31 July 2024

China-linked Cuckoo Spear threat actor targets Japanese orgs

A Chinese nation-state threat actor has been observed leveraging the LODEINFO and NOOPDOOR malware families to steal sensitive information from Japanese organizations, Israeli cybersecurity firm Cybereason said in a recent report.

The threat actor, which the company tracks as ‘Cuckoo Spear,’ has been linked to APT10, a known Chinese state-backed hacking group. Active since 2006, APT10 is known for targeting critical infrastructure sectors such as communications, manufacturing, and various public sectors. The group's primary objective is to support Chinese national security goals through intelligence gathering.

The analysis indicates Cuckoo Spear remained undetected within victim networks for an extended period, often between two and three years.

Recent investigations have identified a new malware family, NOOPDOOR, used alongside LODEINFO, a fileless malware that has been observed since December 2019 in campaigns that start with spear-phishing emails. In July 2024, Japan’s computer emergency response team JPCERT/CC released a security alert detailing a series of attacks by the MirrorFace threat actor against Japanese organizations using the LODEINFO and NOOPDOOR malware.

NOOPDOOR is a 64-bit modular backdoor that employs DGA-based command-and-control (C2) communication, and it is loaded by NOOPLDR, responsible for decrypting and executing NOOPDOOR.

Cuckoo Spear relies primarily on spear-phishing emails delivering LODEINFO as its initial access technique. However, it increasingly exploits vulnerabilities to achieve its goals.

Cybereason observed three different persistence mechanisms for NOOPDOOR:

  • Scheduled Tasks: by abusing Scheduled Tasks, the threat actor executes MSBuild, which loads malicious XML files and compiles the NOOPDOOR loader at runtime.

  • WMI Consumer Events: leveraging a WMI event consumer, the threat actor executes the main action via ActiveScript in the JScript engine, similar to the scheduled task method using MSBuild for the NOOPDOOR loader.

  • Windows Services (Service DLL): the threat actor creates malicious services that load unsigned DLL files to maintain persistence within the environment.
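To turn the three persistence mechanisms above into something a defender can check on a host, the following PowerShell hunt script is added here; it is not code from the Cybereason report or from any of the tools it describes. It assumes an elevated Windows PowerShell 5.1 session on a host with the ScheduledTasks module, and the function name, finding labels and output fields are my own. It lists scheduled-task actions that launch MSBuild, permanent WMI ActiveScriptEventConsumer subscriptions together with the trigger query of each binding, and service DLLs registered under a service's Parameters key that lack a valid Authenticode signature.

```powershell
# Added example (not from the Cybereason report): enumerate the three NOOPDOOR
# persistence patterns on a Windows host. Run in an elevated Windows PowerShell 5.1
# session. Function, label and field names are the author's own assumptions.
function Find-NoopdoorPersistence {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
    }

    # 1. Scheduled tasks whose action runs MSBuild. MSBuild compiles and executes code
    #    embedded in a project/XML file, which is how a loader can be built at runtime.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'msbuild(\.exe)?\b') {   # -match is case-insensitive
                Add-Finding 'ScheduledTask-MSBuild' "$($task.TaskPath)$($task.TaskName)" $cmd
            }
        }
    }

    # 2. Permanent WMI event subscriptions. An ActiveScriptEventConsumer runs JScript or
    #    VBScript inside WMI whenever its bound __EventFilter fires; legitimate ones are rare.
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        $scriptLen = if ($c.ScriptText) { $c.ScriptText.Length } else { 0 }
        Add-Finding 'WMI-ActiveScriptConsumer' $c.Name `
            "Engine=$($c.ScriptingEngine); ScriptFile=$($c.ScriptFileName); InlineScriptChars=$scriptLen"
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        # Get-CimInstance dereferences the Filter and Consumer references into CimInstance objects,
        # so the trigger query can be shown next to the consumer it fires.
        Add-Finding 'WMI-Binding' $b.Consumer.Name "Trigger query: $($b.Filter.Query)"
    }

    # 3. Service DLLs. Services hosted by svchost load the DLL named in
    #    HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll. Flag any such
    #    DLL that is missing or carries no valid Authenticode signature (Microsoft DLLs are
    #    normally catalog-signed, which Get-AuthenticodeSignature reports as Valid).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) {
            Add-Finding 'Service-MissingDLL' $svc.Name $dll
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $dll
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'Service-UnsignedDLL' $svc.Name "$dll (signature: $($sig.Status))"
        }
    }

    return $findings
}

# Usage: print every finding as a table for triage.
Find-NoopdoorPersistence | Format-Table -AutoSize
```

Every row is a lead, not a verdict: a developer's build task may legitimately call MSBuild, and a third-party vendor's service DLL may be unsigned by design, so the output is best compared against a known-good baseline from a clean host of the same build. Any ActiveScriptEventConsumer, however, deserves a close look, since Windows itself ships none by default.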

LODEINFO includes various commands that enable the execution of arbitrary shellcode, logging of keystrokes, taking of screenshots, termination of processes, and exfiltration of files to a server controlled by the attacker. Similarly, NOOPDOOR, which shares code similarities with another APT10 backdoor called ANEL Loader, has capabilities to upload and download files, execute shellcode, and run additional malware.
