2024-06-18

A prolonged attack against an unnamed organization in East Asia has been attributed to a suspected China-nexus cyber espionage actor.

The attack ran over a period of three years, and the threat actor was able to sustain the operation by using legacy F5 BIG-IP appliances as command and control (C&C) infrastructure, a choice that helped it evade defenses. The cybersecurity company Sygnia originally responded to the intrusion in late 2023 and tracks the activity under the moniker Velvet Ant. According to the company, Velvet Ant is extremely adept at countering remediation efforts: “Velvet Ant is a sophisticated and innovative threat actor”. The threat actor used the backdoor PlugX (aka Korplug), a modular remote access trojan (RAT) frequently used in espionage operations. PlugX is also known to rely heavily on DLL side-loading (in which a legitimate, signed executable is made to load a malicious DLL placed alongside it) to infiltrate devices.
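As an added example (not from the article and not Sygnia's tooling), the following Python script shows one defensive hunt heuristic for the DLL side-loading technique named above: it flags DLL files that carry the name of a well-known Windows system DLL but sit outside the trusted system directories next to an executable, which is the classic side-loading layout. The watch-list of DLL names and the file listing are constructed sample data and assumptions for illustration.

```python
"""Heuristic hunt for DLL side-loading candidates.

Added example, not code from the original article or from Sygnia. It flags
DLL files that carry the name of a well-known Windows system DLL but live
outside the trusted system directories, with an .exe beside them: the layout
in which a legitimate signed EXE is tricked into loading a look-alike DLL.
The file listing at the bottom is constructed sample data, not real IoCs.
"""
from pathlib import PureWindowsPath

# DLL names commonly abused for side-loading (assumption: illustrative list,
# not exhaustive; a real hunt would use a curated, larger watch-list).
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "msimg32.dll",
}

# Directories where these DLLs legitimately live (compared case-insensitively).
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)


def is_trusted_location(path: str) -> bool:
    """True if the path lies under one of the trusted Windows directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_sideload_candidates(file_paths):
    """Return sorted (dll_path, [sibling_exe_paths]) for suspicious DLLs.

    A DLL is suspicious when its name is on the watch-list, it is outside a
    trusted directory, and at least one .exe sits in the same directory (the
    loader that would pick up the side-loaded DLL).
    """
    by_dir = {}
    for fp in file_paths:
        p = PureWindowsPath(fp)
        by_dir.setdefault(str(p.parent).lower(), []).append(p)

    findings = []
    for entries in by_dir.values():
        exes = sorted(str(p) for p in entries if p.suffix.lower() == ".exe")
        for p in entries:
            if (p.name.lower() in COMMON_SIDELOAD_NAMES
                    and not is_trusted_location(str(p))
                    and exes):
                findings.append((str(p), exes))
    return sorted(findings)


# Constructed sample file listing (hypothetical paths, not real indicators).
SAMPLE_LISTING = [
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\dwmapi.dll",
    r"C:\Users\Public\Updater\updater.exe",
    r"C:\Users\Public\Updater\version.dll",
    r"C:\Users\Public\Updater\payload.dat",
    r"C:\Program Files\Vendor\tool.exe",
    r"C:\Program Files\Vendor\vendor_helper.dll",
    r"C:\ProgramData\cache\dwmapi.dll",
]

if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(SAMPLE_LISTING):
        print(f"[suspect] {dll}  loader candidates: {', '.join(exes)}")
```

On the sample listing only the `version.dll` beside `updater.exe` is reported; the copies under `System32` are trusted, and the stray `dwmapi.dll` in `ProgramData\cache` has no executable next to it to load it. In practice the heuristic is a triage filter: each hit still needs the DLL's signature, hash and the sibling executable's import table checked before it is treated as malicious.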

