Chinese Espionage Campaign Breached Middle East Telcos via Exchange Servers
Chinese state-linked attackers infiltrated telecommunications providers in the Middle East after compromising internet-facing Microsoft Exchange servers, according to SentinelLABS and QGroup. The intrusions, first observed in early 2023, used webshell-based command execution to establish access and then expanded into reconnaissance, credential theft, lateral movement, and staging for data exfiltration. Researchers assessed the activity as highly likely tied to a Chinese cyberespionage actor associated with Operation Soft Cell, with Gallium judged a likely participant and possible links to APT41 or shared tooling among Chinese state-sponsored groups.
A key element of the campaign was mim221, a custom credential-theft framework derived from Mimikatz and built to steal credentials from LSASS while reducing detection opportunities. SentinelLABS said the malware chain used reflective loading, abuse of LSASS security packages, and selective termination of Windows Event Log service threads to limit forensic visibility, underscoring continued Chinese intelligence interest in regional telecom networks and a broader shift toward stealthier post-compromise tooling.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Chinese-linked intrusions target Middle East telecom providers
SentinelLABS and QGroup observed initial attack phases in Q1 2023 targeting telecommunication providers in the Middle East. The intrusions began via compromised Internet-facing Microsoft Exchange servers and webshell-based command execution, followed by reconnaissance, credential theft, lateral movement, and preparation for exfiltration.
SentinelLABS details WIP26 cloud-based telco espionage tradecraft
On 2025-04-11, SentinelLABS disclosed a likely espionage cluster tracked as WIP26 targeting Middle East telecom providers with WhatsApp lures and Dropbox-hosted archives that deployed the CMD365 and CMDEmber backdoors. The report said the actor abused Microsoft 365 Mail, Google Firebase, Azure, and Dropbox for command-and-control, hosting, and exfiltration to blend malicious traffic with legitimate cloud services.
SentinelLABS discloses mim221 credential theft framework
On 2025-04-11, SentinelLABS publicly described mim221, a custom and actively maintained credential theft framework used in the campaign. The modified Mimikatz-based malware chain stole credentials from LSASS and used reflective loading, LSASS Security Package abuse, and selective termination of Windows Event Log service threads to reduce forensic visibility.
Researchers link telecom campaign to Operation Soft Cell cluster
In the SentinelLABS report published on 2025-04-11, researchers assessed the activity as highly likely linked to a Chinese cyberespionage actor associated with Operation Soft Cell. They also assessed with medium confidence that Gallium was involved, while noting possible links to APT41 and potential tool-sharing among Chinese state-sponsored actors.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chinese State-Backed Espionage Campaign Breached Global Service Providers and Customer Networks
Australia’s ACSC and CISA warned that Chinese state-sponsored actors compromised networks worldwide as part of a broad espionage operation that targeted IT service providers and then leveraged that access to reach downstream customer environments. U.S. government reporting tied the activity to Chinese cyber actors associated with the Ministry of State Security, describing a long-running campaign that stole intellectual property and sensitive data from organizations across at least 12 countries and sectors including information technology, energy, healthcare, communications, and critical manufacturing. The intrusions relied on stolen administrative credentials, abuse of digital certificates, and post-compromise tooling including **PowerShell**, **PowerSploit**, **REDLEAVES**, and **PLUGX** to maintain persistence and move laterally. Authorities said the malware used techniques such as **DLL side-loading**, in-memory execution, and **RC4**-encrypted command-and-control over port `443`, including spoofed domains masquerading as Windows update infrastructure, and urged defenders to strengthen privileged account protections, network segmentation, logging, and monitoring for suspicious administrative share activity and protocol mismatches.
May 27, 2026
China-Aligned Shadow-Earth-053 Breached Exchange Servers for Long-Term Espionage
Trend Micro disclosed that the China-aligned cluster **SHADOW-EARTH-053** compromised more than a dozen organizations in at least eight countries by exploiting vulnerable Microsoft Exchange and IIS servers, including the `ProxyLogon` chain, then deploying **GODZILLA** web shells and the **ShadowPad** backdoor to maintain access. Victims included government agencies, defense contractors, technology firms, transportation organizations, and at least one target in Poland, with activity observed from December 2024 through April 2026. Researchers said the intrusions resemble broader Chinese state-linked operations such as Salt Typhoon and Volt Typhoon and may support long-term espionage, prepositioning, and potential future disruption. Post-compromise activity included DLL sideloading with a renamed Toshiba Bluetooth Stack executable, registry-resident shellcode execution via `EnumDesktopsA` callback injection, scheduled-task persistence, mailbox collection from Exchange, credential theft, and lateral movement using tools such as **IOX**, **GOST**, **Wstunnel**, **Sharp-SMBExec**, **Mimikatz**, and **Evil-CreateDump**. Trend Micro also identified overlap with a related cluster, **SHADOW-EARTH-054**, including shared tool hashes, reused vulnerabilities, and compromises at some of the same organizations, although the company assessed the relationship as overlapping exploitation rather than clearly coordinated operations. Defenders were urged to patch Exchange and IIS systems quickly and review IIS worker process activity, web-shell indicators, and other signs of stealthy post-exploitation.
May 15, 2026
China-Linked CL-STA-1087 Spied on Southeast Asian Militaries With AppleChris and MemFun
Palo Alto Networks Unit 42 disclosed a long-running cyberespionage campaign, tracked as **CL-STA-1087**, that has targeted military organizations across Southeast Asia since at least 2020. The intrusions were aimed at collecting highly specific intelligence on military capabilities, organizational structures, **C4I** environments, joint military efforts, official meeting records, and cooperation with Western armed forces, rather than conducting broad data theft. Researchers said the activity was first uncovered after suspicious PowerShell behavior on an unmanaged endpoint exposed an already-established foothold, with the attackers using delayed execution, dormant periods lasting months, and reverse shells to preserve stealth and support long-term access. The operation used custom malware including the **AppleChris** backdoor, the in-memory **MemFun** backdoor, and **Getpass**, a modified Mimikatz-based credential theft tool. Investigators reported tradecraft including DLL hijacking, process hollowing, reflective DLL loading, timestomping, malicious Windows service creation, and lateral movement with WMI and native .NET tooling across domain controllers, web servers, IT workstations, and executive systems. Command-and-control traffic was hidden through dead-drop resolvers on legitimate services such as **Pastebin** and **Dropbox**, while infrastructure patterns, UTC+8 working hours, China-based cloud hosting, and Simplified Chinese artifacts led researchers to assess the campaign with moderate confidence as China-linked state-backed espionage.
Jun 8, 2026