South Asian Cyber Threat Persists: APT-Q-36 Upgrades Spyder Loader, Targets Remcos Delivery

Spyder Loader

Researchers at the Qi’anxin Threat Intelligence Center have recently identified new activity by the APT-Q-36 group, also known as Maha Grass, Patchwork, Hangover, and Dropping Elephant. This South Asian group has been engaged in cyber espionage since 2009, primarily targeting government and military institutions, as well as organizations in the energy, industrial, scientific, educational, political, and economic sectors across Asia.

Recently, the group used the Spyder Loader to deliver the Remcos Remote Access Trojan (RAT), a tool typically employed for cyber espionage and the theft of sensitive information. Spyder Loader, which has been updated several times in recent months, can download and execute files fetched from a Command and Control (C2) server. Notably, the researchers observed that the loader now stores its strings in encrypted form to evade static detection by antivirus programs, and that the format of the data it exchanges with its C2 servers has changed.

The group’s likely targets in this campaign included Pakistan, Bangladesh, and Afghanistan, and the tooling changes indicate a high level of determination and strategic planning in its efforts to evade detection and carry out intelligence-gathering operations.

Qi’anxin urges users to remain vigilant, avoid suspicious links on social media and email attachments of unknown origin, refrain from running unknown files, and avoid installing software from unreliable sources. Cybersecurity remains a critical area of focus as groups like this continue to evolve their attack methods and evasion techniques.

Furthermore, the cybersecurity report for the third quarter of 2023, recently published by HP Wolf Security, highlights a significant increase in campaigns delivering RATs. Experts have noted a rise in RAT usage, with the malware often concealed in seemingly legitimate Excel and PowerPoint files attached to emails.

In addition, a major phishing campaign was detected in September, targeting over 40 large companies across various sectors in Colombia. The attackers aimed to covertly install the Remcos RAT on the computers of employees, facilitating further compromise and valuable data acquisition.

Additionally, in 2022, Symantec reported a series of attacks attributed to the APT41 group (Winnti) that breached government institutions in Hong Kong and, in some instances, went undetected for a year. During these attacks, the intruders employed the Spyder Loader, a signature tool previously used in other attacks.