Chinese threat actors [1] [3] [4] [5] [6] [7], tracked as Bronze Starlight [1] [2] [4] [6] [7], have been targeting the Southeast Asian gambling sector [5]. The activity overlaps with the wider Bronze Starlight espionage operation and with other Chinese APT groups that share tooling and infrastructure, forming a single threat ecosystem rather than a set of isolated clusters [4]. The assessed motive is data collection and monitoring [4], reflecting Chinese state interest in the region's gambling industry [4].


These attacks do not rely on software vulnerabilities in the usual sense. Bronze Starlight abuses legitimate, signed executables from Microsoft Edge, McAfee VirusScan [1] [2] [3] [4] [5] [6] and Adobe Creative Cloud as DLL side-loading hosts [4] to deliver Cobalt Strike beacons [1] [2] [3] [4] [5] [6] [7]. The host binary looks for a DLL by name in its own directory before the system directories (DLL search order hijacking), so a malicious DLL placed beside it is loaded into a process whose image is legitimately signed, which defeats controls that trust the signed parent. The operators also signed components with a code-signing certificate stolen from the Singaporean VPN vendor PMG PTE, the company behind Ivacy VPN. One operation within the campaign, ChattyGoblin [4], used trojanized chat applications as the initial lure [4].

DigiCert has since revoked the certificate issued to PMG PTE [3]. The infection bundle is a ZIP file containing a legitimate executable vulnerable to DLL search order hijacking [5], a malicious DLL carrying the name that executable expects [2] [3] [5] [6], and an encrypted data file holding the payload [2] [5] [6]. The side-loaded DLLs are variants of HUI Loader [2] [5] [6], a custom loader used by China-based groups including APT10 [5], Bronze Starlight [1] [2] [4] [5] [6] [7], and TA410 [5] [6] [7]; the loader decrypts the accompanying data file to obtain the Cobalt Strike beacon.
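As an added triage example, not part of the cited reports and not tooling of any of the groups named, the following Python flags the executable, DLL and encrypted-data-file bundle described above inside an in-memory ZIP. The entropy threshold, the file names in the constructed sample bundle, and the string search used as a stand-in for parsing the PE import directory are assumptions of this example.

```python
"""Added triage heuristic for the side-loading bundle described above.

Given the contents of a ZIP (or any filename -> bytes mapping), flag the
triad this campaign ships: a PE executable that is not a DLL, a PE file
with the IMAGE_FILE_DLL characteristic set, and a non-PE file whose byte
entropy is close to 8 bits per byte (what an encrypted or compressed
payload looks like). Standard library only; nothing is executed.
"""
import io
import math
import struct
import zipfile
from collections import Counter
from typing import Dict, List, Optional, Tuple

IMAGE_FILE_DLL = 0x2000     # COFF Characteristics flag from the PE/COFF specification
ENTROPY_THRESHOLD = 7.5     # assumption: bits/byte at or above which a blob counts as encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_characteristics(data: bytes) -> Optional[int]:
    """COFF Characteristics of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the signature; Characteristics is its last WORD.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def classify(data: bytes) -> str:
    """'exe', 'dll', 'encrypted_blob' or 'other'."""
    chars = pe_characteristics(data)
    if chars is not None:
        return "dll" if chars & IMAGE_FILE_DLL else "exe"
    return "encrypted_blob" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "other"


def find_sideload_triads(files: Dict[str, bytes]) -> List[Tuple[str, str, str, bool]]:
    """Every (exe, dll, blob, dll_name_found_in_exe) combination in the bundle.

    The last field is a cheap stand-in for parsing the import directory: DLL
    names are stored there as ASCII, so a host that loads the DLL by name
    contains that name somewhere in its bytes.
    """
    exes, dlls, blobs = [], [], []
    for name, data in files.items():
        bucket = {"exe": exes, "dll": dlls, "encrypted_blob": blobs}.get(classify(data))
        if bucket is not None:
            bucket.append(name)
    triads = []
    for exe in exes:
        exe_bytes = files[exe].lower()
        for dll in dlls:
            referenced = dll.rsplit("/", 1)[-1].lower().encode() in exe_bytes
            for blob in blobs:
                triads.append((exe, dll, blob, referenced))
    return triads


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, str, str, bool]]:
    """Run the heuristic over an in-memory ZIP without writing anything to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    return find_sideload_triads(files)


# --- constructed fixtures (not real samples) ---------------------------------

def build_minimal_pe(is_dll: bool, trailing: bytes = b"") -> bytes:
    """Smallest layout pe_characteristics() accepts: MZ stub, e_lfanew, 'PE\\0\\0',
    COFF header. Not a loadable image; used only to exercise the checks."""
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    characteristics = 0x2102 if is_dll else 0x0102  # EXECUTABLE_IMAGE|32BIT_MACHINE (+ DLL bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos_stub + b"PE\0\0" + coff + trailing


def build_sample_bundle() -> bytes:
    """In-memory ZIP imitating the described layout; all file names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/viewer.exe", build_minimal_pe(False, b"\0support.dll\0"))
        zf.writestr("app/support.dll", build_minimal_pe(True))
        zf.writestr("app/config.dat", bytes(range(256)) * 16)  # entropy exactly 8.0
        zf.writestr("app/readme.txt", b"Installer package, see documentation.\n" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll, blob, referenced in triage_zip(build_sample_bundle()):
        print(f"side-load candidate: {exe} -> {dll} (named in exe: {referenced}), payload {blob}")
```

Treat a hit as a lead, not a verdict: legitimate installers also ship signed executables next to compressed resources, so the next steps are to parse the host's import directory properly, verify the Authenticode signature and revocation status of every PE in the bundle, and compare the DLL against the vendor's genuine copy.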

Attributing the activity to one group is difficult because Chinese state-aligned actors share infrastructure, malware and operators extensively [2] [5] [7]. Consistent with earlier Bronze Starlight activity, some intrusions deploy short-lived ransomware as a smokescreen for espionage [6]. Another delivery path uses modified installers for chat applications that drop a .NET loader, which in turn retrieves a second-stage ZIP archive [2] [6]. These overlaps are a structural feature of the Chinese threat landscape rather than an anomaly [6].

Researchers attribute the campaign to Bronze Starlight [6] [7] and note that it shares infrastructure and tooling with the intrusion set tracked as Operation ChattyGoblin [7]. The stolen code signing certificate belonged to the Singapore-based provider of Ivacy VPN [7], the same PMG PTE certificate named above. The loaders overlap with tooling used by APT10 [7], Bronze Starlight [1] [2] [4] [5] [6] [7], and TA410 [5] [6] [7]; these groups have a history of sharing malware [7], infrastructure [1] [2] [3] [5] [7], and operational tradecraft [7], which is why cluster boundaries in this landscape stay blurred [2] [6] [7].


These attacks carry significant implications for the Southeast Asian gambling sector. A data collection and monitoring motive means customer, financial and staff records are the likely objective, not ransom. Revocation of the compromised certificate is only a partial mitigation: binaries signed before revocation can still pass validation on hosts that do not enforce revocation checking, so detection should key on the side-loading pattern rather than on signature status alone. The interconnected nature of Chinese threat actors also makes attribution, and therefore targeted prevention, harder.

The extent of malware and infrastructure sharing among these APT groups argues for defensive measures that do not depend on knowing which group is behind a given intrusion. Practical controls include alerting on signed executables launched from user-writable locations (download folders, temporary directories, freshly extracted archives) alongside unsigned DLLs, ongoing monitoring, threat intelligence sharing, and collaboration among affected organizations and security researchers. Because the same tooling circulates across several groups, similar attacks should be expected, which makes proactive defense more valuable than post-hoc attribution.