Sharp Panda Targets Africa & Caribbean in New Cyber Espionage Campaign

The Chinese hacker group Sharp Panda, known for its cyber espionage campaigns, has begun targeting government organizations in Africa and the Caribbean. This was reported by experts from Check Point in their recent report.

The campaign employs Cobalt Strike Beacon, the payload component of the Cobalt Strike framework, which provides remote control of infected systems and command execution. Relying on this off-the-shelf toolkit minimizes the need for custom tools and reduces the risk of detection. Check Point experts believe this approach demonstrates a profound understanding of the attack objectives.

Sharp Panda, also known as Sharp Dragon, was first discovered in June 2021, when it attacked the government of a Southeast Asian country using the VictoryDLL malware. In subsequent attacks, the hackers utilized the modular Soul framework, which allows the retrieval of additional components from servers controlled by the attackers for advanced information gathering.

Research indicates that the development of Soul began in October 2017. This backdoor includes features borrowed from Gh0st RAT and other publicly available tools commonly used by Chinese cybercriminals.

In June 2023, the group targeted high-ranking officials from G20 countries, indicating a continued focus on government structures for intelligence collection. A key element of Sharp Panda’s operations is the exploitation of zero-day vulnerabilities, such as CVE-2023-0669, to infiltrate infrastructure and use it as C2 servers.

Recent attacks on governments in Africa and the Caribbean demonstrate an expansion of their target scope. The attackers use compromised email accounts of high-ranking officials from Southeast Asia to send phishing emails with malicious attachments, built with the Royal Road tool, that deliver the “5.t” loader. This loader performs reconnaissance on the host and then launches the Cobalt Strike Beacon, giving the hackers precise information about the targeted systems.

The use of Cobalt Strike not only reduces the risk of detecting custom tools but also indicates a “sophisticated approach to target evaluation,” as noted by Check Point. Recently, the hackers have also started using executables disguised as documents to increase the likelihood of infection, reflecting a continuous improvement in their tactics.

The strategic expansion of Sharp Dragon’s activities to Africa and the Caribbean reflects the Chinese cybercriminals’ ambition to strengthen their presence and influence in these regions.

Hacker groups like Sharp Panda continually refine their methods, adapting tactics and employing the latest tools to penetrate government structures in various countries. Their activities transcend regional boundaries, indicating a drive to expand influence and collect confidential information on a global scale.

Such malicious activities underscore the need to enhance cybersecurity and strengthen international cooperation in combating cybercrime to protect critical government structures and data.