Cisco Talos discovered a malicious campaign that compromised a Taiwanese government-affiliated research institute that started as early as July 2023, delivering the ShadowPad malware, Cobalt Strike and other customized tools for post-compromise activities.The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation.The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload.We also discovered that APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation.

Taiwanese Government Affiliated Research Institute compromised by Chinese Actor

In August 2023, Cisco Talos detected abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts in the environment of a Taiwanese government-affiliated research institute. The victim in this attack was a research institute in Taiwan, affiliated with the government, that specializes in computing and associated technologies. The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them.

Chinese Threat Actors likely Behind the Attacks

Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is ba ..

Support the originator by clicking the read the rest link below.