Naikon

Bitdefender's Cyber Threat Intelligence Lab published 'NAIKON — Traces from a Military Cyber-Espionage Operation', documenting a June 2019 to March 2021 campaign against military organisations in Southeast Asia. The operators used the Aria-body loader and the Nebulae backdoor for initial compromise and added the RainyDay backdoor starting in September 2020, abusing DLL side-loading against legitimate binaries from McAfee, Sandboxie, Outlook, and Quick Heal to evade detection.

Check Point Research published 'Naikon APT: Cyber Espionage Reloaded', detailing a previously undocumented backdoor called Aria-body deployed against ministries of foreign affairs, science and technology, and government-owned companies in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. Check Point attributed the activity to Naikon via shared infrastructure with prior Naikon campaigns, debug-string overlap with the XsFunction backdoor, and reuse of the djb2 hashing algorithm.

MITRE published the Naikon group entry (G0019) in ATT&CK, characterising the actor as a state-sponsored Chinese cyber-espionage group active since at least 2010 and primarily targeting government, military, and civil organisations in Southeast Asia along with international bodies including the UN Development Programme and ASEAN. The page consolidates associated software including Aria-body, RainyDay, Nebulae, SslMM, WinMM, and RARSTONE.

ThreatConnect and Defense Group Inc. released Project CAMERASHY, attributing the Naikon APT to the Chinese People's Liberation Army Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020) based on technical analysis of intrusion infrastructure and native-language research that linked the greensky27.vicp.net handle to Ge Xing, an officer assessed to be a member of Unit 78020. The report documented five-plus years of espionage against South China Sea claimant states and ASEAN.