSX.DOCX\aaa.bat”.
- [T1027] Obfuscated/Compressed Files and Information – The .bat is obfuscated with special characters and is decoded with Batch Encryption DeCoder.
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Stage 1 runs the legitimate WinWord binary (dropped as OfficeUpdate.exe), which side-loads the malicious appvisvsubsystems64.dll placed beside it in C:\ProgramData.
- [T1070.004] Indicator Removal: File Deletion – Stage 0 deletes the .tmp and utility files once the renamed copies are in place.
Indicators of Compromise
- [Hash] SHA-256 – D5A8B6635240CC190BC869A2A41BC437A48BFBFCCE0D218B879D9768D85D1D6F, F1F6BB1BDF41217D26EC33E00E1E52FBC479E636B5D43671736905210FC4D734, and 2 more hashes
- [File name] File names – 孙继超-北京大学-硕士.pdf.lnk (“Sun Jichao - Peking University - Master's.pdf.lnk”), aaa.bat (DESCIPHER)
- [Domain] Domain – info.gtjas.site
- [URL] URL – hxxp://123.60.168[.]69:443/jquery-3.3.2.slim.min.js
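The keypoints above describe the chain as an ordered set of host events (LNK-launched cmd.exe /c with a .bat, .tmp files renamed into OfficeUpdate.exe and appvisvsubsystems64.dll under C:\ProgramData, the DLL side-loaded from that directory, .tmp cleanup, then C2 contact), and the indicators section lists the atomic IoCs. The detector below is an added example, not code from Lab52 or from the write-up: it replays that chain over constructed Sysmon-style events and tags each match with the technique ID this page lists, alongside a plain IoC match. The event field names (type, image, parent, cmdline, src, dst, loaded, path, dest_ip, dest_host, sha256), the sample events, and the "legitimate Office path" used as a benign control are assumptions.

```python
"""Chain-aware detector for the LNK -> cmd.exe -> stage 0 -> side-load flow
summarised on this page. Added example; the telemetry format is assumed."""
import re

# IoCs copied from the Indicators section (hashes lowercased for comparison).
IOC_HASHES = {
    "d5a8b6635240cc190bc869a2a41bc437a48bfbfcce0d218b879d9768d85d1d6f",
    "f1f6bb1bdf41217d26ec33e00e1e52fbc479e636b5d43671736905210fc4d734",
}
IOC_DOMAINS = {"info.gtjas.site"}
IOC_IPS = {"123.60.168.69"}            # refanged from hxxp://123.60.168[.]69:443/...
IOC_FILES = {"officeupdate.exe", "appvisvsubsystems64.dll"}   # renamed stage 0 copies
PROGRAMDATA = "c:\\programdata\\"

# cmd.exe /c "<anything>.bat" with optional quotes, case-insensitive.
BAT_FROM_CMD = re.compile(r'cmd\.exe\s+/c\s+"?[^"]*\.bat"?', re.IGNORECASE)


def _in_programdata(path):
    return path.lower().startswith(PROGRAMDATA)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return a list of (tag, reason) for one event; an empty list means no match."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        # T1059.003: shortcut-style launch, explorer.exe -> cmd.exe /c <batch>.
        if BAT_FROM_CMD.search(event.get("cmdline", "")) and \
                _basename(event.get("parent", "")) == "explorer.exe":
            hits.append(("T1059.003", "cmd.exe /c <batch> launched from explorer.exe"))
    elif kind == "file_rename":
        # Stage 0: a .tmp in ProgramData becomes one of the two staged file names.
        src, dst = event.get("src", ""), event.get("dst", "")
        if src.lower().endswith(".tmp") and _in_programdata(dst) and _basename(dst) in IOC_FILES:
            hits.append(("stage0", ".tmp staged as %s in ProgramData" % _basename(dst)))
    elif kind == "image_load":
        # T1574.002: appvisvsubsystems64.dll loaded from ProgramData by a binary
        # that also lives there; the same DLL name under the Office install dir is normal.
        img, dll = event.get("image", ""), event.get("loaded", "")
        if _basename(dll) == "appvisvsubsystems64.dll" and _in_programdata(dll) and _in_programdata(img):
            hits.append(("T1574.002", "appvisvsubsystems64.dll side-loaded from ProgramData"))
    elif kind == "file_delete":
        # T1070.004: stage 0 removes its .tmp helpers after renaming them.
        path = event.get("path", "")
        if _in_programdata(path) and path.lower().endswith(".tmp"):
            hits.append(("T1070.004", "cleanup of %s" % _basename(path)))
    elif kind == "network":
        if event.get("dest_ip") in IOC_IPS or event.get("dest_host", "").lower() in IOC_DOMAINS:
            hits.append(("ioc", "C2 contact %s" % (event.get("dest_host") or event.get("dest_ip"))))
    # Hash match applies to any event type that carries a sha256 field.
    if event.get("sha256", "").lower() in IOC_HASHES:
        hits.append(("ioc", "known-bad SHA-256"))
    return hits


def scan(events):
    """Classify every event; return [(event_index, tag, reason), ...] in order."""
    return [(i, tag, why) for i, ev in enumerate(events) for tag, why in classify(ev)]


def chain_complete(findings):
    """True when the LNK launch, stage 0 staging and the side-load all appear,
    i.e. the shape of the chain described in the keypoints, not a lone IoC hit."""
    seen = {tag for _, tag, _ in findings}
    return {"T1059.003", "stage0", "T1574.002"} <= seen


# Constructed sample telemetry; not events captured from the campaign. The last
# event is a benign control: the real AppVIsvSubsystems64.dll loaded from an
# assumed Office install path should not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "__MACOSX\aaa.bat"'},
    {"type": "file_rename", "src": r"C:\ProgramData\wda.tmp", "dst": r"C:\ProgramData\OfficeUpdate.exe"},
    {"type": "file_rename", "src": r"C:\ProgramData\mbp.tmp", "dst": r"C:\ProgramData\appvisvsubsystems64.dll"},
    {"type": "image_load", "image": r"C:\ProgramData\OfficeUpdate.exe",
     "loaded": r"C:\ProgramData\appvisvsubsystems64.dll"},
    {"type": "file_delete", "path": r"C:\ProgramData\wda.tmp"},
    {"type": "network", "image": r"C:\ProgramData\OfficeUpdate.exe", "dest_ip": "123.60.168.69", "dest_port": 443},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for idx, tag, why in found:
        print("event %d  %-10s %s" % (idx, tag, why))
    print("chain complete:", chain_complete(found))
```

The side-load rule keys on the DLL being loaded from the same user-writable directory as its host rather than on the DLL name alone, which is what separates the staged copy in C:\ProgramData from the identically named file that ships with Office; chain_complete is what an analyst would page on, while a single IoC hit (the hash or the C2 address) is a lower-confidence lead to triage.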
Read more: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/