
A recent report from Qi’anxin Threat Intelligence Center exposes an advanced cyber-espionage campaign dubbed Operation Sea Elephant, which has been targeting research institutions, universities, and governmental organizations in South Asia. The operation, allegedly conducted by the CNC group, employs a sophisticated suite of custom plug-ins and malware to conduct surveillance, data exfiltration, and lateral movement across networks.
“The CNC group mainly delivers spear emails to target researchers or units to gain initial access, and then controls the IM software (WeChat, QQ) of the target personnel and sends bait programs for the Win platform to colleagues, teachers and students to make lateral movements,” the report states.
The attack campaign starts with highly targeted phishing emails containing malicious attachments that exploit trusted relationships within academic and research communities. Once the target is compromised, the malware spreads laterally by leveraging compromised WeChat and QQ accounts to distribute trojanized bait programs.
Qi’anxin’s analysis identified multiple custom plug-ins used by the CNC group, each designed for specific attack objectives.
- Remote Command Execution (RCE) Backdoor – The CNC group deploys two variations of RCE plug-ins, including malware disguised as windowassistance.exe, HuaweiHiSuiteService64.exe, and mscleanup64.exe, which execute arbitrary CMD commands remotely.
- GitHub API-Based Trojan – The malware, named windowsfilters.exe, leverages GitHub’s API to receive commands and manage infected machines.
- Keylogger – The CNC group deploys a keylogger under the guise of sogou_pinyinupdater.exe, which stores keystroke logs in plaintext.
- USB Worm – A self-propagating plug-in, YoudaoGui.exe, spreads through USB drives, exfiltrating .doc and .ppt files to a remote C2 server.
- File Theft Modules – The attack incorporates steganographic methods to steal and exfiltrate documents, using malware such as tericerit.exe and filecoauthx86.exe to target sensitive research data.
One of the most sophisticated aspects of Operation Sea Elephant is its reliance on GitHub and cloud services to evade detection. The attackers store malicious payloads in repositories and use API requests to fetch commands dynamically. For instance, the windowsfilters.exe trojan requests files like Ameroyt2dstg.txt and Filgwru5va.txt via the GitHub API, which contain base64-encoded victim lists and attack commands.
This approach allows the CNC group to operate without maintaining dedicated C2 infrastructure; because the command traffic goes to a legitimate and widely used service, traditional network-based detection that relies on blocking known-malicious domains or IP addresses is ineffective.
According to Qi’anxin, the campaign aligns with a broader effort by a South Asian nation to establish a strategic foothold in the Indian Ocean. The stolen documents suggest a focus on marine research, ocean carbon sequestration, and aerospace engineering.