Chinese Tag Team APTs Keep Stealing Asian Govt Secrets

Published: 23/11/2024   Category: security




A PRC threat cluster known as Crimson Palace is demonstrating the benefits of having specialized units carry out distinct stages of a wider attack chain.



A trio of threat clusters working in service of the People's Republic of China (PRC) have compromised at least a dozen new targets, including one Southeast Asian government organization.
Operation Crimson Palace has been tracked since March 2023 but has been particularly active in 2024, as the threat actors fight cybersecurity analysts to stay alive inside their targets' networks. In fact, despite being outed and actively hunted, Crimson Palace's three arms have managed to keep breaching public and private organizations in Asia, stealing potentially sensitive strategic data and materials from what Sophos described in a new report as "a prominent agency within the government of a Southeast Asian nation."
Every heist movie has a team, and each team member has a unique specialty. You've got your getaway driver, your hacker or safecracker, the weapons expert, the muscle, the silver-tongued vixen.
Operation Crimson Palace uses this team-based approach for cyber heists. Instead of operating as a monolithic advanced persistent threat (APT), three independent teams — tracked by Sophos as Alpha, Bravo, and Charlie — each have a unique, though partly overlapping, role in the wider attack chain. This setup lets each cluster hyperfocus on specific tasks, and lets different clusters work on different compromises simultaneously.
Cluster Alpha typically handles the opening stages of a compromise: performing network reconnaissance and mapping, moving laterally and establishing persistence in a targeted system, deploying backdoors, disrupting security software, and so on.
Broadly speaking, Cluster Bravo is the infrastructure specialist. It further entrenches and spreads in target networks, prepares the field for malware deployment, and establishes command-and-control (C2) communications channels, often by using one Crimson Palace victim as a relay point through which to attack another. From January to June 2024, Sophos identified a number of organizations — including one government agency — whose infrastructure Bravo borrowed for malware staging.
"It's obscuring the command-and-control in places where you might already be expecting to see traffic," explains Chester Wisniewski, global field chief technology officer (CTO) at Sophos. "If you see HTTPS traffic directly with one of your primary telecommunications providers — or perhaps with another government agency or business entity in the country that's commonly engaging with people in your environment — it's going to be a lot harder to determine if that's [coming from a malicious] C2, or if it's just normal business operations."
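Destination reputation is useless against C2 relayed through a victim that your users already talk to, so the practical hunting lever is behaviour rather than destination. The following is an added example, not Sophos tooling or anything from the Crimson Palace report: it reads proxy-style log lines and flags source/destination pairs whose request timing is machine-regular, the way implant check-ins tend to be even with jitter, while human browsing is bursty. The log format, IP addresses and host names (`portal.example-agency.gov.xx`, `www.example-news.xx`) are constructed for the example, and the thresholds (`min_hits`, `max_interval_cv`) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.1.2.30 checks in to a "trusted" domestic host about every 60 s (implant-like).
# 10.1.2.31 browses a news site in bursts (human-like).
# 10.1.2.32 touches the same domestic host only three times (too few samples to judge).
SAMPLE_LOG = """\
2024-02-14T09:00:00 10.1.2.30 portal.example-agency.gov.xx 812
2024-02-14T09:00:05 10.1.2.31 www.example-news.xx 1440
2024-02-14T09:00:09 10.1.2.31 www.example-news.xx 23810
2024-02-14T09:00:40 10.1.2.31 www.example-news.xx 2201
2024-02-14T09:00:58 10.1.2.30 portal.example-agency.gov.xx 799
2024-02-14T09:02:01 10.1.2.30 portal.example-agency.gov.xx 805
2024-02-14T09:03:00 10.1.2.30 portal.example-agency.gov.xx 811
2024-02-14T09:03:59 10.1.2.30 portal.example-agency.gov.xx 803
2024-02-14T09:04:12 10.1.2.31 www.example-news.xx 15022
2024-02-14T09:04:15 10.1.2.31 www.example-news.xx 980
2024-02-14T09:05:02 10.1.2.30 portal.example-agency.gov.xx 808
2024-02-14T09:05:30 10.1.2.32 portal.example-agency.gov.xx 5120
2024-02-14T09:06:00 10.1.2.30 portal.example-agency.gov.xx 800
2024-02-14T09:07:01 10.1.2.30 portal.example-agency.gov.xx 810
2024-02-14T09:11:50 10.1.2.31 www.example-news.xx 3301
2024-02-14T09:12:02 10.1.2.31 www.example-news.xx 48770
2024-02-14T09:20:00 10.1.2.32 portal.example-agency.gov.xx 6010
2024-02-14T09:30:00 10.1.2.31 www.example-news.xx 1210
2024-02-14T09:44:00 10.1.2.32 portal.example-agency.gov.xx 4880
"""


def parse_log(text):
    """Group requests by (src_ip, dst_host): {(src, dst): [(timestamp, bytes_out), ...]}, time-ordered."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    for hits in flows.values():
        hits.sort()
    return flows


def _cv(values):
    """Coefficient of variation (pstdev / mean): 0 for a perfectly regular series."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(text, min_hits=6, max_interval_cv=0.2):
    """Flag (src, dst) pairs whose inter-request gaps are machine-regular.

    Regularity is judged by the coefficient of variation of the gaps between
    consecutive requests: a jittered 60 s beacon still scores near zero, human
    traffic scores well above 1. Pairs with fewer than min_hits requests are
    skipped because a handful of gaps proves nothing either way.
    Returns {(src, dst): {"count", "mean_interval", "interval_cv", "size_cv"}}.
    """
    flagged = {}
    for key, hits in parse_log(text).items():
        if len(hits) < min_hits:
            continue
        times = [t for t, _ in hits]
        sizes = [s for _, s in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = _cv(gaps)
        if interval_cv <= max_interval_cv:
            flagged[key] = {
                "count": len(hits),
                "mean_interval": mean(gaps),
                "interval_cv": interval_cv,
                # Near-constant request size is a second hint worth surfacing to the analyst.
                "size_cv": _cv(sizes),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} hits, every {stats['mean_interval']:.1f}s "
              f"(interval cv={stats['interval_cv']:.3f}, size cv={stats['size_cv']:.3f})")
```

Treat a hit as a hunting lead, not a verdict: mail clients, update checks and monitoring agents also beacon on a schedule, so the useful next step is to baseline which (host, destination) pairs are expected to be periodic and then look hard at any new regular pair to a domestic partner that only one or two hosts talk to.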
Though Bravo hasnt always featured heavily in Crimson Palace attacks, it has come to life in more recent cases. Sophos newly identified Bravo activity in at least 11 Asian organizations and agencies, including government contractors.
"It's very possible Cluster Alpha [and Bravo] doesn't even know what they're after, other than that this is the target environment that they must keep the door open to, to allow someone else in who's aware of what the goal is," Wisniewski notes.
That someone else is Cluster Charlie.
Cluster Charlie is the cleanup hitter, responsible for whatever is necessary to maintain system access and exfiltrate sensitive data. Befitting its role, it appears to be the most active and sophisticated of the three clusters.
Its story took shape following its first run-in with researchers in August 2023. After Sophos blocked its custom C2 tool, PocoProxy, the Charlie cluster went quiet for a few weeks. Then, beginning that September and continuing ever since, it has constantly bounced back with a new tactic, technique, or procedure (TTP) for every one its adversaries have blocked.
In response to having its custom malware blocked, Charlie turned to the open source community, making use of at least 11 tools for C2 (e.g. Cobalt Strike), shellcode loading (e.g. Donut), evasion of EDR software (e.g. RealBlindingEDR), and more. "When they had custom C2 access to the environment and we successfully blocked it, they pivoted to some open source tools," Wisniewski recalls. "And then when that didn't work, they came back with new custom tooling."
Charlie's creativity came through most in its means of malware delivery. Between last November and this past May, Charlie deployed C2 implants using no fewer than 28 unique combinations of sideloading chains, execution methods, and shellcode loaders. On multiple occasions in February, the group even conducted a kind of A/B testing, deploying its malicious files using slightly varying means to see which would work best.
As Wisniewski warns, "If you have something they want — even if you're successful in figuring out their current approach to how they're attacking the network — they're not going to stop. They will continue to innovate and iterate."
