China-Linked VELETRIX Loader Used in Attacks on Telecommunications Infrastructure

A China-nexus threat actor has launched a highly advanced attack against China Mobile Tietong Co., Ltd., a division of China Mobile, one of the largest telecom operators in the country, in a clear illustration of state-aligned cyberwarfare.

Named “DragonClone” by Seqrite Labs APT-Team, this operation underscores the strategic motivations behind China-linked cyber threats, which go far beyond financial gain.

Sophisticated Cyber Warfare Tactics

Unlike eCrime actors driven by ransomware or malware-as-a-service models, these adversaries operate with state-backed objectives, focusing on long-term intelligence gathering and mass espionage.

By infiltrating a key telecommunications provider, the attackers gain access to critical backbone infrastructure, enabling them to monitor large volumes of traffic and giving the Chinese state early visibility into activity it regards as a potential threat.

This campaign reflects decades of investment by the Chinese government in cyber capabilities through entities like the People’s Liberation Army (PLA) and the Ministry of State Security (MSS), embedding cyber warfare as a civic duty within society and private sectors.

Technical Breakdown of the DragonClone Campaign

The DragonClone campaign begins with a spearphishing attack (T1566.001), delivering a ZIP file masquerading as an internal training program for China Mobile Tietong employees.

The file, with the SHA256 hash “fef69f8747c368979a9e4c62f4648ea233314b5f41981d9c01c1cdd96fb07365,” contains a malicious executable named to lure victims: “2025年中国移动有限公司内部培训计划即将启动,请尽快报名.exe” (translated as “China Mobile Limited’s internal training program for 2025 is about to start, please sign up as soon as possible”).

This executable leverages DLL side-loading via the legitimate Wondershare Recoverit software, exploiting a dependency on “drstat.dll” to load a customized malicious loader identified as VELETRIX.

[Figure: DLL dependency with drstat.dll]

Upon execution, VELETRIX employs anti-sandbox techniques, such as a 10-second sleep loop and system sound checks via the Beep API, to evade detection.

It then dynamically loads Windows APIs like VirtualAllocExNuma and RtlIpv4StringToAddressA using LoadLibraryA and GetProcAddress, while obfuscating its intent with stack strings.

A unique obfuscation method transforms encrypted shellcode into a series of IPv4 addresses, which are decrypted via an XOR operation with the key 0x6f.

The shellcode is injected unconventionally using EnumCalendarInfoA, executing with PAGE_EXECUTE_READWRITE permissions to bypass traditional monitoring.

Further analysis reveals the shellcode initializes network communication via Winsock APIs like WSAStartup and connect, targeting a hardcoded Command and Control (C&C) server at 62.234.24.38 on TCP port 9999, confirmed to be hosted on Tencent Cloud infrastructure in Beijing, China.

Captured traffic shows the server sending nearly 5MB of encrypted data, decrypted via XOR with key 0x99, revealing a second-stage Golang DLL, potentially a reverse shell for AMD64 systems.
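To show how an analyst would unwrap the two XOR layers described above (the IPv4-string encoding of the shellcode with key 0x6f, and the 0x99 key on the second-stage blob), here is an added example that is not code from Seqrite Labs or from the article. It converts dotted-quad strings back to raw bytes the way RtlIpv4StringToAddressA would, strips the first XOR layer, and applies the second key to check for an MZ header. The address list and stage-two bytes are constructed samples, not data from the campaign.

```python
import re
from typing import Iterable

# XOR keys as reported for the VELETRIX first stage and the C&C-delivered
# second stage respectively (values taken from the analysis above).
SHELLCODE_XOR_KEY = 0x6F
STAGE2_XOR_KEY = 0x99

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ipv4_to_bytes(addr: str) -> bytes:
    """Mirror what RtlIpv4StringToAddressA does: dotted quad -> 4 raw bytes."""
    m = IPV4_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a dotted-quad IPv4 string: {addr!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {addr!r}")
    return bytes(octets)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation undoes both layers."""
    return bytes(b ^ key for b in data)


def decode_ipv4_shellcode(addrs: Iterable[str], key: int = SHELLCODE_XOR_KEY) -> bytes:
    """Rebuild the blob hidden in a list of IPv4 strings and strip the XOR layer."""
    return xor_decode(b"".join(ipv4_to_bytes(a) for a in addrs), key)


def looks_like_pe(blob: bytes) -> bool:
    """Quick triage check: a decrypted second stage DLL should start with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed sample: the ASCII string "VELETRIX" XORed with 0x6f and split into
# two dotted quads (hypothetical data, not addresses from the real sample).
SAMPLE_ADDRS = ["57.42.35.42", "59.61.38.55"]

# Constructed sample: the first four bytes of a PE header (MZ 90 00) XORed with 0x99.
SAMPLE_STAGE2 = bytes([0xD4, 0xC3, 0x09, 0x99])

if __name__ == "__main__":
    print(decode_ipv4_shellcode(SAMPLE_ADDRS))
    print(looks_like_pe(xor_decode(SAMPLE_STAGE2, STAGE2_XOR_KEY)))
```

Feeding a real sample's address list into decode_ipv4_shellcode and the captured C&C payload into xor_decode gives the raw blobs for Yara matching or disassembly.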

Additional samples matching custom Yara rules indicate consistent patterns across multiple campaigns, with C&C IPs like 121.37.80.227 and 156.238.236.130 also tracing back to Chinese infrastructure or hosting Chinese-language services.

These findings suggest the use of VShell, a suspected Offensive Security Tool (OST) prevalent among China-Nexus actors.

The targeting of telecommunications infrastructure, combined with infrastructure attribution, points to a state-aligned operation prioritizing espionage over disruption, marking a critical evolution in cyber warfare tactics.

Researchers are urged to remain vigilant for VELETRIX and VShell indicators in their environments as these threats continue to evolve.
