Cyber Threat Actor: Moshen Dragon
| Actor Type | Location | Known Incidents |
Spy
|
China
|
2 incidents |
|---|
Profile
Moshen Dragon is acyber‑espionage group that operates under the alias Moshen Dragon and is publicly linked to China. The group has been identified by security researchers as a Chinese cyber‑espionage actor that focuses on stealing information rather than pursuing financial gain or causing disruption. Its known targets are telecommunications service providers located in Central Asia, a regional focus that has been observed in the publicly reported activity attributed to the actor. The strategic objective of Moshen Dragon, as described in the available sources, is to conduct espionage by exfiltrating data from compromised systems.
The actor’s tactics include the abuse of high‑privilege antivirus processes to sideload malicious Windows DLLs, a technique that leverages the trusted execution of products from TrendMicro, Bitdefender, McAfee, Symantec and Kaspersky to run code with minimal restrictions. After gaining execution, Moshen Dragon employs the open‑source Impacket framework to move laterally within networks and to harvest credentials by capturing domain password change events and writing them to C:\Windows\Temp\Filter.log. To maintain persistence and ensure that payloads run only on intended hosts, the group deploys a passive loader that compares the system’s hostname to a hard‑coded value before activating. This loader utilizes the WinDivert packet sniffer to intercept incoming traffic until a specific decryption string is received, at which point it unpacks and launches the final payload. The payloads observed in the group’s operations are variants of the PlugX and ShadowPad backdoors, both of which have been used by multiple Chinese APT families for data exfiltration and long‑term access.
A representative campaign occurred in May 2022 when Moshen Dragon targeted telecommunication providers across Central Asia using the described DLL sideloading and Impacket‑based lateral movement chain. The activity was documented in a Sentinel Labs report that noted overlaps with the RedFoxtrot and Nomad Panda clusters but emphasized sufficient differences to track Moshen Dragon as a distinct cluster. Although the initial infection vector for this operation remains unknown, the reported sequence began with antivirus abuse, proceeded through credential theft and host‑specific loader deployment, and culminated in the exfiltration of data via PlugX and ShadowPad implants. The campaign illustrates the group’s focus on stealthy persistence, targeted execution, and the collection of sensitive information from telecommunications infrastructure.
