Report · Severity: Medium · 2021-04-27

Bitdefender details Naikon RainyDay and Nebulae backdoors used against Southeast Asian militaries

published by Bitdefender
Actor
Naikon · CN · China · APT

PRC state-sponsored intrusion set publicly attributed by ThreatConnect and Defense Group Inc. to the People's Liberation Army Unit 78020 (Chengdu Military Region Second Technical Reconnaissance Burea…

Summary

Bitdefender's Cyber Threat Intelligence Lab published 'NAIKON — Traces from a Military Cyber-Espionage Operation', documenting a June 2019 to March 2021 campaign against military organisations in Southeast Asia. The operators used the Aria-body loader and the Nebulae backdoor for initial compromise and added the RainyDay backdoor starting in September 2020, abusing DLL side-loading against legitimate binaries from McAfee, Sandboxie, Outlook, and Quick Heal to evade detection.

Tags

report · rainyday · nebulae · southeast-asia

Primary source

bitdefender.com
