From Campus to C2: Tracking a Persistent Chinese Operation Against Vietnamese Universities
Occasionally, when threat actors host payloads over HTTP, they accidentally expose the entire directory tree of files rather than the single payload they intended to share. This is a major operational security failure for the adversary, because additional tooling, victim data, adversary credentials, and more can all be exposed.
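An exposed directory listing is only useful to a defender once it has been turned into an inventory that can be triaged. The following Python script, added here as an illustration and not code from the original research, parses a nginx/Apache-style autoindex page into structured entries (name, directory flag, modification time, size) and flags file types that warrant a closer look. The HTML it operates on is a constructed sample, and the extension list in `SUSPICIOUS_EXT` is an assumed starting point rather than anything from the article.

```python
"""Turn an nginx/Apache-style directory index page into a triage inventory."""
from html.parser import HTMLParser
import re

# Constructed sample of an autoindex page (not a real listing from the research).
SAMPLE_INDEX = """<html><head><title>Index of /uploads/</title></head>
<body><h1>Index of /uploads/</h1><hr><pre><a href="../">../</a>
<a href="loader.exe">loader.exe</a>        12-Mar-2024 09:15  1048576
<a href="notes.txt">notes.txt</a>          12-Mar-2024 09:20  2048
<a href="tools/">tools/</a>                11-Mar-2024 18:02  -
</pre><hr></body></html>"""

# Date/time followed by a size column ("-" for directories in nginx output).
_META = re.compile(r"(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})\s+(\S+)")

# Assumed list of extensions worth a first look during triage.
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".vbs", ".jsp", ".aspx", ".php")


class _IndexParser(HTMLParser):
    """Collects one entry per <a> link plus the date/size text that follows it."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._href = None     # href of the anchor currently open
        self._pending = None  # href whose trailing date/size text comes next

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._pending = None
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a":
            # Skip the parent-directory link; everything else becomes an entry.
            if self._href and self._href != "../":
                self._pending = self._href
            self._href = None

    def handle_data(self, data):
        # Only the whitespace-padded text after a closed anchor carries metadata.
        if self._pending is None or not data.strip():
            return
        m = _META.search(data)
        size = None
        if m and m.group(2) != "-":
            try:
                size = int(m.group(2))
            except ValueError:
                size = m.group(2)  # Apache may print human-readable sizes like "1.0M"
        self.entries.append({
            "name": self._pending,
            "is_dir": self._pending.endswith("/"),
            "modified": m.group(1) if m else None,
            "size": size,
        })
        self._pending = None


def parse_index(html):
    """Return a list of entry dicts parsed from an autoindex HTML page."""
    parser = _IndexParser()
    parser.feed(html)
    parser.close()
    return parser.entries


def triage(entries):
    """Return names of non-directory entries whose extension is on the watch list."""
    return [e["name"] for e in entries
            if not e["is_dir"] and e["name"].lower().endswith(SUSPICIOUS_EXT)]


if __name__ == "__main__":
    inventory = parse_index(SAMPLE_INDEX)
    for entry in inventory:
        print(entry)
    print("flagged:", triage(inventory))
```

Subdirectories show up as entries ending in `/` with no size, which is the cue to fetch and parse those listings as well; the same parser applies at each level.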
The research, conducted by @xorJosh and @polygonben with the assistance of @0xffaraday, identified a Chinese threat actor that had successfully compromised a minimum of 25 unique Vietnamese universities or educational facilities, many of which specialize in technology and engineering.
This wasn’t a smash-and-grab. The attackers built themselves a whole safety net - RDP tunnels, scheduled tasks, at least two different C2 frameworks running side by side, and layers of webshells all stitched into victim networks. Combined with the scale of universities hit, the heavy use of Chinese red-team tools, and the overlap with Earth Lamia’s TTPs, the goal here was information gathering across Vietnam’s education sector by a persistent Chinese actor.
If you’ve read this far, you’re clearly interested in the activities of this adversary. If you have additional information to share, or if you’d like further details about our research, please feel free to reach out to us at c0baltstrik3d [@] gmail [.] com. We welcome collaboration and the exchange of threat intelligence.
To read the complete article see: