Chinese threat actor DEV-0147 has targeted several South American diplomatic entities with the ShadowPad remote access trojan, also known as PoisonPlug, in a bid to facilitate network infiltration and persistent access, reports The Hacker News.
Aside from ShadowPad, DEV-0147 has also been leveraging the QuasarLoader webpack loader to enable further payload delivery, according to Microsoft.
"DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command-and-control and data exfiltration," said Microsoft.
Meanwhile, more Chinese threat actors were previously reported to have used ShadowPad in their attacks, with the RAT also being utilized by unidentified attackers in an intrusion that sought to compromise a foreign ministry in an ASEAN country.
Such attack activity, tracked as "REF2924" by Elastic Security Labs, "represents an attack group that appears focused on priorities that, when observed across campaigns, align with a sponsored national strategic interest," said Elastic Security Labs.
BleepingComputer reports that users of several U.S. financial institutions and numerous cryptocurrency apps are the primary targets of an expanded Xenomorph malware campaign, which leverages an updated version of the Android banking trojan and has also set its sights on users in Canada, Italy, Spain, Belgium, and Portugal.