Security researchers at Symantec released an advisory claiming that the Spyder Loader malware has been observed targeting government organizations in Hong Kong. The security researchers believe that the attacks are likely part of a larger campaign called Operation CuckooBees, which was first discussed publicly in March 2021. Cybereason has also discussed the campaign, and has stated that the threat actors have been active since at least 2019. Symantec has revealed that the victims were recently observed remaining on some networks belonging to Hong Kong government organizations for more than a year.
The cybersecurity experts have also identified other malware samples being used during the attacks on Hong Kong victims as part of the operation. This includes a modified SQLite dynamic-link library, the Mimikatz exploit, and a Trojanized ZLib DLL. The campaign has been active for several years and includes different variants of the Spyder Loader malware. The group has the capability to conduct stealthy operations on victim networks and remain on the networks for long periods of time. This suggests that the actors behind this activity are persistent adversaries with technical abilities and sophisticated tactics.