The report details a campaign by the Chinese advanced persistent threat (APT) group Stately Taurus, which carried out cyberespionage operations against government entities in Southeast Asia. The group employed a novel technique that leveraged the reverse shell feature of Visual Studio Code to gain initial access and deliver additional malware payloads. This represents the first observed instance of threat actors exploiting this vulnerability. The campaign exhibits strong connections to a previous Stately Taurus operation through shared tactics, techniques, procedures (TTPs), timelines, and victimology. Furthermore, the report examines a potential link between the Stately Taurus activity and a separate cluster involving the ShadowPad backdoor within the same targeted environment. Author: AlienVault
Related Tags:
credentialtheft
POISONPLUG.SHADOW
ShadowPad – S0596
T1218.011
T1003.002
T1569.002
T1021.004
exfiltration
reverseshell
Associated Indicators:
8FDAC78183FF18DE0C07B10E8D787326691D7FB1F63B3383471312B74918C39F
506FC87C8C96FEF1D2DF24B0BA44C8116A9001CA5A7D7E9C01DC3940A664ACB0
0F11B6DD8FF972A2F8CB7798B1A0A8CD10AFADCEA201541C93EF0AB9B141C184
AA2C0DE121AE738CE44727456D97434FAFF21FC69219E964E1E2D2F1CA16B1C5
456E4DAE82A12BCDA0506A750EAC93BF79CC056B8AAD09EC74878C90FD67BD8F
39CEB73BCFD1F674A9B72A03476A9DE997867353172C2BF6DDE981C5B3AD512A
5BFC45F7FCE27D05E753A61DDE5FAB623EFFF3E4DF56FB6A0CF178A0B11909CE
3CC5EE93A9BA1FC57389705283B760C8BD61F35E9398BBFA3210E2BECF6D4B05
AC34E1FB4288F8AD996B821C89B8CD82A61ED02F629B60FFF9EB050AAF49FC31