
A new report from Unit 42 has linked the Stately Taurus threat actor to Bookworm malware, revealing a long-standing cyber espionage campaign targeting ASEAN organizations. This connection marks a major milestone in understanding the operational tactics of this Chinese-linked APT group.
Researchers at Unit 42 have identified key overlaps between Stately Taurus infrastructure and Bookworm malware variants. “Before discovering these overlaps with known Stately Taurus infrastructure, we hadn’t associated any threat actor with Bookworm, which we first published about in 2015,” the researchers wrote. This finding confirms that Stately Taurus has been leveraging Bookworm malware for nearly a decade, with new campaigns observed in Myanmar and other ASEAN nations.
Stately Taurus employs DLL sideloading techniques to execute malicious payloads. “The Stately Taurus activity impacting Myanmar used a legitimate executable signed by an automation organization to load a malicious payload with a filename of BrMod104.dll.”
Additionally, Stately Taurus has been observed using malicious HTTP requests that mimic legitimate Windows update URLs, further camouflaging its operations. The PubLoad malware communicates with its C2 server by issuing HTTP requests that appear to be legitimate Windows update traffic.
The newly discovered Bookworm samples exhibit advanced capabilities, including:
- Shellcode loading via UUID obfuscation
- Heap-based execution to evade detection
- Modular payload deployment
These tactics align with previously known Stately Taurus operations, reinforcing their attribution to ASEAN-focused cyber espionage. Unit 42’s research highlights that Stately Taurus remains highly active, with persistent targeting of ASEAN organizations.
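The UUID obfuscation and heap-based loading listed above leave a recognisable footprint on disk: a payload stored as UUID text is a long, contiguous run of 36-character strings that the loader converts back into memory one 16-byte chunk at a time. The following triage script is an added example (not from the Unit 42 report or the Bookworm samples) that flags such runs in a file and rebuilds the decoded bytes for hashing or further analysis; it assumes the common layout in which each UUID string is converted with UuidFromStringA, and the scanned input is a constructed stand-in, not a real sample.

```python
import re
import uuid
from typing import List, Tuple

# A payload stored as UUID text is a dense run of 36-character strings; each
# one yields 16 bytes when the loader calls UuidFromStringA, so even a small
# payload leaves dozens of back-to-back UUIDs. Ordinary binaries carry a few
# scattered GUIDs (COM class ids, type libraries), not long contiguous runs.
UUID_RE = re.compile(
    rb"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def find_uuid_runs(data: bytes, min_run: int = 8, max_gap: int = 4) -> List[Tuple[int, int, int]]:
    """Return (start, end, count) for each run of >= min_run UUID strings whose
    neighbours are at most max_gap bytes apart (NULs, quotes or commas from
    however the strings were embedded). Isolated GUIDs never qualify."""
    runs, current = [], []
    for m in UUID_RE.finditer(data):
        if current and m.start() - current[-1].end() > max_gap:
            if len(current) >= min_run:
                runs.append((current[0].start(), current[-1].end(), len(current)))
            current = []
        current.append(m)
    if len(current) >= min_run:
        runs.append((current[0].start(), current[-1].end(), len(current)))
    return runs


def decode_uuid_run(data: bytes, run: Tuple[int, int, int]) -> bytes:
    """Rebuild the buffer the loader would end up with, for hashing or further
    analysis. UuidFromStringA fills a UUID struct whose Data1/Data2/Data3 are
    little-endian and Data4 is verbatim, which is exactly uuid.UUID.bytes_le."""
    start, end, _ = run
    return b"".join(uuid.UUID(m.group().decode()).bytes_le
                    for m in UUID_RE.finditer(data[start:end]))


# Constructed stand-in for a scanned file: a harmless byte sequence (not
# shellcode) written out in the UUID layout, surrounded by ordinary strings
# and one lone GUID that must not trigger.
PAYLOAD = bytes(range(192))
SAMPLE = (
    b"MZ\x90\x00constructed test data, not a real binary\x00"
    b"kernel32.dll\x00LoadLibraryA\x00"
    + b"\x00".join(str(uuid.UUID(bytes_le=PAYLOAD[i:i + 16])).encode()
                   for i in range(0, len(PAYLOAD), 16))
    + b"\x00CLSID 3f2504e0-4f89-11d3-9a0c-0305e82c3301\x00"
)

if __name__ == "__main__":
    for start, end, count in find_uuid_runs(SAMPLE):
        blob = decode_uuid_run(SAMPLE, (start, end, count))
        print(f"offset {start:#x}: {count} consecutive UUIDs -> {len(blob)} bytes")
```

Tune min_run and max_gap to the file type being scanned; a handful of GUIDs in a resource section is normal, a run of dozens is worth a closer look.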
“We believe that it is likely that Stately Taurus will continue developing Bookworm and will continue to use it for the foreseeable future,” the report concludes.