Researchers Identify 3 China-Linked Clusters Behind Cyberattacks in Southeast Asia
A trio of China-linked threat activity clusters has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort.
Cybersecurity company Sophos, which has been tracking the campaign, said it comprises three intrusion sets tracked as Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305). STAC stands for "security threat activity cluster."
"The perpetrators consistently utilized other compromised organizational and public service networks in that vicinity to distribute malicious software and tools under the façade of a trusted entry point," security researchers Mark Parsons, Morgan Demboski, and Sean Gallagher said in a technical report shared with The Hacker News.
A notable aspect of the attacks is the use of an unnamed organization's systems as a command-and-control (C2) relay point and a staging ground for tools. A second organization's compromised Microsoft Exchange Server is said to have been used to host malware.
Crimson Palace was first documented by the cybersecurity firm in early June 2024, with the attacks taking place between March 2023 and April 2024.
While the initial activity associated with Cluster Bravo, which overlaps with a threat group tracked as Unfading Sea Haze, was concentrated in March 2023, a new wave of attacks detected between January and June 2024 has been observed targeting 11 other organizations and agencies in the same region.
A fresh set of attacks orchestrated by Cluster Charlie, a cluster that overlaps with Earth Longzhi, has also been identified between September 2023 and June 2024, some of which involve the deployment of C2 frameworks such as Cobalt Strike, Havoc, and XieBroC2 to facilitate post-exploitation and deliver additional payloads such as SharpHound for mapping Active Directory infrastructure.
"Stealing data of intelligence worth remained a target after the restart of activity," the researchers said. "Nevertheless, a substantial portion of their endeavor appeared to be geared toward re-establishing and extending their foothold on the target network by circumventing EDR software and swiftly regaining access when their C2 implants had been obstructed."
Another notable aspect is Cluster Charlie's heavy reliance on DLL hijacking to execute malware, a technique previously adopted by the threat actors behind Cluster Alpha, suggesting a "cross-pollination" of tactics. In DLL hijacking, a malicious library is placed where a legitimate, often signed, executable will load it instead of (or before) the real library, so the attacker's code runs under the cover of a trusted process.
Some of the other publicly available tools used by the threat actor include RealBlindingEDR and Alcatraz, which make it possible to terminate antivirus processes and obfuscate portable executable files (e.g., .exe, .dll, and .sys) with the goal of evading detection.
Rounding off the cluster's malware arsenal is a previously undocumented keylogger codenamed TattleTale that was first identified in August 2023 and is capable of collecting Google Chrome and Microsoft Edge browser data.
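As an added illustration of the DLL hijacking technique described above (example code written for this page, not part of the Sophos report or the article), the following Python script triages Sysmon Event ID 7 (ImageLoad) records for two common hijacking signals: a DLL that carries the name of a Windows system library but is loaded from outside the Windows directories, and an unsigned DLL loaded from a user-writable location. The sample event records, the list of hijack-prone library names, and the directory lists are constructed assumptions for the example and should be tuned to the environment.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for DLL search-order hijacking
and side-loading. The records, library list and directory lists below are
constructed for this example; they are not taken from the Sophos report."""
import json
from pathlib import PureWindowsPath

# Directories Windows normally loads its own libraries from (lower-cased,
# no trailing backslash). A system-named DLL loaded from anywhere else is
# the classic hijack signal.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Locations a standard user can write to; an unsigned DLL loaded from here is
# worth a look regardless of its name. Assumed list.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp", r"c:\temp")

# Libraries frequently targeted for search-order hijacking (illustrative list).
HIJACK_PRONE = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
                "userenv.dll", "msimg32.dll", "dwmapi.dll", "profapi.dll"}


def _under(path_dir: str, roots) -> bool:
    """True if the (lower-cased) directory is one of roots or lies beneath one."""
    return any(path_dir == r or path_dir.startswith(r + "\\") for r in roots)


def classify(event: dict) -> list:
    """Return the reasons an ImageLoad event looks like DLL hijacking (empty if none)."""
    dll = PureWindowsPath(event["ImageLoaded"].lower())
    dll_dir = str(dll.parent)
    reasons = []
    if dll.name in HIJACK_PRONE and not _under(dll_dir, TRUSTED_DIRS):
        reasons.append(f"system DLL name {dll.name} loaded from {dll_dir}")
    if event.get("Signed", "false").lower() != "true" and _under(dll_dir, USER_WRITABLE):
        reasons.append(f"unsigned DLL loaded from user-writable path {dll_dir}")
    return reasons


def scan(lines) -> dict:
    """Map each suspicious ImageLoaded path to its list of reasons."""
    findings = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        reasons = classify(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings


# Constructed Sysmon-style records (one JSON object per line), not real telemetry.
SAMPLE_LOG = [
    # 1. Benign: svchost loads the genuine version.dll from System32.
    r'{"EventID":7,"ProcessId":"1204","Image":"C:\\Windows\\System32\\svchost.exe",'
    r'"ImageLoaded":"C:\\Windows\\System32\\version.dll","Signed":"true","Signature":"Microsoft Windows"}',
    # 2. Side-loading: an executable dropped in a public folder pulls an unsigned
    #    version.dll from its own directory instead of System32.
    r'{"EventID":7,"ProcessId":"5320","Image":"C:\\Users\\Public\\Libraries\\update.exe",'
    r'"ImageLoaded":"C:\\Users\\Public\\Libraries\\version.dll","Signed":"false","Signature":"-"}',
    # 3. Benign third-party: a vendor app loads its own unsigned plugin from Program Files.
    r'{"EventID":7,"ProcessId":"2288","Image":"C:\\Program Files\\Vendor\\app.exe",'
    r'"ImageLoaded":"C:\\Program Files\\Vendor\\plugin.dll","Signed":"false","Signature":"-"}',
    # 4. Hijack: a system-named DLL loaded from ProgramData by a Program Files host.
    r'{"EventID":7,"ProcessId":"2288","Image":"C:\\Program Files\\Vendor\\app.exe",'
    r'"ImageLoaded":"C:\\ProgramData\\Vendor\\dbghelp.dll","Signed":"false","Signature":"-"}',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Records 2 and 4 are flagged (each on both rules); records 1 and 3 are not. In production the Signed field should be combined with SignatureStatus, and the user-writable rule will need per-application exclusions, since some legitimate software does load unsigned libraries from ProgramData.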
“The malware has the ability to identify the compromised system and inspect for mounted physical and network drives by imitating a logged-on user,” the researchers elucidated.
“TattleTale also captures the domain controller name and pilfers the LSA (Local Security Authority) Query Information Policy, which is recognized to contain sensitive details associated with password policies, security configurations, and sometimes cached passwords.”
In summary, the three clusters work in concert while each focuses on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrowing deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).
“Throughout the operation, the adversary seemed to continuously experiment and refine their methods, tools, and methodologies,” the researchers concluded. “As we implemented countermeasures for their customized malicious software, they fused the usage of their custom-developed tools with generic, open-source tools commonly utilized by legitimate penetration testers, experimenting with different combinations.”