Chinese Cyber Threat Lurks In Critical Asian Sectors for Years
Dark Reading
An undefined Chinese-speaking actor wields a combo of custom malware, open source tools, and LOTL binaries against Windows and Linux, likely for spying.
Elizabeth Montalbano, Contributing Writer
March 9, 2026
A Chinese-speaking threat actor has been pummeling various critical-infrastructure sectors across Asia with cyber-espionage attacks for years, using a combination of custom malware, open source tools, and living-off-the-land binaries across both Windows and Linux environments.
The threat cluster, tracked as CL-UNK-1068, has been targeting aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications organizations across South, Southeast, and East Asia since at least 2020, according to a recent report by Palo Alto Networks' Unit 42.
"Using primarily open source tools, community-shared malware, and batch scripts, the group has successfully maintained stealthy operations while infiltrating critical organizations," Unit 42's Tom Fakterman wrote in the post.
Attackers gain initial access via exploitation of Web servers and the deployment of various Web shells, including the GodZilla Web shell, and a variation of AntSword. After gaining an initial foothold, the attackers use these shells to move laterally to additional hosts and SQL servers.
The ultimate goal of the attacks is both credential theft and the exfiltration of sensitive data by the as-yet undetermined actor, who Unit 42 believes is linked to China based on their use of language, the origin of their tools, and "their consistent, long-standing targeting of critical infrastructure in Asia," Fakterman noted.
Cross-Platform Cyberattack Capabilities
In its attack methodology, the actor demonstrates a versatility in how it operates across both Windows and Linux environments, "using different versions of their tool set for each operating system," according to Unit 42.
"While the focus on credential theft and sensitive data exfiltration from critical infrastructure and government sectors strongly suggests an espionage motive, we cannot yet fully rule out cybercriminal intention," Fakterman added.
Once the actor compromises a system, they conduct reconnaissance and privilege escalation using a combination of various tools, including using the aforementioned Web shells for lateral movement.
CL-UNK-1068 then conducts credential theft using tools such as Mimikatz, which dumps passwords from memory, and LsaRecorder, which also captures passwords, according to the report. The actor also deploys DumpIt, a free multiplatform forensics tool, in combination with the widely known Volatility Framework to extract password hashes from memory.
Another tool in CL-UNK-1068's arsenal is a custom Go-based network scanning tool named ScanPortPlus, for which it has developed both Linux and Windows versions, according to the report.
To maintain persistence and evade detection, the actor relies heavily on various stealth techniques, including DLL side-loading through legitimate Python executables. This allows malicious payloads to execute under trusted processes, Fakterman explained.
Further, to maintain command-and-control (C2) access and bypass network controls, the actor also deploys modified builds of Fast Reverse Proxy (FRP) and occasionally installs the Xnote Linux backdoor.
How to Defend Against the Chinese Cyber Threat
Though Unit 42 has not made a definitive identification of the threat actor, some of its targeting and stealth activities are reminiscent of formidable Chinese threat actor Salt Typhoon, which infamously and persistently targeted at least nine US telecommunications companies without detection long enough to eavesdrop on US law-enforcement wiretaps and presidential campaigns.
Indeed, China has numerous state-sponsored actors conducting espionage and financially motivated campaigns on its behalf. Just last week researchers from Check Point unveiled a newly documented spinoff of APT41 dubbed "Silver Dragon," which also was targeting Asia in a lengthy campaign.
To ward off these advanced persistent threats, Unit 42 recommends that defenders pay attention to the "behavioral anomalies" associated with each group. To help them do this, there is a lengthy list of indicators of compromise (IoCs) included in the report.
In the case of CL-UNK-1068, some key signs that organizations should aim to spot in their detections include misuse of legitimate Python binaries for side-loading, deployment of unauthorized tunneling tools like FRP, and execution of custom reconnaissance batch scripts.
Fakterman said security teams also should look for evidence of credential-dumping tools like Mimikatz, inspect unusual RAR compression and Base64 encoding activity, harden Internet-facing Web servers, and monitor for Web shell deployments.
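The behaviours listed above map naturally onto simple host-telemetry rules. The following is an added example, not detection content from Unit 42 or Dark Reading; the event schema (type, image, cmdline or loaded) and the trusted-directory and writable-directory lists are constructed assumptions, and the sample events are made up rather than indicators from the report.

```python
import re
from pathlib import PureWindowsPath
# Assumed trusted Python install roots and user-writable staging dirs (constructed; tune per fleet).
TRUSTED_PY_DIRS = (r"c:\program files\python", r"c:\python")
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
TUNNEL_BINS = {"frpc.exe", "frps.exe", "frpc", "frps"}
RULES = [  # (tag, regex over the command line); patterns use the public tool syntax only
    ("frp_tunnel", re.compile(r"-c\s+\S*frp[cs]\.(ini|toml)\b", re.I)),
    ("credential_dump_tool", re.compile(r"mimikatz|sekurlsa::|lsadump::|lsarecorder|dumpit", re.I)),
    ("rar_encrypted_archive", re.compile(r"\brar(\.exe)?\s+a\b.*\s-hp", re.I)),
    ("base64_encode", re.compile(r"certutil(\.exe)?\s.*-encode\b", re.I)),
]
BAT_RE = re.compile(r"(\S+\.bat)\b", re.I)
def _base(path):
    return PureWindowsPath(path).name.lower()
def classify(ev):
    """Alert tags for one event dict (schema constructed: type, image, cmdline|loaded)."""
    tags = []
    if ev["type"] == "image_load":  # DLL side-loading through a legitimate Python host
        dll = ev["loaded"].lower()
        if _base(ev["image"]) in {"python.exe", "pythonw.exe"} and not dll.startswith(TRUSTED_PY_DIRS):
            tags.append("python_sideload")
        return tags
    cmd = ev["cmdline"]
    if _base(ev["image"]) in TUNNEL_BINS:
        tags.append("frp_tunnel")
    tags += [tag for tag, rx in RULES if rx.search(cmd) and tag not in tags]
    m = BAT_RE.search(cmd)  # recon batch script launched from a user-writable path
    if m and any(d in m.group(1).lower() for d in WRITABLE_DIRS):
        tags.append("batch_from_writable_dir")
    return tags
def scan(events):
    """Map event index -> tags for every event that raised at least one tag."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}
SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the report
    {"type": "image_load", "image": r"C:\ProgramData\svc\python.exe", "loaded": r"C:\ProgramData\svc\python311.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Python311\python.exe", "loaded": r"C:\Program Files\Python311\python311.dll"},
    {"type": "process_create", "image": r"C:\ProgramData\svc\update.exe", "cmdline": r"update.exe -c C:\ProgramData\svc\frpc.toml"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\recon.bat"},
    {"type": "process_create", "image": r"C:\Users\Public\m.exe", "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"type": "process_create", "image": r"C:\Users\Public\rar.exe", "cmdline": r"rar.exe a -hpPASS out.rar C:\share\docs"},
    {"type": "process_create", "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -encode out.rar out.txt"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].get("cmdline", SAMPLE_EVENTS[i].get("loaded")), tags)
```

Each rule fires on one of the constructed events and stays silent on the two benign ones; in production the path lists and regexes would be tuned against the organisation's own baseline to keep false positives down.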