New Darktrace research identified that Chinese-nexus cyber operations are increasingly defined by persistence, strategic intent, and behavioral consistency rather than discrete, campaign-driven activity. The analysis shows that these intrusions are not opportunistic one-offs but part of a broader, long-horizon approach aligned with national priorities, including economic positioning and critical infrastructure leverage. Organizations in critical national infrastructure sectors account for the overwhelming majority of observed compromises, with roughly 88% of cases tied to such environments. This targeting pattern reflects a deliberate focus on systems that underpin economic stability and national resilience, reinforcing the idea that cyber activity is being used as a tool of statecraft rather than simple intellectual property theft.
In its report titled ‘Crimson Echo: Understanding Chinese-Nexus Cyber Tradecraft,’ Darktrace noted that operationally, the data reveals two distinct modes of execution. Short-duration intrusions tend to emphasize rapid exploitation of internet-facing systems, quick tooling deployment, and immediate C2 (command-and-control) establishment, often resembling ‘smash-and-grab’ or validation-style operations.
In contrast, longer-duration compromises prioritize deep network penetration, sustained access, and staged activity over weeks or months. Median dwell time sits at around 10 days, but the distribution stretches into extremely long-tail cases exceeding 600 days, underscoring how persistence is selectively applied based on target value. Notably, in high-value environments, attackers often expand laterally before initiating data exfiltration, suggesting that control and positioning take precedence over immediate data theft.
In a blog post, Nathaniel Jones, vice president for security and AI strategy and Field CISO at Darktrace, detailed trends from the analysis. These included that targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and IT services.
He added that strategically important Western economies are a primary focus. The U.S. alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain, and the U.K., over half of all intrusions (55%) were concentrated in these regions. Lastly, nearly 63% of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.
Darktrace reports that Chinese-nexus cyber operations are best understood as continuous strategic planning rather than episodic campaigns. Detection of short dwell time intrusions should not be interpreted as a failure of tradecraft but as a deliberate operational choice. Western security models remain overly incident-centric and continue to undervalue the risks associated with persistent identity exposure. China’s cyber activity is no longer limited to intellectual property theft but is increasingly aligned with Belt and Road Initiative dependencies and the strategic leverage of critical infrastructure globally, with particular emphasis on the U.S.
A key takeaway is that traditional, incident-centric security models are poorly suited to detect this style of activity. Chinese-nexus operators frequently rely on living-off-the-land techniques, legitimate administrative tools, and cloud infrastructure, blending into normal network behavior and evading signature-based defenses. Behavioral indicators such as anomalous credential use, DNS tunneling, and bursts of reconnaissance or lateral movement emerge as more reliable signals.
The Darktrace findings point to a shift in defensive strategy, where continuous monitoring, anomaly detection, and an understanding of attacker workflows become critical. In this context, cyber defense is less about stopping isolated breaches and more about managing persistent exposure across complex, interconnected environments.
The team structured its threat hunting into two coordinated phases to avoid duplication and maximize coverage across the dataset. The first phase focused on campaign and malware investigations, while the second centered on tactics, techniques, and procedures (TTPs) and sequence-based behavioral hypothesis testing. Each phase followed a consistent, sequence-driven methodology, enabling analysts to map activity against known intrusion patterns and uncover related behaviors across environments.
The campaign and malware investigation phase began with a review of previously documented Chinese-nexus activity from external security research. Analysts aggregated open-source intelligence and third-party reporting, using these insights to guide retrospective searches within the customer base for related activity. This functioned as a structured literature review, linking reported campaigns to observed network behavior.
The team also investigated malware commonly associated with Chinese-nexus actors, including ShadowPad, PlugX, and SnappyBee. However, they did not treat malware presence as definitive attribution, recognizing that shared tooling and false flag operations are common among nation-state actors. To address this, malware analysis was reinforced with proprietary telemetry, external intelligence, and industry-sourced insights to build a more reliable evidentiary base.
The second phase shifted from known campaigns to pattern discovery. Analysts used insights from the first phase to extract recurring operational themes and translate them into TTP-driven threat hunting queries. These included exploitation of internet-facing infrastructure, use of living-off-the-land binaries, DLL sideloading and search order hijacking, and DNS-based tunneling for command and control.
While execution details varied across cases, consistent behavioral elements allowed researchers to apply sequence-based detection methods to identify previously unlinked intrusions. This approach emphasized common attacker workflows over isolated indicators, enabling broader detection of Chinese-nexus activity even in the absence of clear campaign attribution.
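The sequence-based hunting described above, as an added illustration that is not Darktrace's code or method: a small Python hunt over constructed telemetry that flags a host only when the report's recurring stages (internet-facing exploitation, then a living-off-the-land binary, then DNS-based command and control) occur in that order within a time window, rather than on any single indicator. The event labels, hosts, timestamps and the `hunt` function are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "timestamp,host,event_type,detail".
# The event_type labels are hypothetical names for already-triaged detections.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00,web01,external_exploit,POST /api/upload from 203.0.113.9
2024-05-01T08:04:10,web01,lolbin_exec,certutil.exe -urlcache -f
2024-05-01T08:09:30,web01,dns_anomaly,avg label length 52, 310 queries/min
2024-05-01T09:00:00,db02,lolbin_exec,powershell.exe -enc
2024-05-03T12:00:00,web03,external_exploit,GET /admin from 198.51.100.4
2024-05-05T12:00:00,web03,lolbin_exec,rundll32.exe
2024-05-07T12:00:00,web03,dns_anomaly,avg label length 48, 280 queries/min
"""

# Hypothetical attacker workflow built from the report's recurring themes:
# exploit an internet-facing system, run a LOLBin, then tunnel C2 over DNS.
WORKFLOW = ["external_exploit", "lolbin_exec", "dns_anomaly"]


def parse_events(text):
    """Parse CSV-style lines into (timestamp, host, event_type, detail), time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, detail = line.split(",", 3)  # detail may itself contain commas
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return sorted(events)


def find_sequences(events, workflow, window):
    """Return {host: [stage timestamps]} for hosts where every workflow stage
    occurs in order and the whole chain completes within `window`."""
    per_host = defaultdict(list)
    for ts, host, etype, _ in events:
        per_host[host].append((ts, etype))
    hits = {}
    for host, evs in per_host.items():
        chain, stage = [], 0
        for ts, etype in evs:
            if chain and ts - chain[0] > window:
                chain, stage = [], 0  # chain went stale: start hunting again
            if etype == workflow[stage]:  # only the next expected stage advances the chain
                chain.append(ts)
                stage += 1
                if stage == len(workflow):
                    hits[host] = chain
                    break
    return hits


def hunt(text, workflow=WORKFLOW, window_hours=24):
    """Convenience wrapper: sorted list of hosts matching the full workflow."""
    hits = find_sequences(parse_events(text), workflow, timedelta(hours=window_hours))
    return sorted(hits)
```

Widening the window to cover the report's long-tail dwell times changes the verdict: with a 24-hour window only web01 matches, while a 10-day window also surfaces web03, whose stages were spread over four days.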
Darktrace found that the U.S. accounted for roughly one-fifth of all cases involving critical national infrastructure customers, with activity concentrated across transportation systems, healthcare and public health, government services and facilities, and the information technology sector.
Beyond the U.S., three of the top five most prevalent countries within the dataset are all EU members: Italy, Spain, and Germany. These countries include some of the largest economies in the Eurozone, and many of the organizations identified during the threat hunting process operate in core sectors of economic interest for the Chinese government, including digital infrastructure, advanced technology, manufacturing, synthetic materials, and agricultural technology.
Across Europe, the Middle East, and Africa, more than three-quarters of critical national infrastructure cases were concentrated in transportation systems, communications, critical manufacturing, information technology, and food and agriculture.
Asia-Pacific and Japan were the least represented regions in the dataset, even when low-confidence events were included, with cases relatively evenly distributed across countries. All affected nations were aligned with ASEAN or the QUAD, and targeting patterns point to cyber operations supporting China’s regional security priorities, particularly around the South China Sea and Taiwan, while activity in Hong Kong likely reflects internal security objectives.
Incidents in the region were more concentrated in the public sector and media, with about half involving government or communications entities, in contrast to the broader mix of economic targets seen in EMEA. Overall, the pattern suggests that targeting in APJ is driven more by traditional espionage and regional security goals, while activity in EMEA aligns more closely with economic interests and Belt and Road Initiative objectives.
In its conclusion, Darktrace observed that the dataset reinforces that Chinese-nexus operations show a distinct preference for organizations within critical national infrastructure categories and strategically important sectors such as transportation, telecommunications, manufacturing, healthcare, and digital infrastructure. These targeting patterns broadly appear to reflect goals set by the Chinese state to support both traditional espionage for strategic advantage and BRI/industrial espionage goals.
“This contextual data emphasizes how important it is that C-suite executives understand how and where in the CNI framework their organization resides,” according to the report. “Investment into cyber defense resourcing, focus on proactive threat hunting, and the cadence of IT security control reviews may need to be reassessed given the intent to act on strategic objectives by Chinese nexus actors in such critical sectors. Implicit in this data is the fact that organizational risk will be directly impacted and better mitigated by an understanding of medium- and long-term strategic planning by the Chinese state apparatus. CISOs and decision makers can benefit from a more nuanced understanding of how their organization may be viewed as a potential target for such objectives.”
Operational insights from this report, including dwell-time trends, technique co-occurrences, and kill-chain sequencing, can help SOC teams refine threat-hunting parameters, including time frames, and prioritize defensive monitoring. Rather than relying solely on static indicators or actor-specific profiles, defenders can focus on recurring patterns of behavior such as anomalous credential use, reconnaissance activity, unusual cloud connections, and bursts of lateral movement.
The findings also underscore the growing importance of anomaly-based detection. Chinese-nexus actors frequently employ living-off-the-land (LOTL) techniques, cloud infrastructure, and legitimate administrative tools that evade traditional signature-based controls. Detecting these operations, therefore, depends increasingly on identifying deviations from established patterns of network behavior.