A new malicious espionage campaign is targeting telecommunications organizations and governments across Central and Southeast Asia, CheckPoint Research has discovered.
The campaign, which CheckPoint tracks as ‘Stayin’ Alive’, has been active since at least 2021 and is tied to the Chinese cyber espionage group ToddyCat.
The campaign leverages spear-phishing emails to deliver archived files using DLL side-loading schemes, hijacking dal_keepalives[dot]dll in Audinate’s Dante Discovery software (CVE-2022-23748).
CheckPoint also found several loaders and downloaders, some were used as initial infection vectors against high-profile Asian organizations in Kazakhstan, Uzbekistan, Pakistan, and Vietnam.
One of them, CurKeep, is deployed by running the legitimate executable, signed by Zoom, which loads dal_keepalives[dot]dll. The DLL file then loads CurKeep.
Other tools include CurLu, CurCore and StylerServ. They are all custom-made.
“The simplistic nature of the tools we observed in the campaign and their wide variation suggests they are disposable, mostly utilized to download and run additional payloads. These tools share no clear code overlaps with products created by any known actors and do not have much in common with each other,” reads the CheckPoint report.
Their infrastructure led CheckPoint researchers to attribute the campaign to ToddyCat, which likely conducted the Stayin’ Alive campaign as part of a much broader espionage campaign.
Who Is ToddyCat?
ToddyCat is a Chinese-affiliated advanced persistent threat (APT) group that has been active since at least 2020. The group is known for targeting high-profile organizations in Asia, including telecoms, government agencies, and military contractors.
The group uses various techniques to gain access to target systems, including spear-phishing emails, zero-day exploits, and supply chain attacks. Once ToddyCat has gained access to a system, the group can deploy various malware, including backdoors, trojans, and keyloggers.
Questions remain over ToddyCat's goals, but the group is believed to be motivated by espionage. The group has been known to steal sensitive data, such as intellectual property, trade secrets, and government documents.