Sophos, a global leader in security solutions, has revealed the latest developments in a two-year-long Chinese cyberespionage campaign in Southeast Asia. Crimson Palace: New Tools, Tactics, Targets, which began in June, involved the discovery of three clusters of Chinese nation-state activity within a high-profile government organization. After a hiatus in August 2023, renewed activity was observed in Cluster Bravo and Cluster Charlie within the targeted and other regional organizations. Sophos X-Ops discovered a novel keylogger called “Tattletale,” which can impersonate users and gather information about password policies, security settings, cached passwords, browser information, and storage data. In contrast to the initial wave of the operation, Cluster Charlie increasingly used open-source tools instead of custom malware.

Cluster Charlie, which shares tactics, techniques, and procedures (TTPs) with the Chinese threat group Earth Longzhi, was originally active from March to August 2023 in a high-level government organization in Southeast Asia. While the cluster was dormant for several weeks, it re-emerged in September 2023 and was active until at least May 2024. During this second stage of the campaign, Cluster Charlie focused on penetrating deeper into the network, evading endpoint detection and response (EDR) tools, and gathering further intelligence. In addition to switching to open-source tools, Cluster Charlie began using tactics initially deployed by Cluster Alpha and Cluster Bravo, suggesting that the same overarching organization is directing all three activity clusters. Sophos X-Ops has tracked ongoing Cluster Charlie activity across other Southeast Asian organizations.

Cluster Bravo, which shares TTPs with the Chinese threat group Unfading Sea Haze, was originally only active in the targeted network for three weeks in March 2023. However, the cluster reappeared in January 2024, only this time targeting at least 11 other organizations and agencies in the same region. 

“Not only are we seeing all three of the ‘Crimson Palace’ clusters refine and coordinate their tactics, but they’re also expanding their operations, attempting to infiltrate other targets in Southeast Asia. Given how frequently Chinese nation-state groups share infrastructure and tools and that Cluster Bravo and Cluster Charlie are moving beyond the original target, we will likely continue to see this campaign evolve—and in potentially new locations. We will be monitoring it closely,” said Jaramillo. 

To learn more, read “Crimson Palace: New Tools, Tactics, Targets” on Sophos.com. For details about Sophos’ threat hunting and other services for disrupting cyberattacks, go to Sophos Managed Detection and Response (MDR). 

For an in-depth look at the threat hunting behind this nearly two-year-long cyber espionage campaign, register for the upcoming webinar “Intrigue of the Hunt: Operation Crimson Palace: Unveiling a Multi-Headed State-Sponsored Campaign” on Sept. 24 at 2 PM ET: https://events.sophos.com/operation-crimson-palace/.