Chinese-speaking threat actor targets a telecoms company in Africa

An African telecommunications company, has become the latest victim of a China-linked hacking group, according to a recent report from Symantec, a cybersecurity software firm.

Although the company has not been named, the researchers have identified the Chinese hacking group responsible for the attack by using the PlugX malware, a hallmark of Chinese military hacking campaigns.

The group, known as ‘Daggerfly,’ has been identified as an advanced persistent threat (APT) by Symantec’s researchers. Although the group’s malicious activity against the company began in November 2022, there are indications that it is still ongoing. The researchers explained that telecoms companies are a prime target for intelligence-gathering campaigns due to their potential access to end user communications.

Part of the reasoning behind linking this activity to Daggerfly involves information from Symantec’s 2020 blog post detailing activity previously associated with Evasive Panda by Malwarebytes. Overlapping features between the two activities include the presence of a shared MgBot sample, a renamed ‘Rundll32.exe’ file called ‘dbengin.exe’ in the directory ‘ProgramData\Microsoft\PlayReady,’ and a loader DLL named ‘pMsrvd.dll’ in the directory ‘csidl_common_appdata\microsoft\playready\mdie942.tmp.’

In addition, the use of similar folder and file names and DLL side-loading techniques further support the attribution. While Malwarebytes documented their findings in 2020, Daggerfly has reportedly been active since at least 2014.