Slovak cybersecurity firm ESET has recently discovered a new threat actor known as Blackwood [1] [2] [3] [4] [5] [6] [7] [8], believed to have connections to China. This threat actor has been using a previously unknown implant called NSPX30 to carry out sophisticated cyber-espionage activities since at least 2018.


Blackwood has been employing adversary-in-the-middle (AitM) attacks to deliver NSPX30, a multistage implant. The implant consists of several components [1] [7], including a dropper [2] [4], an installer [2] [4], loaders [2] [4] [7], an orchestrator [2] [4] [7], and a backdoor [1] [2] [4] [6] [7]. It takes advantage of update requests made by legitimate software such as Tencent QQ and WPS Office [8]. NSPX30 can intercept packets and whitelist itself in Chinese anti-malware solutions. It can also spy on applications such as Skype, Telegram [4], Tencent QQ [2] [4] [7] [8], and WeChat [4]. The implant's command-and-control (C2) servers are concealed using AitM techniques, and the attackers anonymize their infrastructure by using legitimate networks owned by Baidu [4].

The NSPX30 implant can be traced back to an earlier backdoor called Project Wood, which was first compiled in 2005 [3]. Given the techniques employed, the researchers believe that the developers behind Project Wood possess expertise in malware development [3]. ESET telemetry data indicates that NSPX30 conceals the location of its C2 infrastructure through packet interception [1]. The implant has been detected on systems belonging to a range of targets, including individuals and companies in China [3] [4], Japan [1] [2] [3] [4] [6] [7] [8], and the UK [1] [2] [4] [6] [8]. Blackwood [1] [2] [3] [4] [5] [6] [7] [8], the APT group responsible for NSPX30, also attempts to re-compromise systems if access is lost [6]. ESET Research has also observed attackers attempting to use malware toolkits associated with multiple APT groups [5], which suggests that the targeted machines have become attractive targets [5]. The compromise occurs when legitimate software attempts to download updates from legitimate servers over plain HTTP [5]. The exact method the attackers use to deliver NSPX30 as malicious updates is still unknown [5]. ESET researcher Facundo Muñoz [5], who discovered NSPX30 and Blackwood [5], states that the initial tool enabling the compromise has yet to be identified [5].
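As an added illustration (not ESET's code or anything recovered from the Blackwood research), the simulation below shows why the update channel described above is hijackable: a client that fetches an update over plain HTTP installs whatever body arrives, so an on-path attacker can substitute it, whereas a client that checks the download against a pinned integrity value refuses the substitution. The server, payloads, URL and attacker hook are all constructed for the example; a real updater would verify a vendor code signature rather than a fixed hash.

```python
"""Added example: unauthenticated HTTP update fetch versus a fetch with a
pinned integrity check, under a simulated adversary-in-the-middle (AitM).
Everything here (server, payloads, attacker) runs in-process; nothing is
real traffic or real malware."""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample: the genuine update the vendor's server would return.
GENUINE_UPDATE = b"ExampleUpdater v1.2.3 (constructed sample payload)"
# Constructed sample: the body an on-path attacker swaps in for the same URL.
MALICIOUS_UPDATE = b"ExampleUpdater v1.2.3 (constructed sample: tampered body)"

# Pinned expectation the client obtained over a trusted channel beforehand
# (e.g. shipped with the installer). In practice this is a code-signing key;
# a SHA-256 pin keeps the example dependency-free.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

UPDATE_URL = "http://update.example.invalid/update.bin"  # constructed URL
Attacker = Callable[[str, bytes], bytes]


def http_get(url: str, on_path_attacker: Optional[Attacker] = None) -> bytes:
    """Simulated plaintext HTTP fetch. Nothing authenticates the server or
    the body, so anyone on the path can rewrite the response."""
    response = GENUINE_UPDATE  # what the legitimate server actually sends
    if on_path_attacker is not None:
        response = on_path_attacker(url, response)
    return response


def aitm(url: str, response: bytes) -> bytes:
    """Adversary-in-the-middle hook: pass traffic through, but replace the
    body of update downloads with the attacker's payload."""
    return MALICIOUS_UPDATE if url.endswith("/update.bin") else response


def vulnerable_updater(attacker: Optional[Attacker] = None) -> bytes:
    """Installs whatever the HTTP response contains: the failure mode the
    page describes, where a hijacked update request delivers the implant."""
    return http_get(UPDATE_URL, attacker)


def hardened_updater(attacker: Optional[Attacker] = None) -> Optional[bytes]:
    """Same fetch, but the body must match the pinned hash before install.
    Returns the payload when it verifies, None when tampering is detected."""
    body = http_get(UPDATE_URL, attacker)
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, PINNED_SHA256):
        return None  # refuse the update; a real client would alert here
    return body
```

Without the attacker both clients receive the genuine payload; with `aitm` on the path the vulnerable client installs the substituted body while the hardened client returns `None`.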


The discovery of Blackwood and its use of the NSPX30 implant highlights the ongoing threat of cyber-espionage. The techniques employed by this threat actor, including AitM attacks and the concealment of C2 infrastructure, pose significant challenges for detection and mitigation. Organizations and individuals should remain vigilant and implement robust cybersecurity measures to protect against such threats. Further research and investigation are needed to uncover the initial tool enabling the compromise and to develop effective countermeasures against Blackwood and similar threat actors.