A China-nexus advanced persistent threat (APT) group has been conducting a sustained espionage campaign targeting government and media sectors across Southeast Asia, leveraging sophisticated DLL sideloading techniques as a primary attack vector.
The threat actor, tracked as Autumn Dragon, has targeted multiple nations surrounding the South China Sea, including Indonesia, Singapore, the Philippines, Cambodia, and Laos, with an increasing operational tempo throughout 2025.
The campaign demonstrates a carefully orchestrated four-stage attack chain that begins with spear-phishing emails delivering weaponized RAR archives.
The initial dropper exploits CVE-2025-8088, a critical path traversal vulnerability in WinRAR, to automatically deploy a batch script disguised as “Windows Defender Definition Update.cmd.”
This persistence mechanism enables the attacker to execute subsequent stages upon user login, establishing a foothold without requiring explicit user interaction beyond file extraction.
Following initial compromise, the threat actors deploy a lightweight backdoor leveraging Telegram as a command-and-control channel.
This second stage consists of a legitimate OBS browser executable paired with a modified libcef.dll, exemplifying the group’s preferred DLL sideloading technique (MITRE T1574).

The malicious DLL communicates with threat actor accounts via the Telegram Bot API, receiving three primary commands: shell command execution, screenshot capture, and file upload.
This design minimizes functionality exposure while enabling reconnaissance and lateral movement decisions.
Advanced Persistence Mechanisms
The attackers demonstrate hands-on operational activity, with observed command sequences revealing methodical victim assessment.
Bot controllers executed systeminfo queries to identify system specifications, tasklist commands to discover installed security products, and PowerShell commands to check Windows Defender threat detection status.
The malicious libcef.dll is written in C++ and uses Boost and the tgbot3 library to communicate with the threat actor.

This reconnaissance data directly informs whether attacks proceed or are abandoned, indicating resource-constrained targeting focused on high-value objectives.
Subsequent attack stages employ additional DLL sideloading abusing legitimate applications from Adobe Creative Cloud, Opera GX, Microsoft Edge, and other mainstream software.
These campaigns show clear code reuse patterns and compilation timestamps clustering throughout 2025, particularly in Q3 and Q4, suggesting a single development team behind multiple variants.
The final backdoor stage communicates with command-and-control servers over HTTPS using XOR encryption, supporting advanced capabilities including shellcode execution, DLL loading, and file operations.

Victimology analysis reveals concentrated targeting of governments and media organizations with heavy emphasis on geographic specificity.
Cloudflare protection with geo-restrictions, custom User-Agent requirements, and decoy websites demonstrate operational security awareness and intent to prevent security researcher analysis.
Campaign indicators tied to specific nations suggest tailored payload delivery and separate operational tracks for different targets.
Indicators of interest include multiple command-and-control domains leveraging legitimate service fronts, staging directories in Public folders using randomized naming conventions, and encrypted payloads employing simple XOR operations rather than complex cryptography.
Organizations should monitor for DLL sideloading activity leveraging legitimate applications, unusual Dropbox and legitimate cloud storage access patterns, and network traffic to identified command-and-control infrastructure.
While direct attribution remains challenging, intermediate to advanced operational capabilities, persistent geographic focus on China’s periphery, and tactical similarities with known groups suggest state-level involvement.
The campaign represents a significant ongoing threat to Southeast Asian government and media institutions, requiring immediate awareness and defensive measures.
Indicators of Compromise
| Indicator Value | Type | Context/Stage |
|---|---|---|
| 5b64786ed92545eeac013be9456e1ff03d95073910742e45ff6b88a86e91901b | Hash | Initial dropper |
| e409736eb77a6799d88c8208eb5e58ea0dcb2c016479153f9e2c4c3c372e3ff6 | Hash | Batch script |
| 50855f0e3c7b28cbeac8ae54d9a8866ed5cb21b5335078a040920d5f9e386ddb | Hash | Next stage dropper |
| a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf | Hash | 2nd stage implant |
| C:\Users\Public\Documents\Microsoft\winupdate_v | Folder | Staging folder |
| 5d0d00f5d21f360b88d1622c5cafd42948eedf1119b4ce8026113ee394ad8848 | Hash | 3rd stage loader |
| 843fca1cf30c74edd96e7320576db5a39ebf8d0a708bde8ccfb7c12e45a7938c | Hash | 3rd stage loader |
| 2044a0831ce940fc247efb8ada3e60d61382429167fb3a220f277037a0dde438 | Hash | 4th stage encrypted payload |
| c691f9de944900566b5930f219a55afcfc61eaf4ff40a4f476dd98a5be24b23c | Hash | 4th stage decrypted payload |
| hxxps[:]//public.megadatacloud[.]com | Domain | C2 server |
| hxxps[:]//104.234.37[.]45 | IP (URL) | C2 server |
