Skip to main content
Mallory
Back to threat actors
7 malware families

Crimson Palace

Also known ascrimson_palace

Crimson Palace is a Chinese state-sponsored cyberespionage operation/campaign targeting government organizations in Southeast Asia. Sophos reported a long-running intrusion against a high-profile Southeast Asian government organization, with activity mainly from March to December 2023, evidence of related activity dating back to early 2022, and one cluster continuing into at least April 2024. Sophos tracked at least three intrusion clusters within the campaign: Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305). Sophos assessed with high confidence that the campaign supported Chinese state interests, but refrained from attributing it with high confidence to a single known actor because of common infrastructure and tool sharing across Chinese intrusion sets. The campaign emphasized long-term persistence, redundancy, and espionage. Reported objectives and victim data of interest included military, political, and technical information, including documents related to South China Sea strategy. Tradecraft included extensive DLL sideloading across more than 15 scenarios, abuse of legitimate Microsoft and security-vendor software, Windows service persistence, use of valid accounts for lateral movement, reconnaissance, credential dumping and credential interception, mass event log analysis, automated ping sweeps, and exfiltration attempts. Sophos also reported evasion including in-memory replacement of ntdll.dll to unhook security tooling, and an updated EAGERBEE variant capable of disrupting or blackholing communications to antivirus-vendor domains. Malware and tooling directly reported in connection with Crimson Palace include CCoreDoor, PocoProxy, EAGERBEE, NUPAKAGE, Merlin Agent, Cobalt Strike, PhantomNet (DOWNTOWN), RUDEBIRD, PowHeartBeat, and a custom HUI loader. BitDefender reportedly designated CCoreDoor as EtherealGh0st. Public reporting also linked Crimson Palace-related activity or tooling overlaps with Earth Estries, REF5961, BackdoorDiplomacy, Unfading Sea Haze, Worok/TA428, and APT41 subgroup Earth Longzhi. Separate reporting cited textinputhost.dat as previously leveraged by Crimson Palace in attacks against Southeast Asia, and Unit 42 noted that Masol RAT and EggStreme had been publicly associated with campaigns such as Crimson Palace and Earth Estries. Known aliases directly present in the content: crimson_palace.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
MITRE ATT&CK

Tradecraft

11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics16 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
2 techniques
T1059×2
Command and Scripting Interpreter
T1129
Shared Modules
TA0004
Privilege Escalation
1 technique
T1055
Process Injection
TA0005
Stealth
1 technique
T1055
Process Injection
TA0006
Credential Access
1 technique
T1056
Input Capture
T1056.001
Keylogging
TA0007
Discovery
2 techniques
T1016
System Network Configuration Discovery
T1083
File and Directory Discovery
TA0009
Collection
2 techniques
T1056
Input Capture
T1056.001
Keylogging
T1115
Clipboard Data
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
DonutThis decrypted payload is Donut (aka DonutLoader, aka donut_injector) shellcode – an open-source, in-memory loader.1May 8, 2026
EggStreme LoaderThe researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak.1Mar 30, 2026
EggStremeFuelThe researchers reported that in 2025, the CL-STA-1048 cluster deployed multiple espionage tools against a Southeast Asian target, including EggStremeFuel, Masol RAT, EggStreme Loader (Gorem RAT), and TrackBak. EggStremeFuel used RC4-encrypted C2 configs to upload/download files and control reverse shells.1Mar 30, 2026
FluffyGh0stFluffyGh0st, linked to China-aligned groups like Unfading Sea Haze and Sophos-tracked Crimson Palace, enables remote control and plugin-based functionality, showing advanced persistence and espionage capabilities.1Mar 30, 2026
Hypnosis LoaderCluster CL-STA-1049 used a stealthy “Hypnosis” DLL loader to deploy FluffyGh0st RAT via DLL sideloading with a legitimate Bitdefender executable.1Mar 30, 2026

2 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
sophos blogNews
May 7, 2026
Donuts and Beagles: Fake Claude site spreads backdoor | SOPHOS

Associated with multiple attacks against government organizations in Southeast Asia.

Read more
palo alto networks unit 42 blogNews
Mar 26, 2026
Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government

China-aligned espionage campaign referenced as overlapping with CL-STA-1048 and CL-STA-1049 through shared tooling such as Masol RAT and FluffyGh0st.

Read more
sophos threat researchNews
Jun 5, 2024
Operation Crimson Palace: Sophos threat hunting unveils multiple clusters of Chinese state-sponsored activity targeting Southeast Asian government | SOPHOS

Chinese state-sponsored cyberespionage campaign against a Southeast Asian government organization, focused on long-term access, reconnaissance, credential theft, and exfiltration of sensitive military/political documents, using extensive DLL sideloading, multiple redundant C2 implants, and evasion (including in-memory unhooking).

Read more
verizon businessNews
Nov 25, 2025

China-linked espionage actor conducting targeted campaigns to collect sensitive technical information, recon specific users, and access critical IT systems.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping11

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.