Cyber Incident Victim: Moshen Dragon Victims

Date: May 2022

Location: China

Summary

Moshen Dragon, a Chinese cyber-espionage group, targeted telecommunications providers in Central Asia using sophisticated techniques to bypass defenses and maintain persistence. The threat actors abused high-privilege antivirus processes to sideload malicious DLLs, enabling unrestricted code execution and evasion, then deployed Impacket for lateral movement and credential theft by capturing domain password changes. Unique host-specific loaders with packet-sniffing capabilities activated payloads only on designated machines, demonstrating operational diligence. The group ultimately deployed PlugX and ShadowPad backdoor variants to exfiltrate data from compromised systems across the network.


Description

The Moshen Dragon cyber-espionage campaign targeted telecommunications service providers in Central Asia, with activity documented around May 2022. Researchers from SentinelLabs identified the group as a distinct threat actor despite overlaps with known Chinese-linked groups such as RedFoxtrot and Nomad Panda, particularly in its use of ShadowPad and PlugX malware variants. The initial infection vector remained unidentified, but analysis began with the group's abuse of antivirus software processes to sideload malicious DLLs. The abused products included those from Trend Micro, Bitdefender, McAfee, Symantec, and Kaspersky; because these processes run with high privileges on Windows, the sideloaded code executed without restriction while evading detection. This technique enabled deployment of the Impacket framework, a Python-based toolkit that facilitated lateral movement via Windows Management Instrumentation (WMI) and remote code execution. Impacket was paired with credential-stealing capabilities that captured password change events on compromised domains and logged them to "C:\Windows\Temp\Filter.log" for later exfiltration.


After establishing access, Moshen Dragon deployed passive loaders on neighboring systems, which verified hostnames against hardcoded values before activation—indicating tailored payloads per target machine. The loaders utilized the WinDivert packet sniffer to intercept network traffic until receiving a specific decryption string, after which they unpacked and executed final-stage payloads (SNAC.log or bdch.tmp). These payloads included variants of PlugX and ShadowPad, modular backdoors historically associated with Chinese advanced persistent threats. The group’s operations demonstrated adaptability to defensive measures, systematic lateral movement, and rigorous targeting validation. The campaign’s primary objective centered on data exfiltration from compromised telecommunication networks, though specific impacts on victim organizations or datasets were not disclosed in available reporting. No containment or remediation actions by victims or third parties were detailed in the source material.
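As an added defender-side illustration (not code from the source report or its authors), the following Python sketch flags two of the behaviours described above over constructed endpoint events: a security-product process loading a DLL from outside its own install directory, and a file write to the Filter.log path named in the report. The vendor install directories, event field names and sample paths are assumptions.

```python
"""Detection sketch: DLL sideloading into antivirus processes and writes to
C:\\Windows\\Temp\\Filter.log. Added example; events below are constructed."""
from typing import Iterable, List, Optional

# Assumed install directories for the antivirus vendors named in the report.
AV_VENDOR_DIRS = [
    r"C:\Program Files\Trend Micro",
    r"C:\Program Files\Bitdefender",
    r"C:\Program Files\McAfee",
    r"C:\Program Files\Symantec",
    r"C:\Program Files\Kaspersky Lab",
]
SYSTEM_DIR = r"C:\Windows\System32"
FILTER_LOG = r"C:\Windows\Temp\Filter.log"  # path quoted in the report


def _under(path: str, directory: str) -> bool:
    """Case-insensitive check that a Windows path lies inside a directory."""
    return path.casefold().startswith(directory.casefold().rstrip("\\") + "\\")


def check_sideload(event: dict) -> Optional[str]:
    """A vendor process loading a DLL from neither its install directory nor
    System32 is consistent with the sideloading the report describes."""
    for vendor_dir in AV_VENDOR_DIRS:
        if _under(event["image"], vendor_dir):
            loaded = event["image_loaded"]
            if not (_under(loaded, vendor_dir) or _under(loaded, SYSTEM_DIR)):
                return f"possible DLL sideload into {event['image']}: {loaded}"
    return None


def check_filter_log(event: dict) -> Optional[str]:
    """Any process writing the Filter.log path deserves an analyst's look."""
    if event["target"].casefold() == FILTER_LOG.casefold():
        return f"write to {FILTER_LOG} by {event['image']}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run the check matching each event type; return the alert strings."""
    checks = {"image_load": check_sideload, "file_create": check_filter_log}
    return [hit for ev in events
            if (check := checks.get(ev["type"])) and (hit := check(ev))]


# Constructed sample telemetry (process names are placeholders, not IoCs).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\Kaspersky Lab\scanner.exe",
     "image_loaded": r"C:\Users\Public\Libraries\helper.dll"},          # alert
    {"type": "image_load", "image": r"C:\Program Files\Bitdefender\scanner.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},              # benign
    {"type": "file_create", "image": r"C:\Windows\System32\lsass.exe",
     "target": r"C:\Windows\Temp\Filter.log"},                          # alert
    {"type": "file_create", "image": r"C:\Windows\notepad.exe",
     "target": r"C:\Users\alice\notes.txt"},                            # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```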
