China-linked hackers are conducting a stealthy infrastructure-centric espionage campaign across Southeast Asia by compromising Linux-based edge routers with a custom ELF implant and pairing it with a cracked Cobalt Strike Beacon on Windows systems for unified command-and-control over entire networks.
The operation enables full visibility into, and manipulation of, downstream traffic while largely bypassing traditional endpoint-focused defenses.
From this position, they can silently observe, redirect, or weaponize traffic impacting every device behind the compromised router.
On the router side, the attackers deploy a custom 64‑bit Linux ELF implant named router.elf, supported by a secondary backdoor (client_rc_start) and persistent iptables hijack rules.
According to Qiita, a China-nexus intrusion set is targeting organizations in Southeast Asia that rely on Linux-based border and edge routers to front their enterprise networks. Instead of going after endpoints first, the actor implants the routers themselves, gaining root-level access to infrastructure that handles all ingress and egress traffic.

On the Windows side, the same operators deliver a cracked Cobalt Strike 4.4 Beacon via DLL sideloading of version.dll, using an identical C2 profile and overlapping infrastructure to confirm unified control across platforms.
SEA Edge Routers
Attribution points strongly to cyber operators aligned with the People’s Republic of China (PRC). The campaign’s motivation appears to be long-term espionage and persistent access to sensitive Southeast Asian networks rather than short, financially motivated intrusions.
Multiple factors support this assessment: Mandarin-language strings embedded in the Linux implant, Chinese language preferences in C2 HTTP headers, and cracked Cobalt Strike licenses consistent with previously documented PRC activity.
In addition, domain registration and infrastructure usage patterns align with known PRC-linked clusters that routinely target telecom and government networks in the region.
The router.elf payload is a statically linked, stripped, position-independent Linux x86‑64 binary compiled with GCC that functions as a full-featured remote access Trojan (RAT) for edge devices.
Static linking and symbol stripping remove obvious dependencies and debugging artifacts, while PIE compilation complicates memory forensics and exploitation by randomizing load addresses.
Configuration data, including C2 domains and HTTP profiles, is protected with a custom Xorshift-based stream cipher layered over simple XOR, making static extraction of indicators significantly harder. Sensitive runtime strings such as file paths and process names are obfuscated with a single-byte XOR routine and only decoded in memory at runtime.
Instead of relying on traditional DNS, the router implant resolves and communicates with its C2 domains via DNS over HTTPS (DoH), specifically leveraging Cloudflare’s cloudflare-dns.com endpoint.
By tunneling DNS lookups inside encrypted HTTPS traffic, the actor sidesteps many enterprise DNS logging and security controls that focus on clear-text port 53 traffic.
The decrypted configuration reveals a C2 profile that uses HTTPS on port 443 with URIs such as /api/v1/get for polling and /api/v1/post for data exfiltration, mimicking benign web APIs.
The implant also sets a Windows-like User-Agent string and an Accept-Language: zh-CN header to blend into typical browser traffic while still exposing subtle linguistic fingerprints of its operators.
Beyond C2, the adversary pushes persistent iptables DNAT rules to hijack all downstream DNS traffic traversing the compromised router.
These rules redirect UDP port 53 queries from any internal host to attacker-controlled DNS services listening on non-standard port 8090, effectively placing the actor in a man-in-the-middle position for name resolution.
A dedicated ipset (such as evil_fix) is used to selectively redirect traffic destined for specific domains or IP ranges, enabling precise hijacking of software update channels, security vendor sites, or high-value web services.
This combination gives the attackers complete control over which endpoints receive legitimate responses and which are silently pointed to trojanized infrastructure.
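The DNAT and ipset hijack described above leaves a recognisable footprint in a router's `iptables-save` output. The following is an added defender-side example, not code from the report or the implant: it parses a constructed dump (the rule shapes are assumed; only the redirect port 8090 and the ipset name evil_fix come from the reporting) and flags DNS DNAT rules that land on a non-standard port and DNAT rules gated by an ipset.

```python
import re

# Constructed sample of `iptables-save` output from a router. The rule shapes
# are illustrative; only the redirect port (8090) and the ipset name
# (evil_fix) come from the reporting on this campaign.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.2:53
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.7:8090
-A PREROUTING -p tcp -m set --match-set evil_fix dst -m tcp --dport 443 -j DNAT --to-destination 203.0.113.7:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DPORT_RE = re.compile(r"--dport\s+(\d+)")
TARGET_RE = re.compile(r"--to-destination\s+(\S+)")
MATCHSET_RE = re.compile(r"--match-set\s+(\S+)")


def parse_dnat_target(rule):
    """Return (host, port) from a DNAT rule; port is None when unchanged."""
    m = TARGET_RE.search(rule)
    if not m:
        return None, None
    host, sep, port = m.group(1).rpartition(":")
    return (host, port) if sep else (m.group(1), None)


def audit_nat_rules(dump):
    """Return (reason, rule) tuples for nat-table DNAT rules that match the
    hijack pattern: port-53 traffic sent to a non-53 target port, or a
    DNAT that is selectively applied through an ipset (--match-set)."""
    findings = []
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. *nat / *filter
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or "-j DNAT" not in line:
            continue
        dport = DPORT_RE.search(line)
        _host, tport = parse_dnat_target(line)
        if dport and dport.group(1) == "53" and tport not in (None, "53"):
            findings.append(("dns_to_nonstandard_port", line))
        if MATCHSET_RE.search(line):
            findings.append(("ipset_selective_redirect", line))
    return findings
```

Running `audit_nat_rules` over a real dump (`iptables-save` or `nft list ruleset` converted to this syntax) as part of a periodic router configuration audit catches the rules even when the implant binary itself is hidden.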
To ensure resilience, the operation also deploys a secondary component named client_rc_start as a redundant backdoor on infected routers. This binary is installed alongside router.elf and can be used to re-establish access, push new implants, or reapply iptables rules if the primary payload is removed.
Maintaining multiple footholds on the same device is consistent with other advanced China-linked router compromise campaigns, which prioritize durability on hard-to-monitor infrastructure nodes. Such redundancy significantly increases remediation complexity for defenders who may only identify and remove one of several persistence layers.
Cobalt Strike operations
On Windows endpoints, the threat actor uses DLL sideloading to execute a Cobalt Strike 4.4 Beacon under the guise of a legitimate-looking crash reporting application. A malicious version.dll is loaded by CrashReport.exe or CrashReport64.exe from a directory under %allusersprofile%, giving the Beacon a seemingly normal host process and path.
The Beacon configuration uses HTTPS on port 443, with the same /api/v1/get and /api/v1/post URIs and HTTP header structure as the router implant, including Chinese language preferences and custom cookies that encode victim metadata and session identifiers.
Process injection settings favor stealthier RW-to-RX memory transitions and use common Windows APIs for thread creation, aligning with documented malleable C2 tradecraft aimed at evading EDR signatures.
Telemetry from both the Linux router malware and the Windows Cobalt Strike Beacon shows a shared infrastructure backbone, including overlapping domains and near-identical network profiles. Both components beacon at approximately the same intervals, use the same URIs, and share cookie key patterns, clearly indicating that a single operator controls the full kill chain across platforms.
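The shared profile (the /api/v1/get and /api/v1/post URIs, the zh-CN Accept-Language header, regular polling intervals) and the router's use of DoH via cloudflare-dns.com are both observable in web-proxy or TLS-inspection logs. The following is an added hunting example, not code from the report: it runs over constructed records (sources, hosts such as c2.example, and timestamps are made up; the edge-device inventory is assumed) and flags an edge router talking to the DoH endpoint and any source polling those URIs at a steady cadence with a zh-CN header.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records (epoch seconds). Only the URI paths, the zh-CN
# Accept-Language value and the DoH endpoint come from the reporting; the
# sources, hosts and timestamps are made up for this example.
C2_URIS = {"/api/v1/get", "/api/v1/post"}
DOH_HOSTS = {"cloudflare-dns.com"}
EDGE_DEVICES = {"10.0.0.1"}  # assumed inventory of edge routers

RECORDS = (
    # the edge router itself resolving names over DoH
    [{"ts": 1000, "src": "10.0.0.1", "host": "cloudflare-dns.com",
      "uri": "/dns-query", "lang": ""}]
    # workstation polling a placeholder C2 every 60 s with the shared profile
    + [{"ts": 1000 + 60 * i, "src": "10.0.5.20", "host": "c2.example",
        "uri": "/api/v1/get", "lang": "zh-CN"} for i in range(6)]
    # benign client hitting a similar-looking API at irregular times
    + [{"ts": t, "src": "10.0.5.21", "host": "api.vendor.example",
        "uri": "/api/v1/get", "lang": "en-US"} for t in (1000, 1007, 1350, 1900)]
)


def hunt(records, max_jitter=0.1):
    """Return (reason, src, host) findings for the two patterns above."""
    findings = []
    sessions = defaultdict(list)   # (src, host) -> records using the C2 URIs
    for r in records:
        if r["host"] in DOH_HOSTS and r["src"] in EDGE_DEVICES:
            findings.append(("doh_from_edge_device", r["src"], r["host"]))
        if r["uri"] in C2_URIS:
            sessions[(r["src"], r["host"])].append(r)
    for (src, host), rs in sessions.items():
        ts = sorted(r["ts"] for r in rs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        zh = any(r["lang"].lower().startswith("zh") for r in rs)
        # regular cadence: at least 3 gaps with low relative deviation
        regular = len(gaps) >= 3 and pstdev(gaps) <= max_jitter * mean(gaps)
        if zh and regular:
            findings.append(("beacon_with_shared_c2_profile", src, host))
    return findings
```

Because the router and the Beacon use the same URIs and cadence, a hit for one source is a prompt to query the same (host, URI) pair across every subnet behind the gateway.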
By compromising routers first and then selectively staging Windows beacons behind them, the actor can perform downstream attacks such as DNS poisoning, supply chain hijacking, and broad credential theft against any device that relies on the compromised gateway.
This infrastructure-centric approach allows the campaign to sidestep many endpoint controls, maintain long-term visibility into sensitive traffic, and pivot flexibly across entire victim environments.
IOCs
C2 Domains:
| Domain | Usage |
|---|---|
| contextlayerrun.com | Router implant C2 |
| specialclouds.com | CS Beacon C2 |
| specialclouds.top | CS Beacon C2 |
| namefilecode.com | CS Beacon C2 |
| valuecode.top | Associated C2 |
| windowsweatherkb.top | Associated C2 |
| function.windowsoftmessages.com | Associated C2 |
| perfectgo.top | Associated C2 |
| safelyhome.top | Associated C2 |
| discovercoded.com | Associated C2 |
File Indicators
| Filename | Hash | Description |
|---|---|---|
| router.elf | MD5: 6401cdc783b4afcbcc294954b4cc5dd2 | Linux router RAT (primary implant) |
| router.elf | SHA256: 6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae | — |
| client_rc_start | MD5: 92ED4D259940D4294190E60ADD5CC587 | Router secondary backdoor |
| version.dll | MD5: 20C196FD5CF9A4845D048006321A52B8 | CS Beacon DLL sideload payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.