Pulse: Operation Crimson Palace: A Technical Deep Dive
TLP: WHITE | Adversary: Chinese state actors | Author: AlienVault | Created: 2024-06-06 | Modified: 2024-07-06
127 IOCs (high volume)
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.
MITRE ATT&CK & Malware Families
Malware families: NUPAKAGE, EAGERBEE, CCoreDoor, PhantomNet, PowHeartBeat, RUDEBIRD, Impersoni-Fake-Ator, PocoProxy, Cobalt Strike (S0154)
Indicators of Compromise (12 of 127 total shown)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 8f3862191232959fc941afd4c2943b86 2024-06-06
FileHash-MD5 ce74b7b305b8f6e8ef650e348118e902 2024-06-06
FileHash-MD5 e09c9841d8d9f77cde35499f083ef752 2024-06-06
FileHash-MD5 e397775e130add76d0140c413efd183f 2024-06-06
FileHash-MD5 054a32d6033b1744dca7f49b2e466ea2 2024-06-06
FileHash-MD5 3ac3d514f4600611af8cb83e50e3e9a1 2024-06-06
FileHash-MD5 26a3762b49b1c6c04c859dd4305e4f95 2024-06-06
FileHash-MD5 57b51418a799d2d016be546f399c2e9b 2024-06-06
FileHash-MD5 5e83b6ed422399de04408b80f3e5470e 2024-06-06
FileHash-MD5 609aa4fe6955ee8fadaabbbcda229376 2024-06-06
FileHash-MD5 8a0af14818eb5d6041d6988af1cf586d 2024-06-06
FileHash-MD5 aaf1146ec9c633c4c3fbe8091f1596d8 2024-06-06