China-Nexus APT Group Leverages DLL Sideloading Technique to Attack Government and Media Sectors


A targeted cyber espionage campaign has emerged across Southeast Asia, specifically affecting government and media organizations in countries surrounding the South China Sea.

The campaign, which has been actively monitored since early 2025, demonstrates advanced persistent threat characteristics with a focus on nations including Laos, Cambodia, Singapore, the Philippines, and Indonesia.

The attack chain begins with a seemingly legitimate file named “Proposal_for_Cooperation_3415.05092025.rar” that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR (patched in WinRAR 7.13; any earlier version remains exposed).

The attackers employ a multi-stage infection process that showcases their technical expertise and strategic planning.

Initial compromise occurs through spear-phishing emails carrying the malicious RAR archive. No further interaction is needed beyond opening it: the vulnerability fires as soon as a vulnerable WinRAR build extracts the contents.

The exploit lets the threat actors write a persistence script into the user’s Startup folder. Path traversal is combined with an Alternate Data Stream (ADS) technique, so the entry escapes the chosen extraction directory, and whatever lands in the Startup folder runs at the victim’s next logon.
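The check a mail gateway or sandbox would run on an archive before extraction, as an added example that is not code from the CyberArmor report: it inspects entry names for traversal sequences, absolute paths, ADS delimiters and a Startup-folder destination. It works on any listing (for example the output of `unrar lb archive.rar` or `7z l archive.rar`), and the sample listing below is constructed rather than taken from the real archive.

```python
"""Triage archive entry names for path traversal and Alternate Data Stream (ADS) abuse.

Added example, not code from the CyberArmor report. Entry names can come from any
archive listing; the SAMPLE_LISTING below is constructed.
"""
import re
import zipfile
from typing import Dict, List

_SEP = re.compile(r"[\\/]+")          # accept both separator styles
_DRIVE = re.compile(r"^[A-Za-z]:")     # Windows drive designator
_STARTUP = "\\start menu\\programs\\startup\\"


def classify_entry(name: str) -> List[str]:
    """Return findings for one entry name; an empty list means nothing suspicious."""
    findings: List[str] = []
    norm = _SEP.sub(r"\\", name)       # unify separators to a single backslash
    parts = norm.split("\\")
    if ".." in parts:
        findings.append("path-traversal")
    if _DRIVE.match(norm) or norm.startswith("\\"):
        findings.append("absolute-path")
    # Outside the drive designator, a colon in an NTFS path is an ADS delimiter (file:stream).
    if ":" in _DRIVE.sub("", norm, count=1):
        findings.append("alternate-data-stream")
    if _STARTUP in norm.lower():
        findings.append("startup-folder-target")
    return findings


def triage(listing: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its findings; benign names are omitted."""
    result: Dict[str, List[str]] = {}
    for name in listing:
        findings = classify_entry(name)
        if findings:
            result[name] = findings
    return result


def names_from_zip(path: str) -> List[str]:
    """Entry names of a ZIP via the standard library (RAR needs `unrar lb` or the rarfile package)."""
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()


# Constructed sample listing: a clean document, a clean asset, a plain traversal
# entry, an ADS-carried traversal entry, and an absolute path.
SAMPLE_LISTING = [
    "Proposal_for_Cooperation.pdf",
    "images/logo.png",
    "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.cmd",
    r"readme.txt:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd",
    r"C:\Users\Public\run.bat",
]

if __name__ == "__main__":
    for entry, findings in triage(SAMPLE_LISTING).items():
        print(f"{', '.join(findings):55} {entry}")
```

The ADS rule is the one that matters for this CVE: a colon anywhere after the drive designator cannot be a normal file name on NTFS, so the entry should be quarantined even if the traversal sequence were missing.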


CyberArmor security researchers identified this sophisticated operation while tracking sustained espionage activities targeting critical infrastructure and information sectors.

The campaign demonstrates a clear preference for DLL sideloading techniques throughout multiple stages of infection.

Governments and media organizations represent high-value targets because they directly influence policy decisions, shape public opinion, and determine international strategic alignment.

[Figure] The WinRAR archive drops a batch file, which in turn downloads the next stage (Source: CyberArmor)

The malicious campaign operates through four distinct stages, each designed to maintain persistence while avoiding detection by security products.

After the initial dropper executes, a batch script named “Windows Defender Definition Update.cmd” downloads additional payloads from Dropbox and establishes registry-based persistence.

The subsequent stages abuse legitimate software components, an OBS browser executable and Adobe Creative Cloud Helper, to load malicious DLL files through search-order hijacking. Nothing in those programs is exploited; they simply resolve a dependency from their own directory before any trusted location, and the attackers supply the copy that wins.

Technical Breakdown of the DLL Sideloading Mechanism

The DLL sideloading technique represents the core evasion strategy employed throughout this campaign. In Stage 2, the threat actors abuse a legitimate OBS open-source browser executable to load a modified libcef.dll (the Chromium Embedded Framework library the browser component depends on). Because the executable resolves libcef.dll from its own directory first, the attacker only needs to place a malicious copy beside it.

This altered library executes malicious code while maintaining the appearance of normal software operation. The backdoor communicates with operators through Telegram using an encrypted bot token, providing three primary commands: shell execution, screenshot capture, and file upload capabilities.

Stage 3 continues the DLL sideloading approach by exploiting Adobe’s Creative Cloud Helper component. The legitimate “Creative Cloud Helper.exe” loads a malicious CRClient.dll file, which contains functionality to decrypt and execute the final backdoor payload stored as “Update.lib.”

The decryption process is a single-byte XOR. That is obfuscation rather than encryption: it is enough to keep the stored payload from matching static signatures, but it is reversed trivially once the key is known, and the key space is only 256 values.

The following code snippet shows the decryption routine:

#include <stddef.h>

// XOR "decryption" with a hardcoded single-byte key (0x3c); XOR is its own inverse,
// so the same loop encodes and decodes.
static void xor_decrypt(const unsigned char *encrypted_data,
                        unsigned char *decrypted_data, size_t payload_size)
{
    for (size_t i = 0; i < payload_size; i++) {
        decrypted_data[i] = encrypted_data[i] ^ 0x3c;
    }
}

The final backdoor provides comprehensive remote access capabilities through HTTPS communication with command-and-control servers located at public.megadatacloud[.]com and IP address 104.234.37[.]45.

Command traffic is XOR-obfuscated inside the HTTPS channel, so content-based detection sees no plaintext commands even where TLS is inspected; the practical controls are blocking and alerting on the listed domain and IP address, and hunting for the sideloaded DLLs on endpoints.
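The analyst-side counterpart to the single-byte XOR used on Update.lib and on the C2 traffic, as an added example that is not code from the CyberArmor report: it recovers the key from an obfuscated blob without the loader, either by known plaintext (a PE file starts with “MZ”, so key = first byte XOR ‘M’, then verified against the PE signature) or by brute-forcing all 256 keys against a validator. The “Update.lib” and beacon blobs below are constructed stand-ins, the JSON shape of the beacon is an assumption, and treating the C2 traffic as the same single-byte scheme is ours rather than something the report states.

```python
"""Recover a single-byte XOR key from an obfuscated blob and decode it.

Added example, not code from the CyberArmor report. The report states that
CRClient.dll decodes Update.lib with a fixed single-byte XOR (0x3c); the
SAMPLE_UPDATE_LIB and SAMPLE_BEACON blobs below are constructed stand-ins.
"""
import json
import struct
from typing import Callable, Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_json_object(data: bytes) -> bool:
    """Validator for a text protocol: the decoded bytes parse as a JSON object (assumed shape)."""
    try:
        return isinstance(json.loads(data.decode("ascii")), dict)
    except ValueError:          # UnicodeDecodeError and JSONDecodeError both derive from it
        return False


def brute_force_key(blob: bytes, validator: Callable[[bytes], bool]) -> Optional[int]:
    """Try all 256 keys and return the first whose plaintext the validator accepts."""
    for key in range(256):
        if validator(xor_bytes(blob, key)):
            return key
    return None


def recover_pe_key(blob: bytes) -> Optional[int]:
    """Known-plaintext shortcut: a PE starts with 'M', so key = blob[0] ^ ord('M').

    The candidate is verified against the rest of the header before it is returned,
    which rejects blobs that merely happen to start with the right byte.
    """
    if not blob:
        return None
    candidate = blob[0] ^ ord("M")
    return candidate if looks_like_pe(xor_bytes(blob[:0x1000], candidate)) else None


def build_min_pe_header() -> bytes:
    """Constructed sample: 0x100 bytes with a valid MZ stub and a PE signature at e_lfanew."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed stand-ins for the encoded payload and one encoded beacon.
SAMPLE_UPDATE_LIB = xor_bytes(build_min_pe_header(), 0x3C)
SAMPLE_BEACON = xor_bytes(b'{"host":"WS-01","cmd":"shell","arg":"whoami"}', 0x3C)

if __name__ == "__main__":
    key = recover_pe_key(SAMPLE_UPDATE_LIB)
    print("Update.lib key via known plaintext:", hex(key) if key is not None else None)
    key = brute_force_key(SAMPLE_UPDATE_LIB, looks_like_pe)
    print("Update.lib key via brute force:   ", hex(key) if key is not None else None)
    key = brute_force_key(SAMPLE_BEACON, is_json_object)
    if key is not None:
        print("beacon key:", hex(key), "->", xor_bytes(SAMPLE_BEACON, key).decode())
```

The validator is what makes brute force safe: a printable-ASCII ratio alone is a weak oracle, because XOR with a low key value keeps most letters printable, so anchor on structure (the PE signature, a parseable JSON object, a known protocol marker) rather than on character class.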

The backdoor supports eight distinct command operations, including command execution, DLL loading, shellcode execution, file manipulation, and a kill switch function that terminates operations after random intervals.
