Operation Crimson Palace
Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity designated Alpha Bravo and Charlie were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics techniques and procedures used by each cluster including credential access lateral movement persistence mechanisms command and control infrastructure defense evasion tactics and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.