Three China-Linked APT Clusters Converge on Southeast Asian Governments in Coordinated Espionage Blitz

Three Clusters, One Target, Parallel Kill Chains

Palo Alto Networks Unit 42 disclosed a series of overlapping cyberespionage campaigns targeting a single Southeast Asian government organization, carried out by three distinct China-linked threat clusters operating in parallel [1]. What initially appeared to be a single intrusion turned out to be three separate operations running simultaneously, sometimes hitting the same endpoints [8]. The clusters are tracked as Stately Taurus (Mustang Panda), CL-STA-1048 (overlapping with Earth Estries/Salt Typhoon and Crimson Palace), and CL-STA-1049 (overlapping with Unfading Sea Haze) [2][3]. Their combined malware arsenal includes USB-propagated worms, custom loaders, information stealers, and multiple remote access trojans [2].

This isn't an isolated finding. A broader pattern of collaborative Chinese cyber operations against Southeast Asian targets has been documented across multiple research teams. Trend Micro described an emerging "Premier Pass-as-a-Service" model in which Earth Estries acts as an access broker for Earth Naga, sharing compromised footholds for continued exploitation [7]. Symantec tracked Billbug (Lotus Panda) breaching a government ministry, an air traffic control organization, a telecoms operator, and a construction company in the same Southeast Asian country between August 2024 and February 2025 [5]. Check Point identified a new group it calls Silver Dragon, assessed with high confidence to be China-nexus and likely linked to APT41, targeting government ministries across the region [6].

The scale and coordination of these operations represent a structural shift in how Chinese state-sponsored cyber actors organize against priority intelligence targets.

The Three Clusters: Who They Are

Stately Taurus (Mustang Panda) was active from June through August 2025 against the targeted government entity [2][3]. This group has long been one of the most prolific China-aligned espionage operators, and its operations here centered on USB-based malware propagation. Unit 42 first detected PUBLOAD backdoor activity attributed to Stately Taurus across multiple endpoints on June 1, 2025 [1].

CL-STA-1048 operated from March through September 2025 and overlaps with Earth Estries (also tracked as Salt Typhoon, FamousSparrow, and GhostEmperor) and Crimson Palace [2][3]. Earth Estries has primarily targeted telecommunications and government entities across the US, Asia-Pacific, and Middle East [7]. Trend Micro identified the group deploying a new GHOSTSPIDER backdoor in Southeast Asian telecom attacks and MASOL RAT on Linux devices in government networks [12].

CL-STA-1049 was active in April and August 2025, with operations overlapping those of Unfading Sea Haze [2][3]. This cluster introduced a novel loader called Hypnosis Loader to deploy the FluffyGh0st RAT [1].

A fourth cluster, CL-STA-1087, disclosed separately by Unit 42 in March 2026, has been targeting Southeast Asian military organizations since at least 2020 with a custom toolset and China-based cloud infrastructure [4][11].

USB Worms and PUBLOAD: Stately Taurus Operations

Stately Taurus relied on a USB-propagated malware called USBFect (also known as HIUPAN) to gain initial footholds [1][2]. USBFect spreads via infected USB drives, a technique that remains effective in government environments where removable media is used to transfer files between air-gapped and connected networks.

Once USBFect executes on a host, it deploys the PUBLOAD backdoor [1]. PUBLOAD execution involves a shellcode loader called ClaimLoader, which has been observed using DLL files such as mscorsvc.dll and EVENT.dll to load the backdoor into memory [9][10]. The malware establishes working directories at paths like C:\Users\Public\Libraries\Dialogui [10].

Stately Taurus also deployed the ToneShell backdoor through DLL sideloading, with network communications using fake TLS headers (byte sequence 17 03 03) to disguise C2 traffic as legitimate encrypted sessions [14]. ToneShell has been observed installed at C:\ProgramData\ChromePDFBrowser\ChromePDF.exe, using chrome_elf.dll as the sideloaded malicious DLL [14].

CL-STA-1048: Salt Typhoon's Expanding Toolkit

CL-STA-1048's operations used a broad espionage toolkit [1]. The cluster deployed EggStremeFuel (a Gorem RAT variant for in-memory payload execution), PoshRAT, MASOL RAT for Linux targets, and the TrackBak information stealer for capturing keystrokes and clipboard data [2][10].

The connection to Salt Typhoon is significant. Silent Push identified previously unreported domains linked to Salt Typhoon and UNC4841 [13]. Darktrace documented a Salt Typhoon intrusion beginning with exploitation of CVE-2025-5777 (CVSS 9.3) in Citrix NetScaler Gateway, followed by deployment of SNAPPYBEE (Deed RAT) via DLL sideloading [15]. The attackers used legitimate antivirus software executables to load their payloads [15].

Earth Estries has also deployed the DEMODEX rootkit and CrowDoor backdoor in related campaigns [12]. Trend Micro's research on the "Premier Pass-as-a-Service" model showed Earth Estries compromising an unmanaged host to reach a vulnerable internal web server on January 22, 2025, then brokering that access to Earth Naga for continued exploitation [7].

CL-STA-1049: Unfading Sea Haze and Novel Malware

CL-STA-1049 brought new tools to the table. The Hypnosis Loader is a previously undocumented loader designed to deploy FluffyGh0st, a remote access trojan [1][3]. The naming conventions and operational patterns of CL-STA-1049 overlap with Unfading Sea Haze, a group that has maintained persistent focus on Southeast Asian government targets [2][3].

Military Targeting: CL-STA-1087

Disclosed in March 2026, CL-STA-1087 represents a separate but related thread. This cluster has been targeting Southeast Asian military organizations since at least 2020, demonstrating what Unit 42 described as "strategic operational patience" [4]. The attackers actively searched for files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces [4].

CL-STA-1087's custom toolset includes the AppleChris backdoor (dropped as swprv32.sys in System32), the MemFun backdoor (masquerading as GoogleUpdate.exe), and the Getpass credential harvester [4][11]. The cluster's C2 servers used China-based cloud network infrastructure [4].

Wider Campaign Context

Beyond these clusters, additional Chinese APT groups have been hitting the same region. Billbug (Lotus Panda), active since at least 2009, ran campaigns from August 2024 through February 2025 against government, aviation, telecom, and construction targets in a Southeast Asian country [5]. Silver Dragon, active since mid-2024 and likely linked to APT41, has been targeting government ministries by exploiting public-facing servers and using the GearDoor backdoor, which communicates through Google Drive [6]. A third overlap involved Gelsemium, which deployed the SessionManager IIS backdoor and OwlProxy alongside web shells including reGeorg, China Chopper, and AspxSpy [8].

CISA's joint advisory documented Chinese APT activity across telecommunications, government, transportation, and defense networks, involving Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor [9].

IOC Table

MITRE ATT&CK Techniques

Detection and Hunting

USB-based propagation. Monitor for new executable files written to removable media volumes. Look for USBFect / HIUPAN behavioral patterns: a process writing executables to USB root directories followed by creation of autorun configuration files. EDR telemetry showing PUBLOAD execution from C:\Users\Public\Libraries\Dialogui is a strong indicator [10].

DLL sideloading artifacts. Hunt for chrome_elf.dll loaded by processes outside normal Chrome installation directories, particularly from C:\ProgramData\ChromePDFBrowser\ [14]. Similarly, mscorsvc.dll and EVENT.dll loaded outside their expected .NET framework paths warrant investigation [9][10]. Sysmon Event ID 7 (Image Loaded) filtered for these DLL names in unusual directories is a practical starting point.

Fake TLS traffic. ToneShell's use of 17 03 03 byte sequences as fake TLS headers can be detected by TLS inspection tools that flag malformed handshakes. Network traffic to 218.255.96.245 or matching this pattern without a valid TLS negotiation preceding it should be flagged [14].

Web shell detection. Scan IIS servers for SessionManager, China Chopper, reGeorg, and AspxSpy artifacts. Look for .aspx files in web-accessible directories with recent modification timestamps. Monitor IIS worker processes (w3wp.exe) spawning cmd.exe or PowerShell [8][16].

C2 domain monitoring. Add palloaltonetworks.com (the typosquatted domain), onlineeylity.com, cloudprocenter.com, and thetavaluemetrics.com to DNS blocklists and hunt retrospectively in DNS logs [12][13][15]. The user agent string NetSupport Manager/1.3 in proxy logs is another indicator of SNAPPYBEE C2 communications [15].

Credential harvesting. The Getpass tool used by CL-STA-1087 targets stored credentials. Monitor for unusual LSASS access patterns and the presence of swprv32.sys in System32 or GoogleUpdate.exe running from non-standard paths [4][11].

Analysis

The convergence of multiple Chinese APT clusters on the same targets isn't accidental. The Trend Micro research on "Premier Pass-as-a-Service" provides the clearest evidence yet that these groups aren't just operating in parallel: they're actively sharing access [7]. Earth Estries compromised infrastructure and then handed it off to Earth Naga. This is access brokering between state-sponsored teams, a level of inter-group coordination that was rarely documented before 2025.

The malware diversity is striking. Across the documented clusters, defenders face USB worms, custom loaders, multiple RAT families, IIS backdoors, rootkits, credential harvesters, and information stealers. No single detection approach covers this breadth. The attackers are distributing risk across toolsets: even when one cluster's tools are burned, the others can continue operating.

Target selection follows clear strategic logic. Government agencies, military organizations, telecommunications providers, and critical infrastructure operators in Southeast Asia all represent intelligence priorities tied to South China Sea disputes, regional alliance structures, and economic competition. CL-STA-1087's specific focus on files about military capabilities and cooperation with Western armed forces is particularly revealing [4].

The operational timelines also show deliberate deconfliction. Stately Taurus operated June through August, CL-STA-1048 ran March through September, and CL-STA-1049 appeared in April and August [2][3]. These overlapping but distinct windows suggest some level of tasking coordination to avoid stepping on each other's operations.

References

1. Unit 42 - Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government
2. SC World - China-linked groups conduct sophisticated cyber espionage against Southeast Asian government
3. Security Affairs - China-Linked groups target Southeast Asian government with advanced malware
4. Unit 42 - Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
5. The Record - China-linked Billbug hackers breached multiple entities in Southeast Asian country
6. Check Point - Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments in Asia and Europe
7. Trend Micro - The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
8. CSO Online - Chinese state actors behind espionage attacks on Southeast Asian government
9. CISA Joint Advisory on Chinese State-Sponsored APT Activity
10. Unit 42 - Southeast Asian Government Targeting (mirror)
11. SecurityWeek - China-Linked Hackers Target Asian Military Organizations
12. Trend Micro - Earth Estries (Salt Typhoon) Analysis
13. Silent Push - Salt Typhoon Domain Infrastructure
14. KillSwitch - Mustang Panda ToneShell Campaign Analysis
15. Darktrace - Salt Typhoon Intrusion Analysis
16. MITRE ATT&CK - China Chopper Web Shell

Hunt Guide: Hunt Report: Coordinated Chinese APT Campaign Targeting Southeast Asian Governments

Hypothesis: If Chinese APT clusters (Stately Taurus, CL-STA-1048, CL-STA-1049) are active in our environment, we expect to observe USB-based malware propagation, DLL sideloading artifacts, web shells on IIS servers, and C2 communications to known infrastructure in Sysmon, Windows Security, IIS, and DNS logs.

Intelligence Summary: Multiple China-linked APT clusters are conducting parallel espionage operations against Southeast Asian government organizations, with evidence of access brokering between groups. The campaign involves USB worms, custom loaders, multiple RAT families, and demonstrates unprecedented coordination between traditionally independent Chinese cyber operations.

Confidence: High | Priority: Critical

Scope

• Networks: All government and critical infrastructure networks, with priority on external-facing services and systems with USB access
• Timeframe: Initial sweep: 180 days retrospective. Ongoing: Real-time monitoring with 30-day retention
• Priority Systems: Citrix NetScaler gateways, IIS web servers, endpoints with removable media access, domain controllers

MITRE ATT&CK Techniques

T1091 — Replication Through Removable Media (Initial Access) [P1]

USBFect/HIUPAN malware propagates via infected USB drives to deploy PUBLOAD backdoor

Splunk SPL:

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 (TargetFilename="*\\*.exe" OR TargetFilename="*\\autorun.inf") Image!="*\\System32\\*" | regex TargetFilename="^[A-Z]:\\[^\\]+\.(exe|scr|com|bat|cmd|vbs|js)$" | stats count by Computer, Image, TargetFilename | where count > 5

Elastic KQL:

event.code:11 AND file.path:(/*.exe OR /*.scr OR /*.com OR /autorun.inf) AND NOT process.executable:*\\System32\\* AND file.path:/^[A-Z]:\\[^\\]+\.(exe|scr|com|bat|cmd|vbs|js)$/

Sigma Rule:

title: USBFect Malware Propagation Detection
id: a7c3d773-caef-227e-a7e7-c2f13c622329
status: experimental
description: Detects potential USBFect/HIUPAN USB propagation behavior
references:
    - https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/
author: PEAK Framework
date: 2025/01/24
modified: 2025/01/24
tags:
    - attack.initial_access
    - attack.t1091
    - detection.emerging_threats
logsource:
    category: file_create
    product: windows
detection:
    selection_drive:
        TargetFilename|re: '^[A-Z]:\\[^\\]+\.(exe|scr|com|bat|cmd|vbs|js)$'
    selection_autorun:
        TargetFilename|endswith: '\autorun.inf'
    filter_system:
        Image|contains: '\System32\'
    condition: (selection_drive or selection_autorun) and not filter_system
falsepositives:
    - Legitimate portable applications
    - Antivirus USB vaccination tools
level: high

Monitor for executables written to USB root directories. Whitelist known portable apps. Alert on autorun.inf creation.

T1574.002 — DLL Side-Loading (Persistence) [P1]

ToneShell uses chrome_elf.dll sideloading, SNAPPYBEE loads via legitimate AV executables

Splunk SPL:

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 (ImageLoaded="*\\chrome_elf.dll" OR ImageLoaded="*\\mscorsvc.dll" OR ImageLoaded="*\\EVENT.dll") NOT (Image="*\\Google\\Chrome\\Application\\chrome.exe" OR Image="*\\Microsoft.NET\\*") | eval suspicious_path=case(match(ImageLoaded,"ChromePDFBrowser"),"ToneShell", match(ImageLoaded,"Public\\Libraries"),"PUBLOAD", 1=1,"Unknown") | stats values(ImageLoaded) as DLLs, values(suspicious_path) as Threat by Computer, Image

Elastic KQL:

event.code:7 AND (file.name:("chrome_elf.dll" OR "mscorsvc.dll" OR "EVENT.dll") AND NOT (process.executable:*\\Google\\Chrome\\Application\\chrome.exe OR process.executable:*\\Microsoft.NET\\*))

Sigma Rule:

title: Chinese APT DLL Sideloading Detection
id: b4c3d773-caef-437e-a7e7-c2f14c633429
status: stable
description: Detects DLL sideloading patterns used by Chinese APT groups
references:
    - https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/
author: PEAK Framework
date: 2025/01/24
tags:
    - attack.persistence
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith:
            - '\chrome_elf.dll'
            - '\mscorsvc.dll'
            - '\EVENT.dll'
    filter_legitimate:
        Image|contains:
            - '\Google\Chrome\Application\'
            - '\Microsoft.NET\'
    suspicious_paths:
        ImageLoaded|contains:
            - '\ChromePDFBrowser\'
            - '\Public\Libraries\Dialogui\'
    condition: selection_dll and not filter_legitimate
falsepositives:
    - None expected
level: critical

Focus on chrome_elf.dll outside Chrome directories. Check for ChromePDFBrowser path (ToneShell indicator).

T1505.003 — Web Shell (Persistence) [P1]

China Chopper, reGeorg, AspxSpy, and SessionManager web shells on compromised IIS servers

Splunk SPL:

index=* (sourcetype=iis OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) ((ParentImage="*\\w3wp.exe" AND (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe")) OR (cs_uri_stem="*.aspx" AND (sc_status=200 OR sc_status=500) AND cs_method="POST" AND (cs_uri_query="*eval*" OR cs_uri_query="*exec*" OR cs_Referer="-"))) | eval webshell_type=case(match(_raw,"SessionManager"),"SessionManager", match(_raw,"China.*Chopper"),"ChinaChopper", match(_raw,"reGeorg"),"reGeorg", match(_raw,"AspxSpy"),"AspxSpy", 1=1,"Unknown") | stats count by Computer, webshell_type, ParentImage, Image

Elastic KQL:

(process.parent.name:"w3wp.exe" AND process.name:("cmd.exe" OR "powershell.exe" OR "wscript.exe")) OR (url.path:*.aspx AND http.response.status_code:(200 OR 500) AND http.request.method:"POST")

Monitor w3wp.exe spawning shells. Scan for known web shell file patterns. Check IIS logs for suspicious POST requests to .aspx files.

T1190 — Exploit Public-Facing Application (Initial Access) [P1]

CVE-2025-5777 (CVSS 9.3) Citrix NetScaler Gateway exploitation by Salt Typhoon

Splunk SPL:

index=* (sourcetype=citrix:netscaler OR sourcetype=citrix) (CVE-2025-5777 OR (uri="*/vpn/*" AND (status=500 OR status=200) AND (method=POST OR method=PUT) AND (src!="10.0.0.0/8" AND src!="172.16.0.0/12" AND src!="192.168.0.0/16"))) | rex field=uri "(?<exploit_attempt>(\.\./|%2e%2e%2f|\\x2e\\x2e|cmd=|exec\(|system\())" | where isnotnull(exploit_attempt) | stats count by src, dest, uri, exploit_attempt

Elastic KQL:

(event.module:citrix AND vulnerability.id:"CVE-2025-5777") OR (url.path:*/vpn/* AND http.response.status_code:(500 OR 200) AND http.request.method:(POST OR PUT) AND NOT source.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16))

Patch CVE-2025-5777 immediately. Monitor Citrix logs for exploitation attempts. Watch for SNAPPYBEE deployment post-exploitation.

T1071 — Application Layer Protocol (Command and Control) [P2]

GearDoor using Google Drive for C2, ToneShell using fake TLS headers (17 03 03)

Splunk SPL:

index=* (sourcetype=proxy OR sourcetype=bro:http:json) ((dest="drive.google.com" OR dest="*.googleapis.com") AND (bytes_out>1000000 OR bytes_in>1000000)) OR (user_agent="NetSupport Manager/1.3") | eval c2_type=case(match(dest,"google"),"GearDoor", match(user_agent,"NetSupport"),"SNAPPYBEE", 1=1,"Unknown") | stats sum(bytes_out) as total_upload, sum(bytes_in) as total_download by src, dest, c2_type

Elastic KQL:

(destination.domain:("drive.google.com" OR "*.googleapis.com") AND (network.bytes:(>1000000))) OR (user_agent.original:"NetSupport Manager/1.3")

Monitor unusual Google Drive API usage. Alert on NetSupport Manager user agent. Use DPI to detect fake TLS headers (17 03 03).

T1055 — Process Injection (Defense Evasion) [P2]

In-memory payload execution via EggStremeFuel/ClaimLoader

Splunk SPL:

index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=8 OR EventCode=10) (TargetImage="*\\svchost.exe" OR TargetImage="*\\explorer.exe" OR TargetImage="*\\winlogon.exe") SourceImage!="*\\System32\\*" | where GrantedAccess IN ("0x1F0FFF", "0x1FFFFF", "0x1010", "0x1410") | stats count by Computer, SourceImage, TargetImage, GrantedAccess | where count > 3

Elastic KQL:

(event.code:(8 OR 10) AND process.name:("svchost.exe" OR "explorer.exe" OR "winlogon.exe") AND NOT process.executable:*\\System32\\*)

Monitor for process injection into critical Windows processes. Focus on non-System32 sources injecting into svchost/explorer.

Indicators of Compromise

IOC Sweep Queries (Splunk):

index=* (filename="mscorsvc.dll" OR file="mscorsvc.dll" OR ImageLoaded="*\\mscorsvc.dll") | stats count by host, source

index=* (filename="EVENT.dll" OR file="EVENT.dll" OR ImageLoaded="*\\EVENT.dll") | stats count by host, source

index=* (filename="swprv32.sys" OR file="swprv32.sys" OR TargetFilename="*\\swprv32.sys") | stats count by host, source

index=* (filename="GoogleUpdate.exe" OR CommandLine="*GoogleUpdate.exe*") NOT (Image="*\\Google\\Update\\GoogleUpdate.exe") | stats count by host, Image, CommandLine

index=* (ImageLoaded="*\\chrome_elf.dll" OR filename="chrome_elf.dll") NOT Image="*\\Google\\Chrome\\Application\\chrome.exe" | stats count by host, Image, ImageLoaded

index=* (TargetFilename="*\\ChromePDFBrowser\\ChromePDF.exe" OR Image="*\\ChromePDFBrowser\\ChromePDF.exe" OR CommandLine="*ChromePDFBrowser*") | stats count by host, TargetFilename, Image

index=* (TargetFilename="*\\Public\\Libraries\\Dialogui*" OR CurrentDirectory="*\\Public\\Libraries\\Dialogui*") | stats count by host, TargetFilename, CurrentDirectory

index=* (dest_ip="141.255.164.98" OR dest="141.255.164.98" OR dst="141.255.164.98") | stats count by src, src_ip, dest_port

index=* (dest_ip="218.255.96.245" OR dest="218.255.96.245" OR dst="218.255.96.245") | stats count by src, src_ip, dest_port

index=* (dest_ip="74.91.125.57" OR dest="74.91.125.57" OR dst="74.91.125.57") | stats count by src, src_ip, dest_port

index=* (query="palloaltonetworks.com" OR dest="palloaltonetworks.com" OR url="*palloaltonetworks.com*") | stats count by src, query_type

index=* (query="onlineeylity.com" OR dest="onlineeylity.com" OR url="*onlineeylity.com*") | stats count by src, query_type

index=* (query="cloudprocenter.com" OR dest="cloudprocenter.com" OR url="*cloudprocenter.com*") | stats count by src, query_type

index=* (query="thetavaluemetrics.com" OR dest="thetavaluemetrics.com" OR url="*thetavaluemetrics.com*") | stats count by src, query_type

YARA Rules

APT_CN_ToneShell_Loader — Detects ToneShell backdoor and chrome_elf.dll sideloading artifacts

rule APT_CN_ToneShell_Loader {
    meta:
        description = "Detects ToneShell backdoor and DLL sideloading artifacts"
        author = "PEAK Framework"
        date = "2025-01-24"
        reference = "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/"
        hash1 = "unknown"
    strings:
        $s1 = "ChromePDFBrowser" wide ascii
        $s2 = "chrome_elf.dll" wide ascii
        $s3 = "ChromePDF.exe" wide ascii
        $s4 = {17 03 03} // Fake TLS header
        $s5 = "218.255.96.245" wide ascii
        $pdb1 = "ChromePDFBrowser.pdb" ascii
        $mutex1 = "Global\\ChromePDFMutex" wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (3 of ($s*) or (2 of ($s*) and ($pdb1 or $mutex1)))
}

APT_CN_PUBLOAD_ClaimLoader — Detects PUBLOAD backdoor and ClaimLoader components

rule APT_CN_PUBLOAD_ClaimLoader {
    meta:
        description = "Detects PUBLOAD backdoor and ClaimLoader shellcode loader"
        author = "PEAK Framework"
        date = "2025-01-24"
        reference = "https://unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/"
    strings:
        $s1 = "mscorsvc.dll" wide ascii
        $s2 = "EVENT.dll" wide ascii
        $s3 = "Public\\Libraries\\Dialogui" wide ascii
        $s4 = "ClaimLoader" ascii
        $shellcode1 = {E8 00 00 00 00 5? 8? ?? ?? ?? ?? ?? C3} // Shellcode pattern
        $api1 = "VirtualAlloc" ascii
        $api2 = "VirtualProtect" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        ((2 of ($s*)) or ($shellcode1 and all of ($api*)))
}

APT_CN_ChinaChopper_Webshell — Detects China Chopper web shell variants

rule APT_CN_ChinaChopper_Webshell {
    meta:
        description = "Detects China Chopper web shell"
        author = "PEAK Framework"
        date = "2025-01-24"
        reference = "https://attack.mitre.org/software/S0020/"
    strings:
        $asp1 = "eval(Request" nocase
        $asp2 = "Execute(Request" nocase
        $asp3 = "eval request(" nocase
        $aspx1 = "eval(Request.Item[" nocase
        $aspx2 = "unsafe{eval(Request" nocase
        $php1 = "@eval($_POST[" nocase
        $php2 = "@eval($_REQUEST[" nocase
        $php3 = "eval(base64_decode($_POST" nocase
    condition:
        filesize < 1KB and
        any of them
}

Suricata Rules

SID 2051001 — APT CN ToneShell Fake TLS Communication

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APT CN ToneShell Fake TLS Communication"; flow:established,to_server; content:"|17 03 03|"; depth:3; pcre:"/^(?!\x16\x03)/"; content:!"Host:"; reference:url,unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/; classtype:trojan-activity; sid:2051001; rev:1;)

SID 2051002 — APT CN Salt Typhoon C2 Domain DNS Query

alert dns $HOME_NET any -> any 53 (msg:"APT CN Salt Typhoon C2 Domain DNS Query"; dns.query; content:"onlineeylity.com"; nocase; reference:url,unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/; classtype:trojan-activity; sid:2051002; rev:1;)

SID 2051003 — APT CN SNAPPYBEE NetSupport Manager UA

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"APT CN SNAPPYBEE NetSupport Manager User-Agent"; flow:established,to_server; http.user_agent; content:"NetSupport Manager/1.3"; fast_pattern; reference:url,darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion; classtype:trojan-activity; sid:2051003; rev:1;)

SID 2051004 — APT CN C2 Communication to Known IP

alert ip $HOME_NET any -> [141.255.164.98,218.255.96.245,74.91.125.57] any (msg:"APT CN C2 Communication to Known Malicious IP"; reference:url,unit42.paloaltonetworks.com/espionage-campaigns-target-se-asian-government-org/; classtype:trojan-activity; sid:2051004; rev:1;)

Data Source Requirements

Sources

• Unit 42 - Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government
• SC World - China-linked groups conduct sophisticated cyber espionage against Southeast Asian government
• Security Affairs - China-Linked groups target Southeast Asian government with advanced malware
• Unit 42 - Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia
• The Record - China-linked Billbug hackers breached multiple entities in Southeast Asian country
• Check Point - Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments in Asia and Europe
• Trend Micro - The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
• CSO Online - Chinese state actors behind espionage attacks on Southeast Asian government
• CISA Joint Advisory on Chinese State-Sponsored APT Activity
• Unit 42 - Southeast Asian Government Targeting (mirror)
• SecurityWeek - China-Linked Hackers Target Asian Military Organizations
• Trend Micro - Earth Estries (Salt Typhoon) Analysis
• Silent Push - Salt Typhoon Domain Infrastructure
• KillSwitch - Mustang Panda ToneShell Campaign Analysis
• Darktrace - Salt Typhoon Intrusion Analysis
• MITRE ATT&CK - China Chopper Web Shell