A campaign known as “Stayin’ Alive” has been actively targeting high-profile government and telecom organizations in Asia since 2021, deploying basic backdoors and loaders to deliver subsequent malware.
Check Point, the cybersecurity company tracking the campaign, reports that the attacks aim to compromise organizations in countries such as Vietnam, Uzbekistan, Pakistan, and Kazakhstan. The attackers rely on relatively simple tools that appear to be disposable and whose main job is to download and execute additional malicious payloads. What sets this campaign apart is its shared infrastructure with ToddyCat, a China-linked threat actor known for targeting government and military entities in Europe and Asia since late 2020.
The attack typically begins with a spear-phishing email carrying a ZIP attachment. The archive contains a legitimate executable that, through DLL side-loading, loads a backdoor known as CurKeep. CurKeep sends information about the compromised host to a remote server, executes commands the server sends back, and writes the server's responses to a local file. Analysis of the command-and-control (C2) infrastructure also turned up evolving loader variants such as CurLu, CurCore, and CurLog, which can receive DLL files, execute remote commands, and launch processes associated with newly generated files. A passive implant named StylerServ was also discovered; it listens on multiple ports to accept remote connections and receive encrypted configuration data.
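The DLL side-loading step is the point where a defender has the best chance of catching the initial CurKeep load, because a legitimate signed executable running out of a freshly extracted archive and pulling an unsigned DLL from its own directory is unusual behaviour. The following is an added example of that heuristic, not code from Check Point or from the report; the log format, the field names, the sample events, the user-writable directory markers and the list of "normally in System32" DLL names are all constructed assumptions for illustration.

```python
"""Heuristic detector for DLL side-loading from image-load telemetry.

Added example (not Check Point's code). The record format
'process=<path>|image=<path>|signed=<true|false>' is constructed, as are the
sample events below; a real deployment would feed it Sysmon Event ID 7 or an
EDR's image-load events instead.
"""
import ntpath
from dataclasses import dataclass

# Path fragments that indicate a user-writable location, e.g. where a
# phishing ZIP gets extracted (assumption, tune per environment).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Directories where a Windows-supplied DLL is expected to live (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A small sample of DLL names that normally ship in System32; a real list
# would be generated from a clean reference host (constructed sample).
SAMPLE_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed image-load records: one side-load, three benign loads.
SAMPLE_EVENTS = [
    r"process=C:\Users\alice\AppData\Local\Temp\invoice\update.exe"
    r"|image=C:\Users\alice\AppData\Local\Temp\invoice\version.dll|signed=false",
    r"process=C:\Program Files\Vendor\app.exe"
    r"|image=C:\Windows\System32\version.dll|signed=true",
    r"process=C:\Users\alice\Downloads\tool\tool.exe"
    r"|image=C:\Users\alice\Downloads\tool\helper.dll|signed=false",
    r"process=C:\Program Files\Vendor\app.exe"
    r"|image=C:\Program Files\Vendor\dbghelp.dll|signed=true",
]


@dataclass
class ImageLoad:
    process: str  # full path of the process that loaded the image
    image: str    # full path of the DLL that was loaded
    signed: bool  # whether the DLL carried a valid Authenticode signature


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' record into an ImageLoad."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoad(
        process=fields["process"],
        image=fields["image"],
        signed=fields["signed"].strip().lower() == "true",
    )


def is_suspicious_sideload(ev: ImageLoad, known_system_dlls: set[str]) -> bool:
    """Flag a load when all of the following hold:
    - the DLL sits in the same directory as the executable (classic side-load),
    - that directory is user-writable (archive extraction location),
    - the DLL name shadows one that normally lives in a system directory,
    - the DLL is unsigned.
    """
    proc_dir = ntpath.dirname(ev.process).lower() + "\\"
    img_dir = ntpath.dirname(ev.image).lower() + "\\"
    name = ntpath.basename(ev.image).lower()

    same_dir = proc_dir == img_dir
    writable = any(marker in proc_dir for marker in USER_WRITABLE_MARKERS)
    shadows_system_dll = name in known_system_dlls and img_dir not in SYSTEM_DIRS
    return same_dir and writable and shadows_system_dll and not ev.signed


def find_sideloads(lines, known_system_dlls: set[str]) -> list[ImageLoad]:
    """Return the events from `lines` that match the side-loading heuristic."""
    return [ev for ev in map(parse_line, lines)
            if is_suspicious_sideload(ev, known_system_dlls)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS, SAMPLE_SYSTEM_DLLS):
        print(f"possible DLL side-load: {hit.process} loaded {hit.image}")
```

The four conditions are deliberately conjunctive to keep the false-positive rate down: plenty of legitimate software loads DLLs from its own install directory, but that directory is rarely under the user's profile, and the DLL rarely shares a name with a System32 library while being unsigned. Dropping the signature check broadens coverage at the cost of more triage.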
While no definitive connection between Stayin’ Alive and ToddyCat has been established, both use similar infrastructure for targeting their victims. The adoption of disposable tools in this campaign, making detection and attribution more challenging, aligns with a trend seen among sophisticated threat actors.
In parallel, South Korea and Thailand have also experienced cyberattacks by a Chinese hacking group called Dalbit, which uses an open-source Go-based backdoor known as BlueShell for command execution and file operations, further underscoring the growing sophistication of threat actors in the region.