A new hacking campaign [1], known as “Carderbee,” has been discovered [2] [3], targeting organizations primarily located in Hong Kong and other parts of Asia [2] [3]. This campaign involves a supply chain attack, where the attackers compromised a software update file for Cobra DocGuard [1], a file protection software [1].


The attackers behind the Carderbee campaign have deployed the Korplug backdoor, also known as PlugX [1], which is a widely used malware. They have demonstrated skill and patience by carefully selecting a limited number of computers to deploy their payload and avoid detection. It is believed that the attackers may be selectively targeting specific victims. This campaign began in April 2023 and has affected approximately 100 computers across multiple organizations [1].

To make detection more challenging, the attackers have been using a legitimate Microsoft certificate to sign the malware. This tactic has made it difficult for security software to identify the malicious code. The tactics and techniques employed in this campaign suggest a possible connection to Chinese actors.


The Carderbee campaign highlights the ongoing threat posed by software supply chain attacks. Organizations in all sectors should be concerned about these attacks and take appropriate measures to mitigate the risks. The use of a legitimate certificate to sign the malware underscores the need for enhanced security measures to detect and prevent such attacks. The Symantec Threat Hunter Team [3], part of Broadcom [3], is actively monitoring and tracking this activity to provide ongoing protection and support to affected organizations.


[1] https://cyberscoop.com/hacking-group-hong-kong-supply-chain-cyberattack/
[2] https://thehackernews.com/2023/08/carderbee-attacks-hong-kong.html
[3] https://gixtools.net/2023/08/carderbee-attacks-hong-kong-organizations-targeted-via-malicious-software-updates/