Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

June 9, 2025, 10:09 a.m.

Description

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VELETRIX uses anti-analysis techniques, IPFuscation, and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The associated infrastructure hosts tools such as SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.
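As an added illustration of the IPFuscation technique the description attributes to VELETRIX (example code written for this page, not code from the report or from the malware): a static triage heuristic that flags long runs of dotted-quad IPv4 literals inside a file and reassembles the bytes they encode, since one address is configuration while dozens back-to-back are usually an encoded payload. The sample blob, the run thresholds and the decoded bytes are constructed assumptions.

```python
import re
from typing import List, Tuple

# One dotted-quad IPv4 literal (each octet 0-255), not glued to surrounding digits/dots.
IPV4_RE = re.compile(
    rb"(?<![\d.])(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?![\d.])")


def find_ipv4_runs(blob: bytes, min_run: int = 8, max_gap: int = 4) -> List[Tuple[int, List[bytes]]]:
    """Group IPv4 literals separated by at most max_gap bytes (a NUL or ',' between
    C string literals) and return (offset, literals) for runs of >= min_run entries."""
    runs: List[Tuple[int, List[bytes]]] = []
    current: List[bytes] = []
    start = prev_end = 0
    for m in IPV4_RE.finditer(blob):
        if current and m.start() - prev_end > max_gap:
            if len(current) >= min_run:
                runs.append((start, current))
            current = []
        if not current:
            start = m.start()
        current.append(m.group())
        prev_end = m.end()
    if len(current) >= min_run:
        runs.append((start, current))
    return runs


def decode_ipv4_run(ips: List[bytes]) -> bytes:
    """Reverse the encoding: each octet is one byte, kept in order (the same layout an
    IPv4 string-to-address conversion produces in memory, network byte order)."""
    return b"".join(bytes(int(o) for o in ip.split(b".")) for ip in ips)


def ipfuscation_candidates(blob: bytes, min_run: int = 8) -> List[Tuple[int, int, bytes]]:
    """(offset, literal count, decoded bytes) for every suspicious run in the blob."""
    return [(off, len(ips), decode_ipv4_run(ips)) for off, ips in find_ipv4_runs(blob, min_run)]


# Constructed sample, not a real VELETRIX artifact: a PE-like header, a config string
# holding one ordinary address, then 12 NUL-separated quads encoding bytes 0x00..0x2f.
PAYLOAD = bytes(range(48))
ENCODED = b"\x00".join(
    ".".join(str(b) for b in PAYLOAD[i:i + 4]).encode() for i in range(0, len(PAYLOAD), 4))
SAMPLE = b"MZ\x90\x00" + b"A" * 32 + b"server=10.0.0.5:443\x00" + b"B" * 16 + ENCODED + b"\x00" + b"C" * 16

if __name__ == "__main__":
    for off, n, data in ipfuscation_candidates(SAMPLE):
        print(f"offset 0x{off:x}: {n} IPv4 literals -> {len(data)} bytes, head {data[:8].hex()}")
```

The lone `10.0.0.5` in the config string is below the run threshold and is not reported, which is the distinction a detection rule needs to avoid flagging every binary that embeds a server address.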

Date

  • Created: June 7, 2025, 10:12 a.m.
  • Published: June 7, 2025, 10:12 a.m.
  • Modified: June 9, 2025, 10:09 a.m.

Attack Patterns

  • VELETRIX
  • VShell
  • SuperShell
  • Cobalt Strike - S0154
  • UNC5174

Additional Information

  • Telecommunications
  • China