Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

New Cyberattack Hits Chinese-Speaking Firms

August 30, 2024
Reading Time: 2 mins read
in Alerts
New Cyberattack Hits Chinese-Speaking Firms

A new and highly sophisticated cyberattack campaign, identified as SLOW#TEMPEST, is targeting Chinese-speaking businesses with advanced Cobalt Strike payloads. Researchers from Securonix have uncovered that this campaign initiates with phishing emails containing malicious ZIP files. Once unpacked, these files trigger an infection chain on Windows systems, deploying a post-exploitation toolkit designed to maintain stealthy access. The attack begins with a disguised Windows shortcut file, which masquerades as a Microsoft Word document, leading to the execution of a rogue DLL through DLL side-loading.

The rogue DLL, named “dui70.dll,” acts as a Cobalt Strike implant, providing attackers with persistent and covert access to the infected systems. This access allows them to establish communication with a remote server, “123.207.74[.]22,” enabling further activities such as deploying additional payloads, conducting reconnaissance, and setting up proxied connections. Notably, this attack marks the first reported use of DLL side-loading via LicensingUI.exe, adding a new dimension to the malware landscape.

To evade detection, the attackers elevate the privileges of the built-in Guest user account, transforming it into a powerful access point by adding it to the administrative group and assigning a new password. This technique helps the attackers maintain access with minimal oversight, as the Guest account is typically less monitored. The attackers then move laterally across the network using Remote Desktop Protocol (RDP) and Mimikatz to extract credentials, setting up remote connections to their command-and-control (C2) servers from each compromised machine.

The campaign’s connections to China are reinforced by the fact that all C2 servers are hosted by Shenzhen Tencent Computer Systems Company Limited, and many of the campaign’s artifacts originate from China. Although no direct link to known APT groups has been established, the complexity of the campaign suggests it is orchestrated by experienced threat actors skilled in advanced exploitation frameworks and post-exploitation tools. This methodical approach to initial compromise, persistence, and lateral movement highlights the sophisticated nature of the cyberattack.

Reference:

  • Cyberattack Targets Chinese-Speaking Businesses Using Cobalt Strike Payloads
Tags: August 2024Chinese-speaking businessesCobalt Strike payloadsCyber AlertsCyber Alerts 2024Cyber threatsCyberattackPhishingWindows
ADVERTISEMENT

Related Posts

Wing FTP Server RCE Flaw Exploited

WinRAR Zero-Day Exploit $80K on Dark Web

July 14, 2025
Wing FTP Server RCE Flaw Exploited

Google Gemini Flaw Hijacks Email Summaries

July 14, 2025
Wing FTP Server RCE Flaw Exploited

Wing FTP Server RCE Flaw Exploited

July 14, 2025
Fake Firms Push Malware on Crypto Users

Fake Sites Push Investment Scams

July 11, 2025
Fake Firms Push Malware on Crypto Users

Severe WordPress Flaw 200K Sites at Risk

July 11, 2025
Fake Firms Push Malware on Crypto Users

Fake Firms Push Malware on Crypto Users

July 11, 2025

Latest Alerts

WinRAR Zero-Day Exploit $80K on Dark Web

Google Gemini Flaw Hijacks Email Summaries

Wing FTP Server RCE Flaw Exploited

Fake Sites Push Investment Scams

Fake Firms Push Malware on Crypto Users

Severe WordPress Flaw 200K Sites at Risk

Subscribe to our newsletter

    Latest Incidents

    Supermarket Cyberattack Prompts Warning

    China Hacker Suspected in DC Law Firm Breach

    nius.de Cyberattack Leaks User Data

    Microsoft’s Outlook Long Outage

    Avantic Lab Affected By Ransomware

    $40M+ Stolen from GMX Crypto Platform

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial