Microsoft on Monday attributed a set of attacks targeting diplomatic entities in South America to a China-based cyber espionage actor.
The tech giant’s Security Intelligence team is tracking the cluster under the emerging moniker DEV-0147, describing the activity as an “expansion of the group’s data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe.”
The threat actor is said to use established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access.
ShadowPad, also called PoisonPlug, is a successor to the PlugX remote access trojan and has been widely put to use by Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People’s Liberation Army (PLA), per Secureworks.
One of the other malicious tools utilized by DEV-0147 is a webpack loader called QuasarLoader, which allows for deploying additional payloads onto the compromised hosts.