China-Linked Espionage Campaign Compromises Southeast Asian Edge Routers
Researchers reported a China-linked espionage campaign targeting enterprise edge routers in Southeast Asia with a custom Linux implant called router.elf. The malware uses encrypted HTTPS command-and-control over port 443 and Cloudflare DNS over HTTPS to conceal communications, while modifying iptables NAT rules to redirect downstream DNS traffic to attacker-controlled resolvers. Analysts said this gives the operators an infrastructure-level foothold for surveillance, traffic interception, and possible manipulation of internal network activity, including software update flows.
The operation also appears to extend from compromised routers into Windows environments. Investigators linked the Linux activity to a secondary backdoor, client_rc_start, and to a Windows intrusion chain that deploys a Cobalt Strike Beacon through DLL sideloading, using a malicious version.dll loaded by CrashReport.exe. Shared command-and-control domains, URI patterns, cookie markers, user-agent values, and beacon timing indicate centralized control across the Linux and Windows components, while attribution clues cited in reporting include Mandarin-language strings, a zh-CN setting, and tooling overlaps with earlier China-linked operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Akamai identifies P2P cryptominer campaign targeting exposed Ollama services
Akamai Security Intelligence Response Team identified a cryptominer campaign scanning for exposed Ollama services on port 11434 and using automated API requests to execute an entry script named i.sh. The malware used a Go-based libp2p architecture, deployed an adjusted XMRig miner, and maintained persistence with a root crontab job.
QiAnXin links router and Windows intrusions in Southeast Asia campaign
QiAnXin researchers identified a cyber-espionage campaign targeting edge routers in Southeast Asia with a custom Linux implant named router.elf, alongside a related Windows intrusion chain delivering Cobalt Strike via DLL sideloading. The report cited shared infrastructure and tooling patterns and assessed the activity as China-linked.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Custom Linux Router Implant Striking Southeast Asia
securityonline.info
Open sourceP2P Cryptominer Malware Threat Targets Ollama Endpoints
securityonline.info
Open sourceChina-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Groups Built Covert Botnets From Compromised Routers and IoT Devices
A joint advisory from the UK **NCSC**, the United States, and other international partners warned that China-nexus threat actors are increasingly using large covert networks of compromised **SOHO routers, IoT devices, firewalls, and NAS systems** to route malicious traffic, hide attribution, and support espionage and disruptive operations. The warning said these botnet-style proxy networks are used across the full cyber kill chain, from reconnaissance and malware delivery to command-and-control and data theft, and identified activity tied to **Volt Typhoon**, **Flax Typhoon**, and the **Raptor Train** botnet. Officials said Volt Typhoon’s **KV Botnet** relied heavily on end-of-life Cisco and Netgear routers, while Raptor Train infected more than **200,000** devices worldwide and was reportedly controlled by **Integrity Technology Group**. Governments said the scale and churn of these compromised-device networks make traditional static IP blocklists increasingly ineffective, creating what some reporting described as rapid indicator loss or “IOC extinction.” Agencies urged organizations to map internet-facing and edge assets, baseline normal traffic from routers and IoT devices, enforce **MFA**, apply dynamic threat intelligence, use allow-listing and **zero trust** controls, and actively hunt for suspicious proxy-node behavior on residential, branch, and enterprise-connected infrastructure. The disclosures also linked the threat to broader Chinese pre-positioning activity against critical infrastructure and telecom environments, underscoring how weakly secured edge devices continue to provide durable operational cover for state-backed intrusions.
Apr 27, 2026
China-Linked Espionage Campaigns Target Regional Government and Military Interests
Security researchers reported multiple **China-linked espionage operations**, but they are not the same incident. One campaign tracked by Palo Alto Networks as **CL-STA-1087** targeted military organizations in Southeast Asia over several years, focusing on intelligence collection related to military capabilities, organizational structures, and cooperation with Western armed forces. The activity used custom malware including the **AppleChris** and **MemFun** backdoors and a **Getpass** credential harvester, alongside stable infrastructure and selective file collection consistent with long-term state-sponsored espionage. A separate report from Zscaler described a **China-nexus** intrusion set targeting entities in the Persian Gulf using conflict-themed lures to deliver **PlugX**. That attack chain relied on a ZIP archive containing a deceptive `.lnk` file, which downloaded a malicious CHM file, used `hh.exe` for extraction, displayed a decoy PDF about Iranian missile strikes, and ultimately installed a multi-stage PlugX payload. The other references are unrelated: one is a technical review of **CVE-2026-25185** in Windows shortcut handling, and another covers malicious Packagist themes shipping trojanized jQuery tied to **FUNNULL** infrastructure rather than the China-linked espionage activity described in the relevant reports.
Mar 21, 2026
China-Linked CL-STA-1087 Spied on Southeast Asian Militaries With AppleChris and MemFun
Palo Alto Networks Unit 42 disclosed a long-running cyberespionage campaign, tracked as **CL-STA-1087**, that has targeted military organizations across Southeast Asia since at least 2020. The intrusions were aimed at collecting highly specific intelligence on military capabilities, organizational structures, **C4I** environments, joint military efforts, official meeting records, and cooperation with Western armed forces, rather than conducting broad data theft. Researchers said the activity was first uncovered after suspicious PowerShell behavior on an unmanaged endpoint exposed an already-established foothold, with the attackers using delayed execution, dormant periods lasting months, and reverse shells to preserve stealth and support long-term access. The operation used custom malware including the **AppleChris** backdoor, the in-memory **MemFun** backdoor, and **Getpass**, a modified Mimikatz-based credential theft tool. Investigators reported tradecraft including DLL hijacking, process hollowing, reflective DLL loading, timestomping, malicious Windows service creation, and lateral movement with WMI and native .NET tooling across domain controllers, web servers, IT workstations, and executive systems. Command-and-control traffic was hidden through dead-drop resolvers on legitimate services such as **Pastebin** and **Dropbox**, while infrastructure patterns, UTC+8 working hours, China-based cloud hosting, and Simplified Chinese artifacts led researchers to assess the campaign with moderate confidence as China-linked state-backed espionage.
Jun 8, 2026