Pulse name: China-based cyber espionage campaign in SE Asia is expanding, says Sophos
TLP: WHITE | Author: tr2222200 | Created: 2024-09-16 | Modified: 2024-10-16
41 IOCs (medium volume)
According to cybersecurity company Sophos, a suspected China-based cyber espionage campaign called "Operation Crimson Palace" is expanding its operations to additional countries. The campaign began in 2023 and is made up of three attack groups whose activity is managed by China's Ministry of State Security. The group's activity ceased in August 2023, but has recently resumed using a previously undocumented keylogger. The group uses open-source tools like Cobalt Strike (for command and control [C2 or C&C]), SharpHound (for reconnaissance), Impacket (for lateral movement), Donut (a shellcode loader), Cloudflare tunnel (also for C2 work),
Indicators of Compromise (8 / 41 total)