Chinese Threat Clusters Triple-Team High-Profile Asia Government Org

Published: 23/11/2024   Category: security




Operation Crimson Palace performed specialized tasks in a broader cyberattack chain, likely under the watch of a single organization.



Over the past year, a trio of Chinese state-aligned threat clusters collaborated to glean sensitive military and political secrets from a high-profile government organization in Southeast Asia.
A Sophos report issued today highlights not just the sophistication of the so-called Operation Crimson Palace — involving new malware tools, more than 15 dynamic link library (DLL) sideloading efforts, and some novel evasion techniques — but also a remarkable degree of coordination. Three different threat clusters performed specialized tasks in a broader attack chain, likely under the watch of a single organization.
Such diligent teamwork allowed the attackers to steal a large number of files and emails. Those files and emails included, for example, documents outlining strategic approaches to the hotly contested South China Sea. The unidentified government in question has long feuded with China over that territory.
Chinese advanced persistent threats (APTs) have been known to share infrastructure and malicious code, but Operation Crimson Palace takes inter-APT collaboration to new heights.
The first signs of Chinese-linked threat activity can be traced at least to March 2022, when the Nupakage data exfiltration tool developed by Mustang Panda (aka Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, Stately Taurus) was deployed to the victim government's network. Later, in December, an attacker performed DLL stitching to covertly deploy two backdoors against targeted domain controllers. Exactly who was behind this first year of activity is as yet unclear.
The Crimson Palace campaign began the following year, with the team Sophos calls Cluster Alpha. From March through August 2023, Alpha performed reconnaissance by mapping server subnets, noting administrator accounts, and probing Active Directory infrastructure. It disabled antivirus protections, including by using a new variant of the Eagerbee backdoor from Emissary Panda (aka Iron Tiger, APT27). It also performed various steps toward establishing persistence, leveraging uncommon LOLbins and no fewer than five different malware tools for command and control (C2).
Cluster Bravo had a quicker job. Entering the fray in March and leaving after just a few weeks, it focused primarily on using legitimate accounts to spread laterally in the target's network. To aid in this effort, as well as establishing C2 communications and dumping credentials, Bravo deployed a novel backdoor called CCoreDoor.
The final cluster, Charlie, proved the most troublesome. From March 2023 to April 2024 it specialized in access management — performing ping sweeps across the network to map all users and endpoints, and capturing credentials from domain controllers — and deployed a novel backdoor called PocoProxy for C2 purposes.
Most importantly, Charlie collected and exfiltrated large volumes of data. The information gleaned from the government network included sensitive military and political secrets, among them documents outlining strategic approaches to the hotly contested South China Sea.
Operation Crimson Palace involved tools and infrastructure that overlap with some half dozen known Chinese threat actors, most notably Worok and the APT41 subgroup Earth Longzhi. Sophos researchers used this and the nature of the espionage to tie the attack to the Chinese government, but stopped short of attributing a specific group.
In fact, they say, focusing on attributing Crimson Palace might end up being counterproductive to defending against it.
"I think this has been problematic in the past — we obsess too much with attribution," says Chester Wisniewski, director and global field CTO at Sophos. Attribution can make defenders feel like they can predict an attacker's next moves but, as Crimson Palace demonstrates, "Just because one group is really talented at one given thing does not mean you're not going to see completely different techniques used later," Wisniewski says. "Because they may have shared those stolen credentials with other groups, with completely different tool sets and completely different missions."
"Once you're breached by one of these adversaries, all bets are off. One group might be after espionage. Another one might be prepositioning for Volt Typhoon-style future disruption. You have to assume all those things are happening."
