Operation Crimson Palace Targets The Southeast Asian Government Sector
"Researchers have uncovered a complex long-running Chinese state-sponsored cyberespionage operation named ""Crimson Palace"" targeting a high-profile government organization in Southeast Asia. This operation utilized tools and infrastructure linked to several known Chinese threat actors including BackdoorDiplomacy REF5961 Worok TA428 Unfading Sea Haze and APT41 subgroup Earth Longzhi. The campaign aimed to maintain access to the target network for cyberespionage supporting Chinese state interests by accessing critical IT systems performing user reconnaissance collecting sensitive military and technical information and deploying various malware implants for command-and-control communications. The operation employed multiple malware families such as CCoreDoor PocoProxy EagerBee Nupakage Merlin C2 Agent Cobalt Strike Phant mNet RudeBird and PowHeartBeat. Over 15 distinct DLL sideloading scenarios were used often exploiting Windows Services legitimate Microsoft binaries and antivirus (AV) vendor software. The threat actors used numerous evasion techniques including overwriting ntdll.dll in memory to bypass the Sophos AV agent abusing AV software for sideloading and experimenting with various methods to execute their payloads efficiently and evasively."