Chinese hackers expand operations beyond Asia and Europe


The Chinese state-sponsored cyber-espionage group, tracked by Microsoft as DEV-0147, has been spotted targeting diplomatic entities in South America with the ShadowPad (aka PoisonPlug) remote access trojan.

Microsoft says that DEV-0147’s new campaign represents a notable expansion of the group’s data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe.

DEV-0147 has previously been observed using ShadowPad, a RAT also linked to other Chinese hacking groups, to maintain persistent access, and a webpack loader called “Quasarloader” to deploy additional malware.

ShadowPad is believed to be a successor to the PlugX remote access trojan and has been widely used by Chinese state-backed threat actors affiliated with the Ministry of State Security (MSS) and the People's Liberation Army (PLA). According to cybersecurity firm Secureworks, the RAT has been deployed by the Chinese Bronze Atlas threat group since at least 2017.

“DEV-0147’s attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration,” Microsoft wrote in a series of tweets.

While the tech giant did not provide any details on how the group gained initial access to victim networks, phishing and the exploitation of unpatched software are the most likely initial access vectors.
