China-based cyber espionage campaign in SE Asia is expanding, says Sophos
Pulse by tr2222200, TLP: WHITE, created 2024-09-16, modified 2024-10-16
According to cybersecurity company Sophos, a suspected China-based cyber espionage campaign called "Operation Crimson Palace" is expanding its operations to additional countries. The campaign began in 2023 and is made up of three attack groups whose activity is managed by China's Ministry of State Security. The group's activity ceased in August 2023, but has recently resumed using a previously undocumented keylogger. The group uses open-source tools like Cobalt Strike (for command and control [C2 or C&C]), SharpHound (for reconnaissance), Impacket (for lateral movement), Donut (a shellcode loader), Cloudflare tunnel (also for C2 work),
Indicators of Compromise (41)