A Chinese state-backed advanced persistent threat group (APT) is attacking governments and non-governmental organizations (NGOs) around the world, Symantec reported on its threat intelligence blog Tuesday.

Symantec’s Threat Hunter Team reported that the Cicada campaign, aka APT10, was heavily focused on espionage-style operations as far back as 2009 and targeted Japanese-linked companies several years ago. It has recently been observed attacking managed service providers with a more global footprint.

Since mid-2021, victims of the APT’s current campaign — with the most recent activity observed in February — include those in a wide number of sectors, such as government-related institutions, NGOs in the education and religious fields, as well as telecoms, legal and pharmaceutical sectors in Europe, Asia and North America. 

The Threat Hunter Team said that initial activity is seen on Microsoft Exchange Servers to deploy various tools, such as a custom loader and the Sodamaster backdoor. Sodamaster is believed to be exclusively used by Cicada and is capable of deploying multiple functions. Other tools used by Cicada allow the APT to obtain credentials and control victim machines remotely.