Symantec discovered a new China-linked APT campaign targeting the power grid in Asia over the past 6 months. The campaign overlaps with activity previously attributed to APT 41, also known as Redfly, Winnti, Wicked Panda, or Blackfly.

The threat actor used the ShadowPad remote access trojan (RAT) with websencl[.]com as its C2 server. The RAT disguises itself as VMware files and directories, and eventually achieves persistence by designating itself as a service launched when Windows boots up. The campaign also deployed PackerLoader, a keylogger and shellcode execution tool, on various machines. Symantec intelligence analysts stated that the campaign is likely an espionage effort to achieve persistence in Asian critical infrastructure. China-linked threat actors can act on this disruptive capability during times of increased political tension.

Read More: