• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Intelligence
  • Malware
  • Security
  • China-linked APT41 group targets Hong Kong with Spyder Loader

China-linked APT41 group targets Hong Kong with Spyder Loader

Pierluigi Paganini October 18, 2022

China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year.

Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage group that has been active since at least 2007.

The Operation CuckooBees had been operating under the radar since at least 2019, threat actors conducted multiple attacks to steal intellectual property and other sensitive data from victims.

The attacks detailed by Cybereason targeted technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

Symantec pointed out that the attacks against government organizations in Hong Kong remained undetected for a year in some cases.

Symantec observed the attackers deploying a custom malware called Spyder Loader on the target networks

“We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.” reads the analysis published by Symantec.

Spyder Loader is a sophisticated modular backdoor that according to the experts is under continuous evolution. The sample analyzed by Symantec is compiled as a 64-bit PE DLL, it is a modified copy of sqlite3.dll, which includes the malicious export sqlite3_prepare_v4.

Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content.

Like the sample analyzed by Cyberreason, the Spyder Loader sample analyzed by Symantec uses the CryptoPP C++ library. The variant used in recent attacks against Hong Kong relies on ChaCha20 algorithm encryption for string obfuscation. To prevent analysis, the malware also cleans up created artifacts, overwriting the content of the dropped wlbsctrl.dll file before deleting it.

Another similarity between the recent campaign and the Spyder Loader activity described by Cybereason is the use of the rundll32.exe for the execution of the malware loader.

Once gained access to the target network, threat actors used Mimikatz to harvest credentials and used it for lateral movement.

“We also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.” continues the report.

Although Symantec researchers were not able to retrieve the final payload, they believe that the recent attacks are part of a long-running intelligence-gathering campaign conducted by APT41.

Symantec also shared Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT41 Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News Spyder Loader

you might also like

Pierluigi Paganini July 13, 2025
Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION
Read more
Pierluigi Paganini July 12, 2025
McDonald’s job app exposes data of 64 Million applicants
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 13, 2025

    McDonald’s job app exposes data of 64 Million applicants

    Hacking / July 12, 2025

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Cyber Crime / July 11, 2025

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT