Since the end of 2022, we have identified multiple espionage-related intrusions targeting governmental entities in the Middle East Africa and Asia. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, geopolitical events, military activities, and ministries of foreign affairs.

The threat actor behind the attacks used a very rare set of tactics, techniques, and procedures (TTPs), which sets it apart from other known threat actors. Some of TTPs were never reported before in the wild, such as a novel and evasive in-memory webshell implant and custom-built family of backdoors. Other rare techniques that we observed included a novel Exchange email exfiltration technique that was used by the attackers only on a few selected targets, and a credential stealing technique that was rarely seen in the wild.

In our presentation, we will explore the TTPs employed by the sophisticated threat actor throughout each phase of the attack life cycle and share some exclusive information that has not been published yet about the attackers’ playbook. After understanding how this threat actor operates, what exactly they were looking for, and how to hunt them down, we will delve into the attribution process and establish the connection to the Chinese Nexus through different facets.