
East Asian DLP firm, customers targeted by Chinese APT operation

Suspected Chinese advanced persistent threat operation Tick, also known as Stalker Panda, Bronze Butler, Stalker Taurus, and REDBALDKNIGHT, has infiltrated the internal update servers of a data-loss prevention company in East Asia to target the firm's government and military clients, according to The Hacker News. After gaining access to the DLP company's network, Tick proceeded to deploy a trojanized installer of the Q-Dir app in an effort to facilitate the distribution of the ReVBShell and Netboy backdoors, as well as the ShadowPy and Ghostdown downloaders, an ESET report revealed. "To maintain persistent access, the attackers deployed malicious loader DLLs along with legitimate signed applications vulnerable to DLL search-order hijacking. The purpose of these DLLs is to decode and inject a payload into a designated process," said researcher Facundo Muñoz. Meanwhile, Tick's attacks in February and June 2022 involved the use of the ANYSUPPORT and helpU remote support tools to transfer the trojanized installers to two customers of the DLP firm.
