China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
By Tushar Subhra Dutta
May 26, 2026
A sophisticated China-linked hacking group has been caught targeting edge routers across Southeast Asia, deploying a custom-built Linux implant that gives them deep control over network traffic.
The campaign has been rated critical in severity, and its reach extends well beyond the initial devices it compromises. The attackers install a malicious file called router.elf directly onto border routers, turning them into silent surveillance posts.
Once inside, the implant quietly connects back to attacker-controlled servers using an encrypted channel, making it very difficult for standard security tools to detect the activity. The campaign is designed to fly entirely under the radar of endpoint defenses.
Analysts at Qiita identified the intrusion and noted that the campaign reflects a clear strategic decision to target network infrastructure rather than individual computers.
By owning the router, the attackers position themselves to monitor and manipulate every device that connects through it. That makes this threat far more dangerous than a typical malware infection.
What makes this operation especially alarming is its dual focus. The same group that compromised the routers also deployed a separate hacking tool onto Windows computers within the same networks, using a technique known as DLL sideloading.
Both attack streams share the same command infrastructure, confirming that a single, well-coordinated threat actor is running this entire operation.
Qiita said in a report shared with Cyber Security News (CSN) that multiple clues point strongly to a China-based origin.
These include Mandarin language strings buried inside the implant’s code, a hardcoded language setting of zh-CN in its communication profile, and the use of a cracked hacking tool with a license ID consistently tied to China-linked operations.
How the Implant Takes Over Edge Routers
Once router.elf is installed and running, it establishes a persistent connection to attacker servers over encrypted HTTPS traffic on port 443.
To avoid being caught by DNS monitoring tools, it routes its domain lookups through Cloudflare’s DNS over HTTPS service, which wraps the requests inside normal-looking web traffic. This is a deliberate evasion technique that helps the implant stay hidden for long periods.
The malware also plants firewall rules directly on the router using a built-in Linux tool called iptables. These rules silently redirect all DNS queries from every device behind the router to servers the attackers control.
That means the hackers can manipulate which sites users actually reach, intercept software updates, and selectively hijack traffic to specific destinations using a dynamic address list (an ipset) named evil_fix.
A secondary backdoor named client_rc_start is installed alongside the main implant to ensure continued access even if the primary payload is removed.
Windows Endpoints Caught in the Crossfire
The campaign does not stop at the router level. The threat group extended its reach to Windows computers inside the same networks by planting a Cobalt Strike Beacon, a well-known hacking framework, through DLL sideloading.
A malicious version.dll is dropped into the same folder as a legitimate CrashReport.exe; when that process starts, it resolves the library from its own directory and unknowingly loads the attacker’s payload alongside it.
The Beacon connects back to the same command-and-control domains as the router implant, using identical web traffic patterns, cookie markers, and the same sleep timing of fifty seconds between check-ins.
This tight alignment between both attack tools confirms that neither was deployed in isolation. The same attacker controls both, working together as part of one coordinated espionage effort.
Security teams are urged to immediately audit all edge routers for unauthorized firewall rules, especially any that redirect DNS traffic to unfamiliar IP addresses.
The domains and IP addresses published in the report should be blocked at the perimeter firewall without delay. Linux-based network devices should be scanned for router.elf and client_rc_start, and Windows machines checked for the malicious version.dll and for any CrashReport.exe running from the AllUsers profile folder.
Longer term, organizations should enforce firmware integrity monitoring on network devices, restrict management access using multi-factor authentication, and set up alerts for any changes to firewall rules on routers and gateways.
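One way to perform the router audit described above, as an added example that is not from the report or from this article: a POSIX shell function that parses iptables-save output and flags nat-table rules which DNAT port 53 to a resolver outside private address space, plus any rule keyed on an ipset such as evil_fix. The rule set and the 203.0.113.x addresses are constructed samples, not captures from a compromised device.

```shell
#!/bin/sh
# Flag nat-table rules that hijack DNS the way the article describes:
#   (a) DNAT of port 53 to a resolver outside private address space
#   (b) any rule keyed on an ipset (the report names one called evil_fix)
# Reads `iptables-save` text on stdin and prints one line per suspicious rule.
# DNAT of port 53 to an RFC 1918 or loopback address is left alone, since
# forcing LAN clients onto the router's own resolver is a common legitimate setup.
audit_dns_redirects() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table != "nat" { next }                  # DNS hijack lives in nat/PREROUTING
        /-j DNAT/ && /--dport 53( |$)/ {
            dst = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") dst = $(i + 1)
            sub(/:.*/, "", dst)                  # drop the :port suffix
            if (dst ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/)
                next                             # local resolver: normal
            print "DNS redirected off-net:     " $0
            next
        }
        /--match-set/ { print "ipset-keyed rule (inspect): " $0 }
    '
}

# Constructed sample (not captured from a real device); 203.0.113.0/24 is the
# RFC 5737 documentation range, standing in for attacker-controlled hosts.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br-guest -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.20:8090
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.21:8090
-A PREROUTING -i br-lan -m set --match-set evil_fix dst -j DNAT --to-destination 203.0.113.22
-A PREROUTING -i br-lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# On a live router run:  iptables-save | audit_dns_redirects
# (then `ipset list <name>` to inspect any set the output names).
printf '%s\n' "$SAMPLE_RULES" | audit_dns_redirects
```

Three of the five sample rules are reported: the two port-53 redirects to off-net resolvers and the evil_fix ipset rule, while the guest-network redirect to the router's own resolver and the HTTP redirect are ignored.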
Indicators of Compromise (IoCs):