Chinese-Linked Espionage Campaign Expands in Southeast Asia: Crimson Palace

A state-sponsored cyber espionage campaign, codenamed Crimson Palace, has been observed expanding its operations across Southeast Asia, compromising government organizations in the region. This renewed campaign, tracked by cybersecurity firm Sophos, consists of three threat activity clusters: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870), and Cluster Charlie (STAC1305), together enhancing the scope and sophistication of the espionage effort.

The attackers leveraged compromised networks, masquerading as trusted access points to distribute malware and infiltrate target environments. According to Sophos researchers Mark Parsons, Morgan Demboski, and Sean Gallagher, a key tactic in this campaign involves using one organization’s systems as a command-and-control (C2) relay point and another’s compromised Microsoft Exchange Server to host malware.

Cluster Activities and Objectives

The Crimson Palace campaign was initially documented in June 2024, though the attacks began as early as March 2023 and have extended through April 2024. Cluster Bravo, which overlaps with a group called Unfading Sea Haze, was the first to be identified, while Cluster Charlie (Earth Longzhi) has more recently been found deploying different C2 frameworks like Cobalt Strike, Havoc, and XieBroC2 to facilitate further exploitation.

Each cluster plays a specific role in the attack chain:

  • Cluster Alpha is responsible for infiltrating target environments and conducting reconnaissance.
  • Cluster Bravo focuses on burrowing deeper into the network using various C2 mechanisms.
  • Cluster Charlie handles data exfiltration, using techniques such as DLL hijacking and custom malware such as the TattleTale keylogger to steal sensitive information.


Cross-Pollination of Tactics

A striking element of the campaign is the "cross-pollination" of tactics among the clusters, such as DLL hijacking and the use of open-source programs like RealBlindingEDR and Alcatraz. These tools enable attackers to terminate antivirus processes and obfuscate executable files to evade detection.
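DLL hijacking appears twice in this write-up, as part of Cluster Charlie's exfiltration tradecraft and as one of the tactics shared across clusters. The heuristic below is an added example written for this page, not code from Sophos or from the Crimson Palace reporting: it runs a defender-side rule over constructed image-load telemetry and flags a DLL whose name belongs to the System32 baseline but is resolved from somewhere else, adding context (co-location with the loading executable, missing signature) that a responder would want. The line format, the baseline DLL names, the file paths and the `scan`/`classify` helpers are all assumptions made for the example.

```python
"""Heuristic for DLL search-order hijacking in image-load telemetry (added example).

Everything here is constructed for illustration: the log line format loosely
mirrors the fields of a Sysmon "Image loaded" event, and the DLL names,
paths and the System32 baseline are sample values, not indicators from the
Crimson Palace reporting.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where the OS itself ships the DLLs in the baseline (assumed).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed baseline: base names of DLLs inventoried from System32 on a
# clean host. A real deployment would build this from an actual inventory.
SYSTEM32_BASELINE = {"sysliba.dll", "syslibb.dll", "syslibc.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process: str   # full path of the process that loaded the DLL
    image: str     # full path of the DLL that was loaded
    signed: bool   # whether the DLL carried a valid code signature


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'k=v|k=v' telemetry line into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process=fields["Process"],
        image=fields["Image"],
        signed=fields["Signed"].lower() == "true",
    )


def _in_trusted_dir(path: str) -> bool:
    directory = ntpath.dirname(path).lower()
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def classify(ev: ImageLoad, baseline: set[str] = SYSTEM32_BASELINE) -> str | None:
    """Return a reason string if the load looks like search-order hijacking, else None.

    The rule fires when a DLL whose base name belongs to the System32 baseline
    is resolved from somewhere other than the trusted OS directories; the
    reasons accumulate the context a responder would want.
    """
    name = ntpath.basename(ev.image).lower()
    if name not in baseline or _in_trusted_dir(ev.image):
        return None
    reasons = [f"{name} resolved outside the OS directories ({ntpath.dirname(ev.image)})"]
    if ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.process).lower():
        reasons.append("DLL sits beside the loading executable (search-order hijack pattern)")
    if not ev.signed:
        reasons.append("DLL is unsigned")
    return "; ".join(reasons)


def scan(lines: list[str], baseline: set[str] = SYSTEM32_BASELINE) -> list[tuple[ImageLoad, str]]:
    """Run the rule over raw telemetry lines and return the flagged loads."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reason = classify(ev, baseline)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample telemetry (not real events): two benign loads, two suspicious.
SAMPLE_LINES = [
    r"Process=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\sysliba.dll|Signed=true",
    r"Process=C:\Program Files\Vendor\app.exe|Image=C:\Program Files\Vendor\appcore.dll|Signed=true",
    r"Process=C:\Users\alice\AppData\Local\Temp\updater.exe|Image=C:\Users\alice\AppData\Local\Temp\sysliba.dll|Signed=false",
    r"Process=C:\ProgramData\Tool\tool.exe|Image=C:\ProgramData\Tool\syslibb.dll|Signed=true",
]

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_LINES):
        print(f"ALERT {ev.process} -> {ev.image}: {reason}")
```

The rule only covers the side-loading flavour in which a name that normally resolves to System32 is satisfied from another directory; a load of a DLL name that does not exist on the host at all (a "phantom" load) needs a baseline of missing-file lookups rather than of present files, and a signed DLL in an unusual place still warrants a look at who signed it.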

The TattleTale keylogger, identified in August 2023, adds to this arsenal by collecting browser data from Google Chrome and Microsoft Edge, and accessing sensitive information such as password policies and security settings from compromised systems.


Countermeasures and Challenges

While Sophos and other security teams have worked to deploy countermeasures against this campaign, the adversaries have continually refined their techniques. They combine custom-developed tools with open-source penetration testing tools, adjusting their tactics based on the defensive measures deployed.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067