A Chinese state-sponsored threat actor connected to the Operation Soft Cell campaign has been observed by security researchers at SentinelOne targeting telecommunications providers in the Middle East. SentinelOne has dubbed the campaign Operation Tainted Love and states that it has been active since early 2023. The campaign exhibits a well-maintained credential theft capability and a new dropper mechanism used by the threat group.
The attackers gain initial access by compromising internet-facing Microsoft Exchange servers, on which they deploy web shells for command execution. From that foothold they carry out reconnaissance, credential theft, lateral movement, and data exfiltration. The campaign is centered on custom credential theft malware, a sample of which SentinelOne obtained and analyzed. Despite the links to Operation Soft Cell, the activity has not been attributed to a specific known threat actor.
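Because the chain described above starts with web shells on Exchange front ends, a first triage step defenders can run is to look for requests to .aspx resources that a stock Exchange install does not serve. The script below is an added example, not code from SentinelOne's report or from OODA; the IIS log lines, the client addresses, the file names and the allowlist of known endpoints are all constructed for illustration and are not indicators from the campaign. A real deployment would derive the allowlist from a known-good Exchange install and feed it the server's actual W3C logs.

```python
"""Triage IIS W3C logs for requests to unexpected .aspx resources on an
Exchange front end, a simple first-pass check for dropped web shells.
Added example; the log lines and the allowlist below are constructed for
illustration and are not indicators from SentinelOne's report."""

from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of IIS W3C log lines (fields as in a default
# Exchange front-end site). The path under /owa/auth/Current/... and the
# client 198.51.100.9 are invented for the example.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-02-14 08:01:12 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-02-14 08:01:13 10.0.0.5 GET /owa/ - 443 corp\\jdoe 203.0.113.7 Mozilla/5.0 200
2023-02-14 08:02:40 10.0.0.5 POST /ecp/auth/TimeoutLogout.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-02-14 08:05:03 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx cmd=whoami 443 - 198.51.100.9 python-requests/2.28 200
2023-02-14 08:05:09 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx cmd=net+group 443 - 198.51.100.9 python-requests/2.28 200
2023-02-14 08:07:55 10.0.0.5 GET /aspnet_client/system_web/error.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
"""

# Illustrative allowlist of .aspx endpoints a stock Exchange front end serves
# (assumption for the example). Derive the real list from a known-good install.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/auth/timeoutlogout.aspx",
    "/ecp/default.aspx",
}


def parse_iis(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_suspicious_aspx(text, known=KNOWN_ASPX):
    """Return {uri: {"hits": n, "posts": n, "clients": set}} for every .aspx
    path not on the allowlist. Paths are percent-decoded and lower-cased so
    /OWA/AUTH/Logon.aspx and /owa/auth/logon.aspx compare equal; POST counts
    are tracked separately because web shells are usually driven by POST."""
    hits = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set()})
    for rec in parse_iis(text):
        uri = unquote(rec["cs-uri-stem"]).lower()
        if not uri.endswith(".aspx") or uri in known:
            continue
        entry = hits[uri]
        entry["hits"] += 1
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1
        entry["clients"].add(rec["c-ip"])
    return dict(hits)


if __name__ == "__main__":
    for uri, info in sorted(find_suspicious_aspx(SAMPLE_LOG).items()):
        print(f"{uri}: {info['hits']} hits, {info['posts']} POST, "
              f"clients={sorted(info['clients'])}")
```

On the constructed sample this flags the two POSTs to the invented help.aspx path (both from one client) and a single GET to an .aspx file under /aspnet_client/. Hits on an unknown .aspx path are only a starting point: confirm by checking the file's creation time against the Exchange install, and review the request body or query string, which in the sample carries command-like parameters.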
Read More: China-Aligned “Operation Tainted Love” Targets Middle East Telecom Providers