Dragon Hackers use Cobalt Strike & Backdoors to breach governments

May 25, 2024

TLDR:

  • Sharp Dragon hackers, previously known as Sharp Panda, have shifted their focus to targeting governmental organizations in Africa and the Caribbean.
  • They are using Cobalt Strike Beacon as their primary payload and have refined their tactics to minimize exposure.

The Chinese threat actor group Sharp Dragon, formerly tracked as Sharp Panda, has run targeted phishing campaigns since 2021, primarily against Southeast Asia. It has since extended its operations to governmental organizations in Africa and the Caribbean, adopting Cobalt Strike Beacon as its main payload and showing greater operational-security awareness than in earlier campaigns.

Historically, Sharp Dragon delivered payloads such as VictoryDLL and the Soul framework through tailored phishing emails aimed at high-profile targets. Since November 2023, however, its activity shows a clear geographic expansion to governmental entities in Africa and the Caribbean.

The group uses highly tailored lures on intergovernmental relations to establish initial footholds in these regions. It has also moved from dedicated servers to compromised servers for command and control, a change consistent with its effort to minimize exposure.

Sharp Dragon’s new infection chain starts with an executable disguised as a document, which writes and runs the 5.t DLL loader and registers a scheduled task for persistence. For defenders, those three artifacts, the document-lookalike executable, the dropped DLL loader, and the scheduled task, are the observable points of the chain, and they illustrate how quickly the group adapts its tooling against high-profile organizations.
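As an added example (not code from the article or from the research it summarizes), the script below scores scheduled-task creation records against the chain just described: a creating process whose name carries a document-style double extension, a task that runs a DLL host (rundll32/regsvr32) on a module in a user-writable directory, or a task binary that itself lives in such a directory. The log lines and task names are constructed for this example, and the key="value" layout is a hypothetical export format rather than a specific product's schema; the 5.t loader's on-disk filename is not assumed.

```python
"""Triage scheduled-task creation records for the executable-as-document ->
DLL loader -> scheduled task pattern. Sample log lines are constructed;
the key="value" layout is a hypothetical export, not a vendor format."""
import re

DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can normally write to (assumption: typical Windows layout).
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.IGNORECASE
)
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed records: one matching the chain, one benign system task, one partial hit.
SAMPLE_LOG = [
    'TaskName="\\Office\\DocSync" Creator="C:\\Users\\alice\\Downloads\\Invitation.pdf.exe" '
    'Command="C:\\Windows\\System32\\rundll32.exe" '
    'Arguments="C:\\Users\\alice\\AppData\\Roaming\\upd.dll,Run"',
    'TaskName="\\Maintenance\\Cleanup" Creator="C:\\Windows\\System32\\svchost.exe" '
    'Command="C:\\Windows\\System32\\rundll32.exe" '
    'Arguments="C:\\Windows\\System32\\shell32.dll,Control_RunDLL"',
    'TaskName="\\Updater\\Agent" Creator="C:\\Users\\alice\\Downloads\\setup.exe" '
    'Command="C:\\Users\\alice\\AppData\\Local\\Temp\\agent.exe" Arguments=""',
]


def parse_event(line):
    """Turn one key="value" record into a dict."""
    return dict(FIELD.findall(line))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def disguised_as_document(path):
    """True for names like Invitation.pdf.exe: document extension, then executable one."""
    parts = basename(path).split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS and parts[-2] in DOC_EXTENSIONS


def loads_from_user_writable(command, arguments):
    """True when a DLL host is pointed at a module under a user-writable directory."""
    if basename(command) not in DLL_HOSTS:
        return False
    # rundll32 form is "<module>,<entry>"; regsvr32 passes flags then the path.
    module = arguments.split(",", 1)[0].strip().strip('"')
    return bool(USER_WRITABLE.search(module))


def action_in_user_writable(command):
    return bool(USER_WRITABLE.search(command))


def findings(event):
    """Return the list of matched heuristics for one parsed record."""
    hits = []
    if disguised_as_document(event.get("Creator", "")):
        hits.append("creator executable uses a document-style double extension")
    if loads_from_user_writable(event.get("Command", ""), event.get("Arguments", "")):
        hits.append("task runs a DLL host on a module in a user-writable directory")
    if action_in_user_writable(event.get("Command", "")):
        hits.append("task binary lives in a user-writable directory")
    return hits


def triage(lines):
    """Map each TaskName to its findings; empty list means nothing matched."""
    events = [parse_event(line) for line in lines]
    return {e["TaskName"]: findings(e) for e in events}


if __name__ == "__main__":
    for task, hits in triage(SAMPLE_LOG).items():
        print(task, "->", hits or "clean")
```

The three heuristics are deliberately independent so a record that matches only one (for example a legitimate updater running from AppData) surfaces with lower weight than one matching all three; in a production rule the creator-process check would normally be joined to the task-creation event via the process ID rather than a name field.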
