CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia

Jan. 30, 2025, 10:04 a.m.

Description

A sophisticated cyberespionage campaign targeting high-value entities in South Asia, particularly a telecommunications organization, has been identified. The threat actor, tracked as CL-STA-0048, employed rare techniques like 'Hex Staging' for payload delivery and DNS-based data exfiltration. The operation, likely originating from China, aimed to obtain personal information of government employees and sensitive organizational data. The attackers systematically exploited vulnerabilities in IIS, Apache Tomcat, and MSSQL services. They utilized various tools including PlugX backdoor, Cobalt Strike, and privilege escalation tools. The campaign's sophistication and objectives suggest a nation-state advanced persistent threat operation.

External References

https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
https://otx.alienvault.com/pulse/679aca57066d5c141e511c82
Tags
apt
plugx
cobalt strike
south asia
2025-01-30

Date

  • Created: Jan. 30, 2025, 12:39 a.m.
  • Published: Jan. 30, 2025, 12:39 a.m.
  • Modified: Jan. 30, 2025, 10:04 a.m.

Linked vulnerabilities

CVE-2025-0282

9.0
    Ivanti
  • Connect Secure
  • Neurons For Zero-Trust Access
  • Policy Secure
Published: January 8, 2025

CVE-2025-0283

7.0
    Ivanti
  • Connect Secure
  • Neurons For Zero-Trust Access
  • Policy Secure
Published: January 8, 2025

Indicators

  • c5af6fd69b75507c1ea339940705eaf61deadd9c3573d2dec5324c61e77e6098
  • edc9222aece9098ad636af351dd896ffee3360e487fda658062a9722edf02185
  • af0baf0a9142973a3b2a6c8813a3b4096e516188a48f7fd26ecc8299bce508e1
  • a09179dec5788a7eee0571f2409e23df57a63c1c62e4b33f2af068351e5d9e2d
  • 8dfc107662f22cff20d19e0aba76fcd181657255078a78fb1be3d3a54d0c3d46
  • 525540eac2d90c94dd3352c7dd624720ff2119082807e2670785aed77746301d
  • 508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
  • 3503d6ccb9f49e1b1cb83844d1b05ae3cf7621dfec8dc115a40abb9ec61b00bb
  • 35da93d03485b07a8387e46d1ce683a81ae040e6de5bb1a411feb6492a0f8435
  • 336892ff8f07e34d18344f4245406e001f1faa779b3f10fd143108d6f30ebb8a
  • 0f85b67f0c4ca0e7a80df8567265b3fa9f44f2ad6ae09a7c9b7fac2ca24e62a8
  • 43.247.135.106
  • 38.54.30.117
  • 38.54.56.88
  • 206.237.0.49
  • 154.201.68.57
  • https://h5.nasa6.com/shell/
  • web.nginxui.cc
  • test.nulq5r.ceye.io
  • sentinelones.com
  • mail.tttseo.com
Download all indicators here!

Attack Patterns

  • Stowaway
  • RasmanPotato
  • SspiUacBypass
  • BadPotato
  • Kaba
  • Sogu
  • DestroyRAT
  • TVT
  • Thoper
  • PlugX - S0013
  • ValleyRAT
  • Korplug
  • Cobalt Strike - S0154
  • CL-STA-0048
  • T1021.002
  • T1078.002
  • T1505.003
  • T1553.002
  • T1059.001
  • T1571
  • T1083
  • T1055
  • T1046
  • T1027
  • T1190
  • T1003
  • CVE-2025-0283
  • CVE-2025-0282

Additional Informations

  • Telecommunications
  • Government