Date: May 2022

Location: China

Summary

A Chinese cyber-espionage group tracked as Moshen Dragon targeted telecommunications providers in Central Asia, using techniques that included sideloading malicious DLLs into antivirus products to execute code with those products' high privileges. The attackers used Impacket for lateral movement and credential theft, captured password-change events, and deployed passive loaders that verified the target machine before activating custom payloads, variants of the PlugX and ShadowPad backdoors. Their operations focused on extensive data exfiltration from compromised systems while adapting tactics to bypass defenses, leveraging tools such as WinDivert for traffic interception and payload decryption.


Description

In May 2022, cybersecurity researchers identified a cyber-espionage campaign targeting telecommunication service providers in Central Asia, attributed to a newly tracked threat group designated as Moshen Dragon. Sentinel Labs reported the activity, noting overlaps with known Chinese state-aligned groups RedFoxtrot and Nomad Panda through shared malware families like ShadowPad and PlugX, but highlighted sufficient operational differences to warrant separate tracking. The group demonstrated advanced capabilities in evading defenses by exploiting trusted security software, specifically sideloading malicious DLLs into antivirus processes from TrendMicro, Bitdefender, McAfee, Symantec, and Kaspersky. This technique leveraged the high privileges of antivirus products on Windows systems to execute unrestricted malicious code while avoiding detection. The initial infection vector remained undetermined at the time of reporting, with analysis commencing from the post-compromise abuse of antivirus mechanisms. Moshen Dragon deployed Impacket, a Python toolkit facilitating lateral movement via Windows Management Instrumentation (WMI), to remotely execute commands and harvest credentials across the network.


The attackers systematically captured password-change events across compromised domains using an open-source tool integrated with Impacket, logging the credentials to "C:\Windows\Temp\Filter.log". After establishing footholds, they distributed passive loaders to neighboring systems; each loader activated only on a specific machine by matching the hostname against a hardcoded value, indicating payloads tailored per target. These loaders used the WinDivert packet sniffer to intercept network traffic and waited for a decryption string before unpacking the final-stage payload, identified as a variant of the PlugX or ShadowPad backdoor. These malware families enabled persistent remote access, aligning with the group's objective of large-scale data exfiltration from infected systems. The operation showed meticulous planning: host-specific payload generation, antivirus subversion to obtain high privileges, and multi-stage payload deployment to maintain stealth. No containment measures or victim responses were detailed in the available reporting, though the campaign's technical sophistication suggested prolonged access to telecommunications infrastructure for intelligence gathering.
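Two of the artefacts described above lend themselves to simple host-telemetry triage rules: an antivirus process loading a DLL it has no business loading (the sideloading step), and the credential log written to C:\Windows\Temp\Filter.log. The script below is an added example, not code from the reporting or from any vendor; the event records are constructed in the shape of Sysmon image-load and file-create events, and the antivirus binary name (avagent.exe) and install directory (C:\Program Files\ExampleAV) are placeholders a defender would replace with the products actually deployed.

```python
"""Triage rules for AV DLL sideloading and the Filter.log credential artefact.

Added example: the event records are constructed (Sysmon-style fields) and the
AV binary name and install root are placeholders, not real vendor values.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: the defender fills these in for the AV products actually installed.
AV_BINARY_NAMES = {"avagent.exe"}                         # placeholder AV executable name
AV_VENDOR_ROOTS = [PureWindowsPath(r"C:\Program Files\ExampleAV")]  # placeholder install root
WINDOWS_ROOTS = [PureWindowsPath(r"C:\Windows")]          # system DLLs are expected from here
# Path named in the public reporting as the attackers' credential log.
CREDENTIAL_LOG = PureWindowsPath(r"C:\Windows\Temp\Filter.log")


@dataclass(frozen=True)
class ImageLoad:
    """Sysmon event 7 (image loaded), reduced to the fields the rule needs."""
    process_image: str   # full path of the loading process
    loaded_image: str    # full path of the DLL that was loaded
    signed: bool         # Sysmon "Signed" field, simplified to a boolean


@dataclass(frozen=True)
class FileCreate:
    """Sysmon event 11 (file created), reduced to the fields the rule needs."""
    process_image: str
    target: str


def _under(path: str, roots: list[PureWindowsPath]) -> bool:
    """True if path lies below any of roots (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def sideload_suspicion(ev: ImageLoad) -> Optional[str]:
    """Return a reason when an AV process shows a sideloading pattern, else None."""
    if PureWindowsPath(ev.process_image).name.lower() not in AV_BINARY_NAMES:
        return None  # not an AV process; outside the scope of this rule
    if not _under(ev.process_image, AV_VENDOR_ROOTS):
        # A signed AV binary copied next to a malicious DLL in a writable directory.
        return "AV binary running outside its install directory"
    if not ev.signed:
        return "unsigned DLL loaded by AV process"
    if _under(ev.loaded_image, AV_VENDOR_ROOTS) or _under(ev.loaded_image, WINDOWS_ROOTS):
        return None  # vendor's own code or a Windows system DLL
    return "DLL loaded from outside vendor and Windows directories"


def credential_log_written(ev: FileCreate) -> bool:
    """True if the created file is the Filter.log path from the reporting."""
    return PureWindowsPath(ev.target) == CREDENTIAL_LOG


def triage(events: list) -> list[tuple[int, str]]:
    """Run both rules over a stream of events; return (index, reason) findings."""
    findings = []
    for i, ev in enumerate(events):
        reason = None
        if isinstance(ev, ImageLoad):
            reason = sideload_suspicion(ev)
        elif isinstance(ev, FileCreate) and credential_log_written(ev):
            reason = "credential log written"
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample telemetry: benign loads first, then the suspicious patterns.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleAV\avagent.exe", r"C:\Program Files\ExampleAV\avcore.dll", True),
    ImageLoad(r"C:\Program Files\ExampleAV\avagent.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\ExampleAV\avagent.exe", r"C:\ProgramData\helper.dll", True),
    ImageLoad(r"C:\Program Files\ExampleAV\avagent.exe", r"C:\Program Files\ExampleAV\plugin.dll", False),
    ImageLoad(r"C:\Users\Public\avagent.exe", r"C:\Users\Public\avcore.dll", True),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Users\Public\avcore.dll", False),
    FileCreate(r"C:\Users\Public\avagent.exe", r"C:\Windows\Temp\Filter.log"),
    FileCreate(r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\other.log"),
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The rule deliberately keys on the AV process identity rather than on any specific malicious DLL name, because the reporting describes the technique (sideloading into trusted, high-privilege AV processes) rather than a fixed file: an AV binary running from a user-writable directory, or loading unsigned code or code from outside its own tree and the Windows directory, is the pattern worth alerting on regardless of which payload follows.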
