The China-based Bronze President hacking group has shifted its focus to Russia, likely gathering intelligence on Russian state officials and military personnel close to the city of Blagoveshchensk, Secureworks Counter Threat Unit discovered.
Despite not officially condemning the war in Ukraine, China has been on alert, actively exploiting its cyber capabilities to stay on top of the developing situation in the country. This includes collecting information on Russia.
The researchers discovered a malicious executable file masked as a PDF and titled after a Border Guard Detachment in the Russian city of Blagoveshchensk, located close to the Chinese border.
“This connection suggests that the filename was chosen to target officials or military personnel familiar with the region,” the report says.
The file downloads four documents, three of which are malicious and typical of the Bronze President hacking group. One of the documents is likely the PlugX malware, which, once installed, “provides access to the compromised host to extract sensitive system information, upload and download files, and execute a remote command shell.”
The staging server hosts a domain that has previously been used by the same group to target European diplomatic entities.
The discovery suggests that Bronze President is shifting its focus from Southeast Asia (where it has been extensively targeting countries like Hong Kong, Myanmar, and Vietnam) to a broader range of Russian and European companies and officials.
The researchers add that the shift likely reflects updated tasks established by the Chinese government.
“To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 2. Note that IP addresses can be reallocated. The domains, IP addresses, and URLs may contain malicious content, so consider the risks before opening them in a browser,” the report suggests.
More from Cybernews:
Subscribe to our newsletter