Researchers have observed a new Chinese APT campaign dubbed Operation StealthyTrident.

The operators behind Operation StealthyTrident have launched supply-chain attacks against hundreds of Mongolian government agencies. As the shared vector into these agencies, the attackers singled out Able Desktop, a chat application in common use across them.

  • The initial attacks bundled payloads such as the HyperBro backdoor and the PlugX remote access trojan into a trojanized Able Desktop installer, which was then distributed via phishing emails.
  • In a later phase the attackers delivered the malware-laced Able Desktop client through the app's official update mechanism. HyperBro remained in use, while PlugX was replaced by Tmanger as the remote access component.
  • After analyzing the malware strains used in the attacks, Avast researchers attributed the operation to the Chinese APT group LuckyMouse, whereas ESET researchers believe it is a collaboration between several China-linked APTs, including LuckyMouse, TA428, CactusPete, TICK, IceFog, KeyBoy, and the Winnti group.

Hijacking the official update mechanism in Operation StealthyTrident demonstrates the growing proficiency and determination of Chinese APT groups to infiltrate government institutions. Once the update channel is under attacker control, the trojanized build arrives exactly as a legitimate update would, so the usual advice to install software only from the official source no longer protects users; what still does is client-side verification of a signature made with a key the update server itself does not hold.
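Client-side verification of a signed update manifest, as an added example that is not Able Desktop's code and is not taken from the ESET or Avast reports: the product name, manifest format, key handling and installer bytes are all constructed for illustration. It runs a verifying client against the kinds of abuse an update channel is exposed to: a swapped installer behind an untouched manifest, a manifest re-signed with an attacker's key, and a replay of an old but genuinely signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor an update server publishes.
// It is signed with a release key kept off the server; the client embeds only
// the public key, so a compromised server cannot mint a manifest that verifies.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrWrongProduct   = errors.New("manifest is for a different product")
	ErrDowngrade      = errors.New("manifest version is not newer than installed")
	ErrDigestMismatch = errors.New("installer digest does not match manifest")
)

// signManifest is the publisher side: serialise the manifest and sign the bytes.
func signManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// verifyUpdate is the client side: authenticate the manifest before trusting anything in it, refuse rollbacks, then bind the installer to it.
func verifyUpdate(pub ed25519.PublicKey, body, sig, installer []byte, product string, installed int) (Manifest, error) {
	if !ed25519.Verify(pub, body, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return m, ErrWrongProduct
	}
	if m.Version <= installed {
		return m, ErrDowngrade // an old but genuinely signed manifest must not roll the client back
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}

type Outcome struct {
	Genuine, SwappedInstaller, AttackerSigned, Replayed error // nil means the update was accepted
}

// runScenario signs a constructed installer, then replays the ways an update channel
// gets abused. Keys are generated fresh; nothing here models Able Desktop's real protocol.
func runScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const product = "example-chat"
	genuine := []byte("constructed installer bytes v42") // stands in for the real installer
	d := sha256.Sum256(genuine)
	body, sig, err := signManifest(priv, Manifest{Product: product, Version: 42, SHA256: hex.EncodeToString(d[:])})
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	// 1. Untampered update seen by a client on v41: accepted.
	_, o.Genuine = verifyUpdate(pub, body, sig, genuine, product, 41)
	// 2. Server compromise: the binary is swapped but the signed manifest is untouched.
	trojan := []byte("constructed installer bytes v42 + backdoor")
	_, o.SwappedInstaller = verifyUpdate(pub, body, sig, trojan, product, 41)
	// 3. Attacker publishes a matching manifest for the trojan, signed with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	td := sha256.Sum256(trojan)
	tBody, tSig, _ := signManifest(attackerPriv, Manifest{Product: product, Version: 43, SHA256: hex.EncodeToString(td[:])})
	_, o.AttackerSigned = verifyUpdate(pub, tBody, tSig, trojan, product, 41)
	// 4. Replay of the genuine v42 manifest to a client already on v42.
	_, o.Replayed = verifyUpdate(pub, body, sig, genuine, product, 42)
	return o, nil
}

func main() {
	o, _ := runScenario()
	fmt.Printf("%+v\n", o) // nil = accepted, anything else = refused
}
```

The order of checks is deliberate: the signature is verified over the raw manifest bytes before they are parsed, so a malformed or attacker-controlled manifest never reaches the parser; the version check runs before the digest check so that a replayed, genuinely signed manifest is refused even though its installer hash would match. Only the swapped installer, the attacker-signed manifest and the replay are rejected; the untouched update passes.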

The already diverse toolset and the incremental refinement of the attack approach show how persistent these groups are, and they justify close monitoring of such threat actors by security teams.