"Chinese Hackers Infiltrate South American Diplomatic Networks"

The Chinese state-sponsored threat actor DEV-0147 has recently been observed targeting diplomatic entities in South America with the ShadowPad remote access Trojan (RAT), also known as PoisonPlug. Microsoft stated that the threat actor's new campaign represents a notable expansion of the group's data exfiltration operations, which previously targeted government agencies and think tanks in Asia and Europe.

From a technical standpoint, Microsoft noted that it observed DEV-0147 deploy ShadowPad, a RAT associated with other China-based actors, to achieve persistence, and QuasarLoader, a webpack loader, to download and execute additional malware. The company stated that "DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement and the use of Cobalt Strike for command and control and data exfiltration." Microsoft noted that Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint, and it is urging organizations to enforce multi-factor authentication (MFA).

DEV-0147 is not the only China-based threat actor leveraging ShadowPad recently. A June 2022 advisory by Kaspersky described Chinese threat actors using the malware to target unpatched Microsoft Exchange servers in several Asian countries. According to security researchers at Secureworks, ShadowPad evolved from the PlugX malware.


Infosecurity reports: "Chinese Hackers Infiltrate South American Diplomatic Networks"
