China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs

Published: 23/11/2024   Category: security



The Winnti APT was spotted dropping several variants of Spyder Loader and other malware as part of the so-called Operation Cuckoobees.



The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence on government organizations in Hong Kong.
Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data, in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.
"While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection," researchers wrote.
Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.
At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.
The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it's over, researchers said. "The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," they wrote.
During the activity they observed, Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.
Researchers at SonicWall were the first to discuss the malware publicly, in March 2021, according to Symantec, which is part of Broadcom Software. At the time, researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.
The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them displayed largely the same functionality to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.
Winnti is believed to have been working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies.
In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.
Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL: a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3_prepare_v4, which expects a string as its third argument, they said.
"Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line," researchers explained. "When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records."
The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that "runs the content of a previously stored blob_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment_size of 0x80 bits — from the created FileMapping," researchers explained. The encryption key is based on the name of the affected computer as returned by the GetComputerNameW() API, they said.
Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. "In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it," for example, they said.
There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that's consistent with the rundll32.exe command-line example seen in Cybereason's research; and use of the CryptoPP C++ library.
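The loader behaviour described above (rundll32.exe invoking a malicious export on a doctored sqlite3.dll, the file-name argument pointing at the record file, and wlbsctrl.dll being dropped and then deleted after use) gives defenders concrete things to hunt for in endpoint telemetry. The script below is an added example, not code from Symantec, SonicWall or Cybereason; the log line format, host names, file paths and the ten-minute correlation window are constructed for the demonstration. Only the export name sqlite3_prepare_v4 and the file name wlbsctrl.dll come from the research summarized on this page.

```python
"""Hunt for the Spyder Loader tradecraft described above in process and file
events. Added example, not vendor code; log format, hosts and paths are
constructed for the demonstration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events in a simple "ts key=value ..." form (not a real product format).
SAMPLE_LOG = r"""
2024-11-23T10:14:02Z host=WS-0421 event=ProcessCreate image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\ProgramData\sqlite3.dll,sqlite3_prepare_v4 C:\ProgramData\cache.dat"
2024-11-23T10:14:03Z host=WS-0421 event=FileCreate image=C:\Windows\System32\rundll32.exe target=C:\ProgramData\wlbsctrl.dll
2024-11-23T10:14:09Z host=WS-0421 event=FileDelete image=C:\Windows\System32\rundll32.exe target=C:\ProgramData\wlbsctrl.dll
2024-11-23T10:20:11Z host=WS-0102 event=ProcessCreate image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL desk.cpl"
2024-11-23T10:21:40Z host=WS-0102 event=ProcessCreate image=C:\Apps\Notes\notes.exe cmdline="notes.exe --db C:\Apps\Notes\notes.sqlite"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# rundll32 <dll>,<export> [args]: the loader reads its record file name from the argument.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\w+)\s*(?P<arg>.*)', re.I)
MALICIOUS_EXPORT = "sqlite3_prepare_v4"   # export name reported in the research
LOADER_DLL = "wlbsctrl.dll"               # dropped next-stage loader file name


@dataclass
class Finding:
    severity: str
    host: str
    ts: datetime
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'ts key=value ...' line into a dict (quoted values allowed)."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for m in KV.finditer(rest):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ev


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_rundll32(ev: dict):
    """Flag rundll32 calling the reported export, or any export of a sqlite3-named DLL."""
    if ev.get("event") != "ProcessCreate" or basename(ev.get("image", "")) != "rundll32.exe":
        return None
    m = RUNDLL.search(ev.get("cmdline", ""))
    if not m:
        return None
    dll, export, arg = basename(m["dll"]), m["export"], m["arg"].strip()
    if export.lower() == MALICIOUS_EXPORT:
        return Finding("high", ev["host"], ev["ts"], "rundll32-sqlite-export",
                       f"{dll}!{export} called with record file {arg!r}")
    if dll.startswith("sqlite3"):
        # A genuine SQLite library is linked by applications, not launched through rundll32.
        return Finding("medium", ev["host"], ev["ts"], "rundll32-sqlite-dll",
                       f"rundll32 invoked {dll}!{export} {arg!r}")
    return None


def check_loader_dll(ev: dict, pending: dict, window=timedelta(minutes=10)):
    """Flag wlbsctrl.dll being written, and its deletion shortly afterwards (artifact cleanup)."""
    target = ev.get("target", "")
    if basename(target) != LOADER_DLL:
        return []
    key = (ev["host"], target.lower())
    if ev["event"] == "FileCreate":
        pending[key] = ev["ts"]
        return [Finding("medium", ev["host"], ev["ts"], "wlbsctrl-drop",
                        f"{target} written by {ev.get('image')}")]
    if ev["event"] == "FileDelete" and key in pending:
        age = ev["ts"] - pending.pop(key)
        if age <= window:
            return [Finding("high", ev["host"], ev["ts"], "wlbsctrl-cleanup",
                            f"{target} deleted {age.seconds}s after creation")]
    return []


def hunt(log_text: str) -> list:
    """Run both checks over every event, keeping per-host state for the create/delete pairing."""
    findings, pending = [], {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        f = check_rundll32(ev)
        if f:
            findings.append(f)
        findings.extend(check_loader_dll(ev, pending))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts:%H:%M:%S} {f.host} {f.rule}: {f.detail}")
```

On the constructed sample the script raises three findings for WS-0421 (the export call with its record-file argument, the wlbsctrl.dll drop, and its deletion six seconds later) and nothing for the legitimate rundll32 control-panel launch or the notes application opening its own SQLite database. The third-argument extraction matters for triage: the file it names is the record container Spyder Loader reads, so it should be collected before the loader's cleanup routine gets to it.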
In addition to Spyder Loader, the credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.
The researchers included a list of indicators of compromise for Spyder Loader in their post so enterprises can check whether their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec's Protection Bulletins page.
