27 March 2024

Chinese APT groups target Southeast Asian nations in cyberespionage campaigns

Two distinct Chinese advanced persistent threat (APT) groups have been targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN), according to findings from Unit 42 researchers at Palo Alto Networks.

The first APT group, known as Stately Taurus, has been linked to cyberattacks on entities in Myanmar, the Philippines, Japan, and Singapore. These campaigns coincided with the ASEAN-Australia Special Summit held from March 4 to 6, 2024. Stately Taurus, also tracked as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, has been active since at least 2012. The group typically targets government entities, nonprofits, religious organizations, and other nongovernmental bodies across North America, Europe, and Asia.

The attacks were delivered by phishing email, in two distinct packages. The first was a ZIP archive containing an executable named "Talking_Points_for_China.exe". That executable is in fact a renamed copy of the legitimate KeyScrambler.exe; when run, it loads a malicious "KeyScramblerIE.dll" placed alongside it (DLL side-loading), and that DLL downloads Pubload, a downloader commonly associated with Mustang Panda. Because the launcher is a genuine program and only the DLL beside it is malicious, the chain evades simple checks that look at the executable alone.

The second package was a screensaver executable named "Note PSO.scr" that retrieves further code from a remote IP address: a benign program renamed "WindowsUpdate.exe" and a rogue DLL, the same side-loading pairing used in the first package, which together carry the compromise forward on the victim's system.

Unit 42 also observed network traffic between an ASEAN-affiliated entity and the command-and-control (C2) infrastructure of a second Chinese APT group, which suggests that group had already compromised the victim's environment. That same group has been active against government entities across Southeast Asia, including in Cambodia, Laos, and Singapore.

“These types of campaigns continue to demonstrate how organizations are targeted for cyber espionage purposes,” stated researchers from Palo Alto Networks Unit 42. “Nation-state affiliated threat groups collect intelligence of geopolitical interests within the region, posing significant cybersecurity challenges for ASEAN member countries.”

Earlier this week, US authorities charged seven alleged members of the Chinese hacker group APT31 over cyberespionage campaigns targeting a wide range of individuals and organizations, including political dissidents, government officials, political candidates, campaign personnel, and American companies. The indictment describes the use of zero-day exploits, among other techniques, to gain and maintain access to victim networks.
