• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber warfare
  • Hacking
  • Intelligence
  • Malware
  • China-based TEMP.Periscope APT targets Cambodia’s elections

China-based TEMP.Periscope APT targets Cambodia’s elections

Pierluigi Paganini July 12, 2018

FireEye uncovered a large-scale Chinese phishing and hacking campaign powered by Temp.periscope APT aimed at Cambodia’s elections.

Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections.

The hackers distributed a remote access trojan (RAT) and data exfiltration operation targeting the poll.

The experts from FireEye attributed the attacks to an APT group tracked as TEMP.Periscope that targeted in past operations American engineering and maritime operations.

FireEye found evidence of infection on systems used by election-related entities in Cambodia, including the National Election Commission, human rights advocates, an MP for the Cambodia National Rescue Party, two Cambodian diplomats in overseas posts, and some media outlets.

“FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia’s politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures.” reads the analysis published by FireEye.

“This campaign occurs in the run up to the country’s July 29, 2018, general elections.”

TEMP.Periscope used the same infrastructure of other campaigns against other targets, including the defense industrial base in the United States and a chemical company based in Europe.

Analyzing this campaign, FireEye found files on three open indexes operated by the attackers, in this way the company gathered information about group’s TTPs and its targets. The activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia’s government and elections.

Two servers (chemscalere[.]com and scsnewstoday[.]com) is used to operate a typical Command and Control infrastructure and hosting sites, while a third one, mlcdailynews[.]com, works as an active SCANBOX server.

SCANBOX is another APT that FireEye has monitored in various campaigns since 2015, the presence of a SCANBOX server suggested TEMP.Periscope was also planning to target individuals with an interest in US-East Asia politics, Russia, and NATO affairs in forthcoming campaigns.

The servers contain both malware and logs, the analysis of the latter revealed:

  • Analysis of logs from the three servers revealed:
    • Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and interact with malware deployed at victim organizations.
    • Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.
  • The malware present on the servers included both new families (DADBOD, EVILTECH) and previously identified malware families (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX) .

Cambodia TEMP.Periscope

The servers were administered by operators based in Hainan (one of the IP addresses, 112.66.188[.]28, is located in Hainan, China), and experts found two new malware families hosted on them, DADBOD and EVILTECH, and other malware families detected in the past (AIRBREAK, EVILTECH, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX)”.

The most active tolls of this campaign were the AIRBREAK backdoor, the HOMEFRY password cracker and dumper; the LUNCHMONEY uploader and a command line reconnaissance tool called MURKYTOP.

FireEye says it had seen these in previous campaigns, and it also spotted two new tools in the Cambodian operation. There’s a backdoor called EVILTECH, a Javascript-based RAT, and the DADBOD credential stealer.

Malware Function Details
EVILTECH Backdoor
  • EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript.
  • During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or connection to another attacker-controlled system.
DADBOD Credential Theft
  • DADBOD is a tool used to steal user cookies.
  • Analysis of this malware is still ongoing.

The experts attributed the attacks to China, other IP addresses involved in the campaign are associated with virtual private servers, but researchers noticed that artifacts indicate that the computers used to log in all cases are configured with Chinese language settings.

“The activity uncovered here offers new insight into TEMP.Periscope’s activity.” concludes FireEye. “Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cambodia, TEMP.Periscope)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cambodia cyber espionage elections Hacking TEMP.Periscope

you might also like

Pierluigi Paganini July 30, 2025
PyPI maintainers alert users to email verification phishing attack
Read more
Pierluigi Paganini July 30, 2025
FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    PyPI maintainers alert users to email verification phishing attack

    Hacking / July 30, 2025

    FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

    Cyber Crime / July 30, 2025

    Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

    Malware / July 30, 2025

    Orange reports major cyberattack, warns of service disruptions

    Security / July 29, 2025

    Hackers leak images and comments from women dating safety app Tea

    Data Breach / July 29, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT