Recent report: 3 China-Nexus attack clusters target Southeast Asian governments

A recent report indicates that an undisclosed Southeast Asian government has experienced multiple attacks from China-nexus threat actors over a long duration, which points to espionage.

Palo Alto researchers uncovered the threat actors and documented a cluster analysis framework that categorizes the attacks.


Comprehensive documentation by Unit 42 at Palo Alto Networks indicates that:

“This appeared at first glance to be the activity of a single threat actor. Careful analysis, however, revealed the attacks to have been carried out by separate threat actors whose activities group into three distinct clusters. While the activity occurred around the same time and in some instances even simultaneously on the same victim machines, each cluster is characterized by distinct tools, modus operandi and infrastructure.”

Further findings show that these threat actors' techniques, tools, and persistent surveillance over a long period indicate that the attack is an Advanced Persistent Threat (APT).


Analyzing the Clusters:

This analysis describes the findings Palo Alto researchers uncovered, and a cluster analysis framework that categorizes the behaviour, tools, infrastructure, and tradecraft of the threat actors.


Analysis of Clusters CL-STA-0044, CL-STA-0045, and CL-STA-0046


  • First Cluster CL-STA-0044:

The first cluster's findings are linked, with a high degree of confidence, to Stately Taurus (aka Mustang Panda), a notorious threat group verified to have ties to the Chinese government. Additional insights revealed that these threat actors carried out a cyber espionage campaign, primarily centered around intelligence gathering and the exfiltration of sensitive documents and information, all while maintaining a persistent presence. Further investigation shows that the attackers used two sophisticated, modular backdoors (ToneShell and ShadowPad) as their primary means of establishing a foothold, along with a range of hacking tools that includes LadonGo, Impacket, China Chopper web shells, and scanning and credential-dumping tools.

Deeper context and the full analysis can be read here.


  • Second Cluster CL-STA-0045:

The observations from the second cluster point to a moderate level of confidence. Further investigation reveals the involvement of a group known as Alloy Taurus, also referred to as Gallium, and it has been confirmed that this threat group is affiliated with the Chinese government. Activities within this cluster suggest that the threat actors maintained a long-term presence, engaged in reconnaissance missions, and acquired and retained information and access through a variety of methods, including backdoors, web shells, and extensive credential-gathering operations.

In an attempt to evade detection and conceal their tracks, the threat actors used uncommon techniques such as bypassing security products. Findings also show that major tools such as Zapoa and ReShell were identified.


Unit 42 at Palo Alto Networks stated that:

“Moreover, the attackers also used known malware and hacking tools such as the following, GhostCringe Remote Access Trojan (RAT), Quasar RAT, Cobalt Strike, Kerbrute brute forcing tool, China Chopper web shell.”

The detailed report can be found here.


  • Third Cluster CL-STA-0046:

The third cluster's research associates the activity, with a moderate level of confidence, with an unidentified threat group known as Gelsemium.

Examining the activities within this cluster, Palo Alto Networks has identified that the attackers' main objectives primarily revolved around reconnaissance and maintaining access. Their main targets appear to be predominantly IIS servers. Additionally, the malware employed by these threat actors includes OwlProxy and SessionManager. Previous investigations into cyber incidents and research findings have indicated that only one group, Gelsemium, has been found to use these distinct tools.

Furthermore, the threat actors are said to be using common tools such as Cobalt Strike, Meterpreter, EarthWorm, and SpoolFool.

Palo Alto Networks describes more about this cluster here.


Cluster Research Timeline:

  • The timeline of the first cluster, CL-STA-0044, ran from the first quarter (Q1) of 2021 to the third quarter (Q3) of 2023.
  • The timeline of the second cluster, CL-STA-0045, ran from the first quarter (Q1) of 2022 to the third quarter (Q3) of 2023.
  • The timeline of the last cluster, CL-STA-0046, ran from the third quarter (Q3) of 2022 to the fourth quarter (Q4) of 2022.


The research team further describes that:


“The investigation we conducted revealed that what initially appeared as a single attack orchestrated by a solitary threat actor was not so simple. It unfolded into a complex operation of multiple infiltrations carried out across three distinct clusters of activity.”


Palo Alto Networks has further noted that their customers using Cortex XDR and XSIAM can benefit from protection against these attacks through WildFire. This added layer of safeguarding encompasses Behavioural Threat Protection, Local Analysis, Analytics, and a range of security modules designed to enhance the detection and prevention of diverse threats, including specifically targeted APT attacks.

In the event that users detect any Indicators of Compromise (IoCs), emergency contact information has been provided. Additionally, the article includes a reference to a resource detailing the Cyber Threat Alliance for further insights.



