December 8, 2023

A sophisticated Chinese APT actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that allows the actor to modify network traffic in transit in order to insert malicious payloads.

LuoYu primarily targets foreign diplomatic organizations established in China and members of the academic community as well as financial, defense, logistics, and telecommunications companies.


The attack campaigns have used the malware to target Japanese entities, with isolated infections reported in Austria, Germany, India, Russia, and the U.S.

PlugX and its successor ShadowPad are also present in the group's arsenal; both have been used by a variety of Chinese threat actors to pursue their strategic objectives.

WinDealer has been delivered in the past via websites that act as watering holes and in the form of trojanized applications masquerading as instant messaging and video hosting services like Tencent QQ and Youku.

WinDealer is, at its core, a modular malware platform with backdoor functionality, allowing it to hoover up sensitive information, take screenshots, and execute arbitrary commands. It uses an IP generation algorithm to select a C2 server at random from a pool of 48,000 IP addresses.

These otherwise inexplicable network behaviors can be explained by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it.

A man-on-the-side attack is similar to a man-in-the-middle attack: it allows a rogue attacker to read and inject arbitrary messages into a communications channel, but not to modify or delete messages sent by other parties.

Researchers were struck by the fact that the threat actor is able to control such a massive range of IP addresses, which points to the sophistication involved in hijacking the update mechanisms of genuine apps to deliver the WinDealer payload.


The only way for potential victims to defend themselves is to remain extremely vigilant and maintain robust security procedures, such as regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies.
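As an added example of the kind of outbound-traffic analysis recommended above (this is not code from the original post or from any vendor report), the script below scans a connection log for processes that talk directly to IP addresses that were never resolved through DNS and that spread those connections across a wide address range. A C2 address picked by a generation algorithm from a large pool, as described for WinDealer, tends to produce exactly that shape: many direct-to-IP connections, no matching DNS answers, destinations clustered in one block. The log format, the host and process names, the addresses and the port are all constructed sample data; the thresholds are assumptions to be tuned per environment.

```python
"""Flag processes that fan out to unresolved external IPs inside one address block.

Added example, not from the original post. Log layout (assumed):
    <timestamp> <DNS|CONN> <host> <process> <value>
where value is the resolved IP for DNS records and "ip:port" for CONN records.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log: one process resolves and connects normally,
# one process connects straight to four unresolved IPs in the same /23.
SAMPLE_LOG = """\
2023-12-08T09:00:01 DNS  host1 chrome.exe  93.184.216.34
2023-12-08T09:00:02 CONN host1 chrome.exe  93.184.216.34:443
2023-12-08T09:00:05 CONN host1 updater.exe 198.51.100.17:8443
2023-12-08T09:00:09 CONN host1 updater.exe 198.51.101.200:8443
2023-12-08T09:00:14 CONN host1 updater.exe 198.51.100.88:8443
2023-12-08T09:00:20 CONN host1 updater.exe 198.51.101.3:8443
2023-12-08T09:01:00 DNS  host2 outlook.exe 203.0.113.10
2023-12-08T09:01:01 CONN host2 outlook.exe 203.0.113.10:443
"""

# Internal ranges are excluded explicitly rather than via is_private/is_global,
# whose coverage of reserved blocks differs between Python versions.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Split the whitespace-separated log into record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, proc, value = line.split()
        records.append({"ts": ts, "kind": kind, "host": host, "proc": proc, "value": value})
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def covering_prefix(ips):
    """Smallest IPv4 network that contains every address in `ips`."""
    ints = [int(ipaddress.ip_address(ip)) for ip in ips]
    lo, hi = min(ints), max(ints)
    plen = 32
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    base = (lo >> (32 - plen)) << (32 - plen)
    return ipaddress.ip_network((base, plen))


def find_unresolved_fanout(log_text, min_distinct=3):
    """Return (host, process) pairs contacting >= min_distinct external IPs
    that never appeared in a DNS answer for that host.

    Simplification: DNS answers anywhere in the window count as resolution,
    regardless of ordering relative to the connection.
    """
    records = parse_log(log_text)
    resolved = defaultdict(set)
    for r in records:
        if r["kind"] == "DNS":
            resolved[r["host"]].add(ipaddress.ip_address(r["value"]))

    targets = defaultdict(set)
    for r in records:
        if r["kind"] != "CONN":
            continue
        ip = ipaddress.ip_address(r["value"].rsplit(":", 1)[0])
        if is_internal(ip) or ip in resolved[r["host"]]:
            continue
        targets[(r["host"], r["proc"])].add(ip)

    findings = []
    for (host, proc), ips in sorted(targets.items()):
        if len(ips) >= min_distinct:
            findings.append({
                "host": host,
                "process": proc,
                "distinct_ips": len(ips),
                "covering_prefix": str(covering_prefix(ips)),
            })
    return findings


if __name__ == "__main__":
    for f in find_unresolved_fanout(SAMPLE_LOG):
        print(f"{f['host']} {f['process']}: {f['distinct_ips']} unresolved IPs in {f['covering_prefix']}")
```

On the sample data only `updater.exe` on `host1` is reported, with four unresolved destinations covered by 198.51.100.0/23; the browser and mail client are ignored because their destinations match earlier DNS answers. In production the same logic would be fed from a proxy, firewall or endpoint sensor export, and the covering prefix is what lets an analyst compare a suspicious cluster against published C2 ranges once a vendor provides them.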

Indicators of Compromise

  • 27c51026b89c124a002589c24cd99a0c116afd73c4dc37f013791f757ced7b7e
  • db034aeb3c72b75d955c02458ba2991c99033ada444ebed4e2a1ed4c9326c400
  • 25cbfb26265889754ccc5598bf5f21885e50792ca0686e3ff3029b7dc4452f4d
  • 1e9fc7f32bd5522dd0222932eb9f1d8bd0a2e132c7b46cfcc622ad97831e6128
  • ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4
  • ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261
  • 318c431c56252f9421c755c281db7bd99dc1efa28c44a8d6db4708289725c318
  • 28df5c75a2f78120ff96d4a72a3c23cee97c9b46c96410cf591af38cb4aed0fa
  • 4a9b37ca2f90bfa90b0b8db8cc80fe01d154ba88e3bc25b00a7f8ff6c509a76f
  • 08530e8280a93b8a1d51c20647e6be73795ef161e3b16e22e5e23d88ead4e226
  • b9f526eea625eec1ddab25a0fc9bd847f37c9189750499c446471b7a52204d5a
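The following is an added example, not part of the original post, of putting the SHA-256 indicators above to use: a small scanner that hashes every file under a directory tree in fixed-size chunks and reports any whose digest is on the list. The hash set is copied verbatim from the indicators above; the `self_check` routine builds a throwaway directory with constructed files and a constructed extra hash so the matching path can be exercised without a real sample.

```python
"""Match files under a directory against the WinDealer SHA-256 indicators.

Added example, not from the original post. The digests in WINDEALER_SHA256
are the indicators listed in the post; everything in self_check() is constructed.
"""
import hashlib
import os
import sys
import tempfile

WINDEALER_SHA256 = frozenset({
    "27c51026b89c124a002589c24cd99a0c116afd73c4dc37f013791f757ced7b7e",
    "db034aeb3c72b75d955c02458ba2991c99033ada444ebed4e2a1ed4c9326c400",
    "25cbfb26265889754ccc5598bf5f21885e50792ca0686e3ff3029b7dc4452f4d",
    "1e9fc7f32bd5522dd0222932eb9f1d8bd0a2e132c7b46cfcc622ad97831e6128",
    "ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4",
    "ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261",
    "318c431c56252f9421c755c281db7bd99dc1efa28c44a8d6db4708289725c318",
    "28df5c75a2f78120ff96d4a72a3c23cee97c9b46c96410cf591af38cb4aed0fa",
    "4a9b37ca2f90bfa90b0b8db8cc80fe01d154ba88e3bc25b00a7f8ff6c509a76f",
    "08530e8280a93b8a1d51c20647e6be73795ef161e3b16e22e5e23d88ead4e226",
    "b9f526eea625eec1ddab25a0fc9bd847f37c9189750499c446471b7a52204d5a",
})


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=WINDEALER_SHA256):
    """Walk `root` and return sorted (path, digest) pairs whose digest is in `iocs`.

    Unreadable files (permissions, races with deletion) are skipped rather
    than aborting the scan.
    """
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest))
    return sorted(matches)


def self_check():
    """Exercise scan_tree on constructed files with a constructed extra indicator.

    Returns the base names of matched files; expected to be ["sample.bin"].
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        benign = os.path.join(tmp, "notes.txt")
        with open(sample, "wb") as f:
            f.write(b"constructed sample content")
        with open(benign, "wb") as f:
            f.write(b"nothing to see here")
        # Constructed indicator: the digest of the file we just wrote.
        iocs = WINDEALER_SHA256 | {sha256_of_file(sample)}
        return [os.path.basename(p) for p, _ in scan_tree(tmp, iocs)]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root):
        print(f"MATCH {digest} {path}")
```

Run it as `python scan.py /path/to/tree` to sweep a directory against the published hashes. Hash matching only catches the exact samples listed, so treat it as one signal alongside the outbound-traffic review the post recommends.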
