3 October 2024

New China-aligned threat actor CeranaKeeper steals data from Southeast Asian entities


A previously unknown threat actor named CeranaKeeper has been observed carrying out a series of data exfiltration attacks targeting governmental institutions in Southeast Asia.

Slovak cybersecurity firm ESET reports that CeranaKeeper, which has been active since 2022, is linked to campaigns in Thailand, Myanmar, the Philippines, Japan, and Taiwan, aligning its activities with Chinese state-sponsored groups.

The first identified campaigns, which took place in 2023, were aimed at governmental institutions in Thailand. The group's operations bear similarities to the notorious China-aligned threat actor Mustang Panda, known for cyber espionage activities, but ESET researchers believe that they are two separate clusters based on organizational and technical differences between the two.

CeranaKeeper is notable for its evolving backdoor techniques, which allow it to evade detection and facilitate extensive data theft. One of the group's tactics involves the abuse of legitimate cloud and file-sharing services, including Dropbox and OneDrive, to build custom backdoors and data extraction tools.

Additionally, CeranaKeeper leverages GitHub’s pull request and issue comment features to stealthily create reverse shells, using the platform as a command-and-control (C2) server.

Beyond Thailand, the group has also targeted Myanmar, Japan, the Philippines, and Taiwan—countries that have previously been in the crosshairs of Chinese state-sponsored threat actors.

Once a foothold is established, CeranaKeeper spreads throughout the network, even turning some compromised systems into update servers for its backdoor.

CeranaKeeper’s toolkit comprises a series of custom malware components, including TONEINS, TONESHELL, and PUBLOAD, which the group uses to carry out its attacks. These tools were previously attributed to Mustang Panda, but, as mentioned above, CeranaKeeper appears to operate as a separate group.

The threat actor has also been observed disabling security measures on infected machines by leveraging legitimate software, such as Avast drivers, to mask its operations. Once embedded within a network, CeranaKeeper deploys backdoors across multiple machines and continuously updates its tools, making it difficult for defenders to detect or mitigate the attacks.
