Chinese threat actor Sharp Panda has been targeting high-profile government entities in Southeast Asia since late last year in a cyber espionage campaign.
Israeli cybersecurity company Check Point has identified the use of a new version of the Soul modular framework in these intrusions, marking a departure from the group's attack chains observed in 2021.
The campaign has historically targeted countries such as Vietnam, Thailand, and Indonesia. The Soul backdoor's origins date back to 2017. The attack chain begins with a spear-phishing email carrying a lure document built with the Royal Road RTF weaponizer, which drops a downloader.
The downloader retrieves a loader known as SoulSearcher from a geofenced command-and-control server that responds only to requests originating from IP addresses in the targeted countries. The loader downloads, decrypts, and executes the Soul backdoor, which lets the adversary harvest a wide range of information. Geofencing of this kind also frustrates analysis: sandboxes and researchers outside the targeted countries receive nothing from the server and never see the later stages.
The Soul main module communicates with the command-and-control server and has a "radio silence"-like feature that specifies hours of the week during which the backdoor is not allowed to communicate with the server.
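The two server-side and implant-side gating behaviours described in the preceding paragraphs (the geofenced C2 and the "radio silence" schedule) are easier to reason about with a model. The following is an added example written for this article; it is not Check Point's code nor logic recovered from the Soul framework. The IP-to-country table is a constructed stub standing in for a GeoIP database, the test-net prefixes and country labels are invented, and the schedule representation (a set of weekday/hour slots) is an assumption for illustration, not the backdoor's actual configuration format. The last part shows the defender's side: given beacon timestamps, it rebuilds the hour-of-week histogram and recovers the quiet slots.

```python
"""Added example (not Check Point's code, nor the Soul backdoor's own logic).

1. Geofencing: the C2 answers only requests from IPs in allowed countries.
   The prefix-to-country table is a constructed stub, not a GeoIP database.
2. "Radio silence": the implant stays quiet during configured hours of the
   week. The (weekday, hour) slot representation is an assumption.
3. Defender side: recover the quiet slots from observed beacon timestamps.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Set, Tuple
import ipaddress

# --- 1. Geofenced C2 (constructed, hypothetical) ----------------------------
# Constructed table: RFC 5737 test networks labelled with made-up countries.
_PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "VN",   # TEST-NET-3, labelled VN
    ipaddress.ip_network("198.51.100.0/24"): "TH",  # TEST-NET-2, labelled TH
    ipaddress.ip_network("192.0.2.0/24"): "US",     # TEST-NET-1, labelled US
}
ALLOWED_COUNTRIES = {"VN", "TH", "ID"}  # the targeted countries named above


def country_of(ip: str) -> Optional[str]:
    """Stub GeoIP lookup: longest-prefix match is unnecessary for disjoint /24s."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _PREFIX_COUNTRY.items():
        if addr in net:
            return cc
    return None


def c2_serves(ip: str) -> bool:
    """A geofenced C2 serves the next stage only to the targeted countries.
    Unknown origins (None) are refused, so an analyst's sandbox sees nothing."""
    return country_of(ip) in ALLOWED_COUNTRIES


# --- 2. Radio-silence schedule (assumed representation) ---------------------
Slot = Tuple[int, int]  # (weekday 0=Mon..6=Sun, hour 0..23)


def silence_slots(weekdays: Iterable[int], hours: Iterable[int]) -> Set[Slot]:
    """Build the set of quiet (weekday, hour) slots, e.g. Mon-Fri 09:00-17:59."""
    return {(d, h) for d in weekdays for h in hours}


def may_beacon(ts: datetime, quiet: Set[Slot]) -> bool:
    """Implant-side check: talk to the C2 only outside the quiet slots."""
    return (ts.weekday(), ts.hour) not in quiet


def simulate_beacons(start: datetime, quiet: Set[Slot],
                     days: int = 14, interval_minutes: int = 30):
    """Constructed beacon log: the implant tries every interval and obeys the schedule."""
    out, t, end = [], start, start + timedelta(days=days)
    while t < end:
        if may_beacon(t, quiet):
            out.append(t)
        t += timedelta(minutes=interval_minutes)
    return out


# --- 3. Defender side: infer the schedule from observed beacons -------------
def quiet_slots_from_beacons(beacons: Iterable[datetime],
                             min_per_slot: int = 1) -> Set[Slot]:
    """Slots of the week that never (or too rarely) carry a beacon.
    Only meaningful once the capture spans at least one full week."""
    counts = Counter((b.weekday(), b.hour) for b in beacons)
    return {(d, h) for d in range(7) for h in range(24)
            if counts[(d, h)] < min_per_slot}


if __name__ == "__main__":
    quiet = silence_slots(range(0, 5), range(9, 18))        # weekdays, 09-17
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)       # a Monday
    log = simulate_beacons(start, quiet)
    print("C2 serves 203.0.113.7:", c2_serves("203.0.113.7"))
    print("C2 serves 192.0.2.1:  ", c2_serves("192.0.2.1"))
    print("recovered == configured:", quiet_slots_from_beacons(log) == quiet)
```

The defender-side recovery only works once the capture covers every hour of the week at least once; with a two-week window and a 30-minute interval each slot is observed several times, so an empty slot is a schedule gap rather than a sampling gap. In practice, long-lived quiet windows that line up with business hours in a particular time zone are themselves a hunting signal, independent of the protocol the implant speaks.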
The findings highlight the tool sharing prevalent among Chinese advanced persistent threat groups to facilitate intelligence gathering. The campaign is likely staged by advanced China-backed threat actors whose other tools, capabilities, and position within the broader network of espionage activities are yet to be explored.