Pulse name: Operation Crimson Palace: A Technical Deep Dive
TLP: WHITE. Adversary: Chinese state actors. Author: AlienVault. Created: 2024-06-06. Modified: 2024-07-06.
Indicators of compromise: 127 (high volume)
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse.
Malware families: NUPAKAGE, EAGERBEE, CCoreDoor, PhantomNet, PowHeartBeat, RUDEBIRD, Impersoni-Fake-Ator, PocoProxy, Cobalt Strike (S0154)
Indicators of Compromise (12 of 127 total shown)
Type           Indicator                                  Description  Created
FileHash-SHA1  78e281e3246fa64c58b97fad2dd8420b259f26ec   -            2024-06-06
FileHash-SHA1  b5263b23ee594e06f42dfe95266dbc2d5d394a29   -            2024-06-06
FileHash-SHA1  bf1993403d7e4e0951cea1e337c0dadc2cd68429   -            2024-06-06
FileHash-SHA1  edc93c5d1fa686eea9e264905b2840bfe699e3fd   -            2024-06-06
FileHash-SHA1  c85c9a09cd1cb1691da0d96772391be6ddba3555   -            2024-06-06
FileHash-SHA1  e3ec286eb20ed6b62b222d21f6419f7d92cc7ef4   -            2024-06-06
FileHash-SHA1  5d36b4531c300363e9f3c4183fae028c309ca157   -            2024-06-06
FileHash-SHA1  a5059f5a353d7fa5014c0584c7ec18b808c2a02c   -            2024-06-06
FileHash-SHA1  aeed35a4d6a958a159934a7067b342b1d26630bc   -            2024-06-06
FileHash-SHA1  d8a4b7e911bc8d2611caeea3183acede65a9eeb7   -            2024-06-06
FileHash-SHA1  e1f0f31aff1267564ceab9b27449b8279d050ff9   -            2024-06-06
FileHash-SHA1  eeab6782b7418c03602419fc74b5975a9054a22d   -            2024-06-06