Several China-associated threat groups have targeted an unnamed Southeast Asian government in a series of extended espionage campaigns. These operations, running from the second quarter of 2021 to the third quarter of 2023, focused on intelligence gathering and the theft of sensitive information while maintaining persistent access for long-term control. Three distinct clusters, namely Stately Taurus, Alloy Taurus, and Gelsemium, have been identified, each employing its own tools and tactics.
Stately Taurus (Mustang Panda): This group's cyberespionage operation involved intelligence gathering and stealing sensitive documents. It operated from the second quarter of 2021 to the third quarter of 2023. The attack leveraged LadonGo, AdFind, Mimikatz, Impacket, China Chopper web shells, Cobalt Strike, ShadowPad, and a new version of the TONESHELL backdoor.
Alloy Taurus (Granite Typhoon): This intrusion set, active from early 2022 through 2023, employed uncommon techniques to bypass security measures. It utilized security flaws in Microsoft Exchange Servers to deploy web shells, then delivered additional payloads, including two previously unknown .NET backdoors, Zapoa and ReShell.
Gelsemium: Active over six months in 2022-2023, this cluster targeted vulnerable IIS servers belonging to a government entity in Southeast Asia. The attackers installed web shells, distributed backdoors like OwlProxy and SessionManager, and used various tools for post-exploitation activities.
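Both the Alloy Taurus and Gelsemium clusters described above began with web shells dropped on Exchange or IIS servers. The following is an added example, not code from the original report or from any of the named groups, showing one detection heuristic a defender can run over IIS W3C logs: repeated POST requests to an .aspx page that lives in a directory which should not serve newly created server-side pages (for example aspnet_client or the OWA/ECP auth folders) and that is not on an allowlist of known pages. The log lines, the allowlist, the suspect directories, the IP addresses and the user agents are all constructed for this example and must be tuned to the environment being monitored.

```python
"""Flag possible web-shell access patterns in IIS W3C extended logs.

Heuristic, not a signature: a POST to an .aspx file in a directory that
normally serves static content (or no .aspx at all), repeated by the same
client, is the access pattern a web shell planted on an Exchange/IIS host
tends to leave behind. Everything below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Directories under an Exchange/IIS install that should not serve a newly
# created server-side page. Assumption for the example; tune per environment.
SUSPECT_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")

# Pages legitimately served from those directories (constructed allowlist).
KNOWN_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/auth/logon.aspx"}

# Constructed sample log. IIS writes one space-separated record per line and
# replaces spaces inside field values (such as the user agent) with '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-02 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-02 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2023-05-02 10:03:15 10.0.0.5 POST /aspnet_client/system_web/updates.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-02 10:03:20 10.0.0.5 POST /aspnet_client/system_web/updates.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-02 10:04:02 10.0.0.5 POST /aspnet_client/system_web/updates.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2023-05-02 10:05:44 10.0.0.5 GET /owa/auth/15.1.2375/themes/resources/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200
2023-05-02 10:06:10 10.0.0.5 POST /ecp/auth/TimeoutLogout.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


@dataclass(frozen=True)
class Finding:
    client_ip: str
    path: str
    post_count: int
    user_agents: tuple


def find_webshell_candidates(records, known_pages=KNOWN_PAGES, min_posts=2):
    """Return (client, page) pairs that POSTed to an unexpected .aspx page at least min_posts times."""
    allow = {p.lower() for p in known_pages}
    hits = defaultdict(list)
    for r in records:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not path.endswith(".aspx"):
            continue
        if not path.startswith(SUSPECT_DIRS) or path in allow:
            continue
        hits[(r["c-ip"], path)].append(r["cs(User-Agent)"])
    findings = [
        Finding(ip, path, len(agents), tuple(sorted(set(agents))))
        for (ip, path), agents in hits.items()
        if len(agents) >= min_posts
    ]
    return sorted(findings, key=lambda f: -f.post_count)


if __name__ == "__main__":
    for f in find_webshell_candidates(parse_iis_log(SAMPLE_LOG)):
        print(f"{f.client_ip} POSTed {f.post_count}x to {f.path} ({', '.join(f.user_agents)})")
```

The threshold matters: with the default of two POSTs only the repeated requests to the unexpected page under aspnet_client are reported, while the single POST to the ECP page is left alone; lowering min_posts to one surfaces it too, so the allowlist has to be built from the real server before this is run in anger. A hit from this script is a lead to confirm on disk (file creation time, owner, content of the .aspx) and in the Exchange patch state, not a verdict on its own.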
The threat actors focused on stealing sensitive documents and maintaining long-term access to the compromised environments. They employed an array of tools and techniques, demonstrating adaptability and persistence in the face of mitigation efforts.


