A recent discovery by the Sophos MDR team uncovered a Chinese state-sponsored cyber-espionage operation known as Crimson Palace, targeting a government entity in Southeast Asia [2] [3] [4].


This operation [1] [2] [3] [4] [5] [6], which dates back to early 2022, involved three distinct clusters of intrusion activity, named Cluster Alpha, Cluster Bravo [2] [4] [5], and Cluster Charlie [1] [2] [3] [4] [5]. The attackers used DLL sideloading to abuse a legitimate VMware component [2] [3], VMNat.exe [2] [3] [4] [6], and deployed malware implants such as CCoreDoor, PocoProxy [1] [2] [3] [4] [5] [6], an updated version of EAGERBEE [1] [2] [3] [4], NUPAKAGE [1] [3], and EtherealGh0st to maintain prolonged access for espionage purposes. The operation demonstrated a high level of coordination, suggesting a single orchestrating entity behind the campaign. Evidence indicates that the attackers had access to unmanaged assets dating back to early 2022. The infrastructure and techniques used align with those of other Chinese state-sponsored threat actors [2], indicating a broader ecosystem of cyber-espionage [2]. While attribution remains challenging, the investigation suggests the involvement of separate actors with parallel objectives working in the interest of Chinese state entities. Indicators and insights from the Crimson Palace campaign have been shared to support further research and defense efforts [2].


The Crimson Palace cyber-espionage operation highlights the sophisticated tactics employed by state-sponsored threat actors and underscores the need for enhanced cybersecurity measures. Organizations must remain vigilant and proactive in defending against such threats, leveraging the shared indicators and insights to bolster their defenses. This discovery also points to the evolving landscape of cyber-espionage, with implications for future research and defense strategies.


[1] https://patabook.com/technology/2024/06/05/chinese-state-backed-cyber-espionage-targets-southeast-asian-government/
[2] https://www.infosecurity-magazine.com/news/chinese-operation-crimson-palace/
[3] https://www.technadu.com/chinese-state-sponsored-threat-activity-targets-southeast-asian-government/530631/
[4] https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia/
[5] https://www.darkreading.com/threat-intelligence/chinese-threat-clusters-triple-team-high-profile-asian-government-org
[6] https://www.csoonline.com/article/2138897/long-running-chinese-cyberespionage-operation-targeted-southeast-asian-government.html