Sophos Uncovers Ongoing Chinese Cyberespionage Against Southeast Asian Government
Chinese State-Linked Hackers Target Southeast Asian Government
Sophos, a global cybersecurity firm, has uncovered a sophisticated cyberespionage operation targeting a major Southeast Asian government. The operation, named “Crimson Palace” and active since at least March 2022, is linked to Chinese state interests. Sophos MDR’s Mark Parsons first identified the threat in May 2023, revealing a complex network of malicious activities aimed at espionage.
The investigation began with the discovery of a DLL sideloading vulnerability in VMware’s VMNat.exe component. Sophos’ research identified three distinct intrusion clusters (Alpha, Bravo, and Charlie), each employing a variety of malware, including a new variant of the EAGERBEE malware. The operations spanned from March 2023 to at least April 2024, highlighting the sustained nature of the attacks.
The espionage campaign utilized tools and infrastructure associated with known Chinese threat actors and aimed to collect sensitive intelligence, including military strategies concerning the South China Sea. While the extent of the damage and the exact nature of the stolen data remain unclear, Sophos’ findings suggest a coordinated effort by multiple actors under a central command pursuing Chinese state interests.
Sophos’ investigation revealed the use of novel malware variants, such as CCoreDoor and PocoProxy, alongside sophisticated evasion tactics. These included over 15 distinct DLL sideloading scenarios, abusing legitimate software to bypass security measures.
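The sideloading pattern the report describes (a legitimate, trusted executable such as VMNat.exe loading a malicious DLL placed alongside it) leaves a recognisable trace in image-load telemetry. The following is an added example written for this summary, not code from Sophos or the report: a simple hunting check over constructed Sysmon Event ID 7 style records that flags a DLL normally resolved from the Windows directory when it is instead loaded unsigned from the loading process's own folder. The event layout, the DLL names and the VMware paths are illustrative assumptions.

```python
from pathlib import PureWindowsPath

# Constructed image-load records in the shape of Sysmon Event ID 7 fields.
# Sample data for this example only, not telemetry from the Sophos report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe",
     "ImageLoaded": r"C:\Program Files (x86)\VMware\VMware Workstation\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\applib.dll",
     "Signed": "false", "Signature": ""},
]

# DLLs that a well-behaved process should resolve from the Windows directory.
# A copy sitting next to a third-party executable is the classic search-order
# hijack layout. Assumption: this short list is illustrative, not exhaustive.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "wtsapi32.dll",
               "dbghelp.dll", "userenv.dll"}


def is_sideload_candidate(event, system_dlls=SYSTEM_DLLS):
    """True when a system-named DLL is loaded unsigned from the host's own folder."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in system_dlls:
        return False
    from_windows_dir = str(loaded).lower().startswith("c:\\windows\\")
    same_dir = str(loaded.parent).lower() == str(image.parent).lower()
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and not from_windows_dir and unsigned


def find_sideload_candidates(events, system_dlls=SYSTEM_DLLS):
    """Return (process name, DLL path) pairs worth an analyst's attention."""
    return [(PureWindowsPath(e["Image"]).name, e["ImageLoaded"])
            for e in events if is_sideload_candidate(e, system_dlls)]


if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

Only the first record is flagged: the same DLL name loaded from System32, or a vendor's own unsigned helper library, does not match the hijack layout.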
The research underscores the ongoing threat posed by state-sponsored cyberespionage, particularly from actors linked to China, targeting critical government sectors in Southeast Asia. The Sophos team, comprising ten researchers, continues to monitor and analyze the activities of these threat clusters to mitigate their impact and protect vulnerable networks.
Sophos’ detailed report highlights the complexity and persistence of state-sponsored cyber threats, emphasizing the need for robust cybersecurity defenses and international cooperation to counter espionage activities targeting global stability and security.