In recent weeks, the Chinese state-sponsored hacking group known as Override Panda has made headlines again with a sophisticated spear-phishing campaign aimed at acquiring sensitive information from targeted organizations.
According to a report by Cluster25, this threat actor leveraged a spear-phishing email to deliver a component from the Red Team framework known as ‘Viper.’ While the specific targets of this recent attack remain unidentified, past behaviors suggest it could be aimed at a government organization in a South Asian nation.
Also recognized as Naikon, Hellsing, and Bronze Geneva, Override Panda has been operating on behalf of Chinese interests since at least 2005, primarily conducting intelligence-gathering operations against ASEAN countries. Its tradecraft typically involves attaching decoy documents to phishing emails to entice victims into opening them, which in turn infects the victim's system with malware.
In April 2022, the group was linked to a broad cyber-espionage campaign targeting military organizations in Southeast Asia. Earlier, in August 2021, Naikon was implicated in cyberattacks against the regional telecom sector, highlighting its ongoing operations in the region.
The recent campaign uncovered by Cluster25 mirrors these previous activities. The attackers refined their methodology by using a weaponized Microsoft Office document to start the infection chain: a loader launches shellcode, which ultimately injects a beacon for the Viper framework.
Viper, which is publicly available on GitHub, positions itself as a “graphical intranet penetration tool” that modularizes and weaponizes common tactics and technologies used in intranet infiltration. Similar in nature to Cobalt Strike, it features over 80 modules designed to facilitate initial access, maintain persistence, enable privilege escalation, and execute arbitrary commands.
Researchers observing Naikon’s operations note that the group tends to engage in long-term intelligence and espionage missions, indicative of their focus on foreign governments and officials. Their strategic evolution includes adapting tactics, techniques, and procedures over time to minimize detection and maximize their impact.
The MITRE ATT&CK framework offers insights into the potential adversary techniques employed in these recent attacks, including initial access via phishing, persistence through malware deployment, and privilege escalation techniques to further compromise systems. This approach not only underscores the group’s technical capabilities but also highlights the ongoing threat posed by state-sponsored actors in cyberspace.
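As an added example (not from the article or the Cluster25 report), the following Python script correlates constructed Sysmon-style process events to flag the chain described above: an Office process spawning an unexpected child (the loader), followed by that child creating a remote thread in another process (the beacon injection). The process names, sample events and the ATT&CK mappings chosen are assumptions for illustration.

```python
"""Correlate process telemetry to flag a maldoc -> loader -> injection chain.
Added example; the events below are constructed, not real IoCs."""
from dataclasses import dataclass

# Office applications that open phishing attachments.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Event:
    kind: str            # "process_create" or "create_remote_thread"
    pid: int             # pid of the process the event belongs to
    image: str           # that process's image name
    parent_image: str = ""   # for process_create
    target_image: str = ""   # for create_remote_thread


# Constructed sample telemetry (assumed names, not from the report).
SAMPLE_EVENTS = [
    Event("process_create", 1000, "outlook.exe", "explorer.exe"),
    Event("process_create", 1200, "winword.exe", "outlook.exe"),   # attachment opened
    Event("process_create", 1300, "rundll32.exe", "winword.exe"),  # loader spawned
    Event("create_remote_thread", 1300, "rundll32.exe", target_image="svchost.exe"),
    Event("process_create", 1400, "excel.exe", "explorer.exe"),    # benign
    Event("create_remote_thread", 1400, "excel.exe", target_image="excel.exe"),
]


def detect_chain(events):
    """Return (ATT&CK id, description) findings for the maldoc infection chain.

    Stage 1: an Office app spawning a non-Office child is treated as the loader
             (T1566.001 Spearphishing Attachment leading to execution).
    Stage 2: a remote thread created by a known loader pid is treated as the
             shellcode/beacon injection (T1055 Process Injection).
    """
    findings = []
    loader_pids = set()
    for e in events:
        parent = e.parent_image.lower()
        image = e.image.lower()
        if e.kind == "process_create" and parent in OFFICE_APPS and image not in OFFICE_APPS:
            findings.append(("T1566.001", f"{parent} spawned {image} (pid {e.pid})"))
            loader_pids.add(e.pid)
        elif e.kind == "create_remote_thread" and e.pid in loader_pids:
            findings.append(("T1055", f"{image} (pid {e.pid}) injected into {e.target_image}"))
    return findings


if __name__ == "__main__":
    for technique, detail in detect_chain(SAMPLE_EVENTS):
        print(technique, detail)
```

Only a remote thread created by a process already flagged as an Office-spawned loader is reported, so the benign Excel event in the sample is not raised.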