A newly identified threat actor, CeranaKeeper, has emerged as a significant player in data exfiltration attacks targeting Southeast Asia, particularly governmental institutions. According to Slovak cybersecurity firm ESET, CeranaKeeper is linked to Chinese cyber espionage activities and has been active since at least 2023, with a focus on countries including Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group employs tactics reminiscent of those used by the Mustang Panda group, indicating a strategic alignment with established Chinese state-sponsored cyber operations.
CeranaKeeper has developed a sophisticated toolkit that leverages popular cloud services such as Dropbox and OneDrive to facilitate data theft. Because its custom backdoors and exfiltration tools route stolen data through these legitimate platforms, the group can siphon large volumes of sensitive information while maintaining a low profile. ESET researchers have noted that CeranaKeeper displays a relentless and creative approach, consistently updating its malware to evade detection and adapt to the changing cybersecurity landscape.
The threat actor’s operations involve a combination of known malware families like TONESHELL and PUBLOAD, as well as new custom tools designed for stealthy data extraction. Notable among these tools are WavyExfiller, a Python uploader that harvests data from connected devices, and BingoShell, which uses GitHub’s pull request feature for command-and-control operations. These innovations highlight CeranaKeeper’s focus on maximizing data collection and minimizing exposure to security measures.
While CeranaKeeper and Mustang Panda appear to operate independently, there are indications that they may share resources or information, a common practice among cyber groups aligned with Chinese state interests. This development raises concerns about the growing sophistication and persistence of cyber espionage efforts targeting critical sectors across Southeast Asia. As the region faces increasing threats, organizations must remain vigilant and implement robust cybersecurity measures to protect sensitive information from such advanced threat actors.