China-based spies are hacking East Asian semiconductor companies, report says


Chinese state-backed hackers have targeted the semiconductor industry in East Asia with a new espionage campaign, according to new research.

The Dutch cybersecurity firm EclecticIQ attributed the campaign to China because the hackers used the HyperBro loader, which is associated with a state-backed group labeled Budworm or APT27 by researchers.

Budworm has been associated with espionage operations that targeted a Middle Eastern telecom organization and an Asian government in September, as well as a U.S. state legislature last year.

In the recent campaign targeting semiconductor companies, the group posed as Taiwan Semiconductor Manufacturing Company (TSMC) to trick victims into clicking on malicious links. TSMC is a major player in the industry, making microchips for big companies like Apple and Nvidia.

Targets were infected with a Cobalt Strike beacon, EclecticIQ said. The software is a penetration testing tool commonly used by cybersecurity professionals to simulate cyberattacks and test the security of computer systems. However, it is often abused by criminals to remotely issue commands and steal information from victims.

The Cobalt Strike beacon was installed on victims’ computers using the HyperBro loader. When the loader is executed, it shows a PDF file that pretends to be from TSMC, to confuse the user.

The hackers also used a new backdoor called ChargeWeapon, which was designed to get remote access to the victim and send device and network information from an infected computer to an attacker’s server.

“This information is very likely collected by threat actors to perform initial reconnaissance against infected hosts and identify high-value targets,” said EclecticIQ.

While the report doesn’t specify how the attackers first got into the system, they likely sent phishing emails to their targets.

Earlier this month, researchers identified another China-linked cyber espionage campaign targeting government agencies in Guyana with a previously undocumented backdoor called DinodasRAT.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

MGM Resorts says cyberattack cost $100 million, resulted in theft of customer info

Next Post

Rhysida ransomware gang claims attacks on governments in Portugal, Dominican Republic

Related Posts

Russia’s APT28 Exploited Windows Print Spooler Flaw to Deploy ‘GooseEgg’ Malware

The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for
Read More

How Cynet Makes MSPs Rich & Their Clients Secure

Managed service providers (MSPs) are on the front lines of soaring demand for cybersecurity services as cyberattacks increase in volume and sophistication. Cynet has emerged as the security vendor of choice for MSPs to capitalize on existing relationships with SMB clients and profitably expand their client base. By unifying a full suite of cybersecurity capabilities in a simple, cost-effective
Read More