• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 

SAP fixed 26 flaws in August 2025 Update, including 4 Critical

 | 

August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

 | 

Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

 | 

Chrome sandbox escape nets security researcher $250,000 reward

 | 

Smart Buses flaws expose vehicles to tracking, control, and spying

 | 

MedusaLocker ransomware group is looking for pentesters

 | 

Google confirms Salesforce CRM breach, faces extortion threat

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 57

 | 

Security Affairs newsletter Round 536 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Embargo Ransomware nets $34.2M in crypto since April 2024

 | 

Germany limits police spyware use to serious crimes

 | 

Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom

 | 

French firm Bouygues Telecom suffered a data breach impacting 6.4M customers

 | 

Columbia University data breach impacted 868,969 people

 | 

SonicWall dismisses zero-day fears after Ransomware probe

 | 

Air France and KLM disclosed data breaches following the hack of a third-party platform

 | 

CISA, Microsoft warn of critical Exchange hybrid flaw CVE-2025-53786

 | 

Microsoft unveils Project Ire: AI that autonomously detects malware

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Malware
  • China-Linked BRONZE PRESIDENT APT targets Government officials worldwide

China-Linked BRONZE PRESIDENT APT targets Government officials worldwide

Pierluigi Paganini September 10, 2022

China-linked BRONZE PRESIDENT group is targeting government officials in Europe, the Middle East, and South America with PlugX malware.

Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government officials in Europe, the Middle East, and South America with the PlugX malware.

Attacks part of this campaign were spotted in June and July 2022.

PlugX is modular malware has backdoor capabilities that could be extended by downloading additional plugins.

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.” reads the analysis published by Secureworks.

The Bronze President group is targeting political and law enforcement organizations and NGOs in Asia.

The China-based group has been active at least since 2014, it focused on political and law enforcement organizations and NGOs in Asia. The APT group leverages both custom remote access tools and publicly available remote access and post-compromise to compromise target networks.

In the recent campaign, the malware is included in RAR archive files. Once opened the archive, it will displays a Windows shortcut (LNK) file that masquerades as a document. Upon clicking the Windows shortcut file, the malware will be executed. 

The archive also includes a hidden folder that contains the malware, embedded eight levels deep in a sequence of hidden folders named with special characters. The attackers used this trick in an attempt of bypassing mail-scanning products.

BRONZE PRESIDENT

The shortcut executes a renamed legitimate file contained in the eighth hidden folder. The attackers also drop a malicious DLL and an encrypted payload file, noticing that the legitimate binary files are vulnerable to DLL search order hijacking.

“When executed, they import the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname “desktop-n2v1smh” or “desktop-cb248vr”.” continues the report.

“Once running, the payload drops a decoy document to the logged-on user’s %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern “<Application><3 characters>” (e.g., Operavng)”

The researchers recommend organizations in geographic regions of interest to China to monitor the activity of this APT group, they also shared indicators of compromise for this campaign.

“BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group’s activities, especially organizations associated with or operating as government agencies.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BRONZE PRESIDENT)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Bronze President China Cyberespionage Hacking hacking news information security news IT Information Security malware Pierluigi Paganini PlugX malware Security Affairs Security News

you might also like

Pierluigi Paganini August 13, 2025
Charon Ransomware targets Middle East with APT attack methods
Read more
Pierluigi Paganini August 13, 2025
Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Charon Ransomware targets Middle East with APT attack methods

    Malware / August 13, 2025

    Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

    Data Breach / August 13, 2025

    SAP fixed 26 flaws in August 2025 Update, including 4 Critical

    Uncategorized / August 13, 2025

    August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

    Hacking / August 12, 2025

    Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

    Hacking / August 12, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT