One long-running campaign targets at least nine governments across Asia, the Middle East, and Africa. The APT group uses rare backdoors to maintain persistence and hacks email servers for intelligence, as reported by Unit 42 of Palo Alto Networks. Active since at least late 2022, the group, codenamed CL-STA-0043, is tracked under Operation Diplomatic Specter.
The group is persistent and adaptable, targeting diplomatic and economic missions, government officials, military entities, ministries, and embassies. It monitors geopolitical developments and exfiltrates information on a daily basis, frequently gaining access by exploiting known Microsoft Exchange vulnerabilities such as ProxyLogon and ProxyShell and then infiltrating the mail servers themselves.
They use various tools, including custom backdoors TunnelSpecter and SweetSpecter, which share code with SugarGh0st, a RAT linked to previous attacks. Cisco Talos noted that SugarGh0st, first seen in 2023, targets users in South Korea and Uzbekistan's Ministry of Foreign Affairs via phishing emails.
Attackers often reuse tools, which complicates attribution. Unit 42 found overlaps between the infrastructure of Operation Diplomatic Specter and that of other Chinese APT campaigns, suggesting ties to Beijing. The group uses tools such as Gh0st RAT, PlugX, Htran, and China Chopper, and its malware contains Mandarin-language code comments and debug strings.
China's cyberespionage apparatus is vast, involving hundreds of thousands of individuals and contractors. Recent reports highlight the increased use of mesh networks and the emergence of new APT groups such as Unfading Sea Haze, which employs malware linked to established Chinese APT groups like APT41.