Chinese threat actors have been using the new Manjusaka attack framework, which is being promoted as an alternative to Cobalt Strike, according to BleepingComputer. Cisco Talos researchers first discovered Manjusaka in a malicious document posing as a COVID-19 case report in a Tibetan city, which had a VBA macro enabling the retrieval and loading of Cobalt Strike as a second-stage payload. However, Cobalt Strike served not only as the primary attack toolkit but also as a means of downloading Manjusaka implants for Windows or Linux systems. Similar capabilities have been found in Windows and Linux versions of Manjusaka, both of which have a remote access trojan with arbitrary command execution, browser-stored credential theft, and WiFi SSID and password exfiltration capabilities, as well as a file management module with file enumeration, directory creation, and file deletion features. "This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages. The developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors," said Cisco Talos.