
Seqrite Labs APT-Team has uncovered a targeted campaign against China Mobile Tietong Co., Ltd., a prominent subsidiary of China Mobile, using a combination of DLL sideloading, anti-sandbox techniques, and malware implants like VELETRIX and VShell. Dubbed Operation DRAGONCLONE, this campaign demonstrates significant overlaps with the activities of UNC5174 (a.k.a. Uteus) and Earth Lamia—two China-aligned threat actor clusters.
The attack begins with a ZIP file named 附件.zip (“attachment.zip”) containing a decoy executable disguised as an internal training program. The executable sideloads a DLL named drstat.dll, a library name borrowed from Wondershare Repairit, and that sideloaded DLL is what launches the implant.
“We can confirm that the threat actor used DLL-Sideloading against the target to launch the implant, which we have decided to term as VELETRIX,” Seqrite Labs states.

VELETRIX, a custom 64-bit loader, employs several evasion techniques:
- Anti-sandbox delay: calls the Sleep and Beep APIs inside a loop to stall execution and outlast the time limits of automated analysis.
- IPfuscation: stores the shellcode as a list of IPv4 dotted-quad strings and rebuilds it at run time with RtlIpv4StringToAddressA, each string yielding four payload bytes.
- Callback execution: passes the shellcode address as the callback parameter of EnumCalendarInfoA, so the Windows API itself transfers control to the payload instead of the loader calling it directly.
“EnumCalendarInfoA expects a callback function pointer as a parameter—the malware passes its shellcode address… causing Windows to unknowingly execute the malicious code,” the report explains.
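Undoing the IPfuscation step statically is straightforward, because RtlIpv4StringToAddressA is only a dotted-quad parser: "72.49.192.195" becomes the bytes 0x48 0x31 0xC0 0xC3 in network byte order. The Python below is an added example, not code from Seqrite's report or from the VELETRIX sample. It mirrors that decode step and goes a little beyond the article by adding the heuristic an analyst uses to find the table in the first place: scanning a binary's NUL-terminated strings for unusually long runs of adjacent IPv4 literals. The sample blob, the inert x86-64 stub it encodes, the run-length threshold and all function names are this example's own constructions.

```python
"""Static recovery of IPfuscated shellcode (added example, not Seqrite's or
the malware author's code).

VELETRIX stores its payload as IPv4 dotted-quad strings and rebuilds it at run
time with RtlIpv4StringToAddressA, which turns "72.49.192.195" into the four
bytes 0x48 0x31 0xC0 0xC3 in network byte order. Doing the same transform in
Python over the strings found in a binary recovers the shellcode without
executing anything. The run-detection heuristic and the sample blob are this
example's own assumptions; the blob is constructed, not campaign data.
"""
import re
from typing import List

# Dotted quad of 1-3 digit groups; octet range is checked separately.
IPV4_RE = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed 43-byte x86-64 stub (clear rax..rdx, rsi, rdi, r8..r15; ret),
# chosen because it is inert and its length is not a multiple of four.
SAMPLE_STUB = bytes.fromhex(
    "4831c0" "4831db" "4831c9" "4831d2" "4831f6" "4831ff"
    "4d31c0" "4d31c9" "4d31d2" "4d31db" "4d31e4" "4d31ed" "4d31f6" "4d31ff"
    "c3"
)


def ipv4_to_bytes(text: str) -> bytes:
    """Mirror RtlIpv4StringToAddressA in strict mode: exactly four decimal
    octets, each 0..255, returned in network (big-endian) byte order."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return bytes(octets)


def bytes_to_ipv4_list(payload: bytes, pad: int = 0x90) -> List[str]:
    """Inverse transform, used here only to build the sample: pad the payload
    to a multiple of four (NOP by default) and render each 4-byte group."""
    padded = payload + bytes([pad]) * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4])
            for i in range(0, len(padded), 4)]


def extract_ip_runs(blob: bytes, min_run: int = 8) -> List[List[str]]:
    """Return runs of at least min_run consecutive NUL-terminated IPv4 strings.
    A lone "127.0.0.1" in a binary is normal; a table of dozens of adjacent
    dotted quads with nothing else between them is the IPfuscation tell."""
    runs: List[List[str]] = []
    current: List[str] = []
    for raw in blob.split(b"\x00"):
        if IPV4_RE.fullmatch(raw):
            text = raw.decode("ascii")
            try:
                ipv4_to_bytes(text)
                current.append(text)
                continue
            except ValueError:
                pass  # e.g. "300.1.1.1": shaped like an IP but not one
        if len(current) >= min_run:
            runs.append(current)
        current = []
    if len(current) >= min_run:
        runs.append(current)
    return runs


def deobfuscate(run: List[str]) -> bytes:
    """Concatenate the decoded octets of a run, exactly as the loader does."""
    return b"".join(ipv4_to_bytes(ip) for ip in run)


def recover_shellcode(blob: bytes, min_run: int = 8) -> List[bytes]:
    """Find every IP table in blob and decode each one to a byte string."""
    return [deobfuscate(run) for run in extract_ip_runs(blob, min_run)]


def build_sample_blob() -> bytes:
    """Constructed stand-in for a loader's string section: import names, one
    stray legitimate IP, the IPfuscated table, more import names."""
    table = b"".join(ip.encode() + b"\x00" for ip in bytes_to_ipv4_list(SAMPLE_STUB))
    return (b"kernel32.dll\x00Sleep\x00Beep\x00"
            b"127.0.0.1\x00ntdll.dll\x00"
            + table
            + b"RtlIpv4StringToAddressA\x00EnumCalendarInfoA\x00")


if __name__ == "__main__":
    for shellcode in recover_shellcode(build_sample_blob()):
        print(f"recovered {len(shellcode)} bytes: {shellcode.hex()}")
```

On a real sample the blob would be the loader's data section (or the output of `strings -n 7` on it) rather than the constructed buffer; any trailing NOP or zero bytes in the recovered blob are encoder padding and can be trimmed before disassembly. The run threshold is deliberately a parameter: a handful of adjacent IPv4 literals is ordinary in networking code, while a payload of a few kilobytes produces hundreds in a row.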
Loaded by VELETRIX, VShell is a modular implant originally published as part of an open-source adversary simulation project. Written in Go, it communicates with its C2 server over TCP using the WinSock APIs connect, send and recv.
During threat hunting, Seqrite found the same encryption salt (qwe123qwe) across 44 implants, pointing to a broad campaign with many variants: Windows EXEs and DLLs, both signed and unsigned, as well as Linux ELF binaries.
“We found a total number of 44 implants, using the exact similar salt… multiple EXEs, ELF, DLLs both signed and unsigned,” the report notes.
Operation DRAGONCLONE’s infrastructure is closely aligned with past UNC5174 and Earth Lamia campaigns:
- Reuse of VShell, SuperShell, Cobalt Strike
- Use of the Asset Lighthouse System (an open-source reconnaissance platform)
- Exploitation of CVE-2024-1709 (ScreenConnect) and CVE-2025-31324 (SAP NetWeaver)
- Command-and-control servers that also hosted Cobalt Strike and web shells, some of them serving pages that mimic the Asset Lighthouse web interface on ports such as 5003 rather than standard HTTP ports.
“We also saw that the command-and-control server has also been hosting Cobalt Strike to be used against the targets…”
The combination of malware implants, TTPs (tactics, techniques, and procedures), and infrastructure reuse has led Seqrite to attribute this campaign with high confidence to China-aligned threat entities.
Operation DRAGONCLONE showcases the continued innovation and persistence of Chinese threat groups in targeting strategic industries. Through the use of VELETRIX’s obfuscated loader, VShell’s extensible payload, and recon platforms like Asset Lighthouse, the attackers are maintaining stealth and adaptability across a wide range of targets.