INTRUSION ANALYSIS: China-Nexus Adversary Targeting Southeast Asian Edge Network Infrastructure


THREAT INTELLIGENCE REPORT

Report ID: TIR-2026-0525-SEA
Date: 2026-05-25
Adversary: Suspected China-nexus cluster (undesignated)
Target Region: Southeast Asia
Target Vertical: Network Infrastructure (Edge Routers / Gateways)
Severity: CRITICAL
TLP: AMBER


KEY FINDINGS

A China-nexus intrusion set has been identified conducting a large-scale campaign against edge network devices across Southeast Asia. The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent HTTPS command-and-control (C2) whose server name it resolves through DNS over HTTPS (DoH) rather than the device's configured resolver, while simultaneously weaponizing the router's iptables subsystem to hijack downstream DNS traffic at scale.

Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll) that shares C2 infrastructure and an identical malleable C2 profile (URIs, headers, cookie markers, sleep interval) with the router implant, strongly indicating unified operational control.

This campaign demonstrates a deliberate strategic choice to compromise network infrastructure rather than endpoints, enabling the adversary to:

  1. Operate on devices where endpoint detection and response (EDR) agents are not deployed
  2. Maintain visibility and control over all network traffic transiting the device
  3. Conduct downstream attacks (DNS poisoning, supply chain hijacking, credential harvesting) against every device behind the compromised router

ADVERSARY PROFILE

Attribute      Assessment
Nexus          People's Republic of China (PRC)
Confidence     HIGH
Motivation     Espionage / Persistent Access
Capability     Advanced (custom implant development, cross-platform tooling, infrastructure-layer tradecraft)
Target Scope   Southeast Asian organizations with Linux-based edge routing infrastructure

Attribution Basis:

  • Mandarin-language strings embedded in the implant binary (设置非阻塞模式失败, "failed to set non-blocking mode")
  • Accept-Language: zh-CN hardcoded in the C2 communication profile
  • Cracked Cobalt Strike watermark (License ID) 666666666, frequently observed in PRC-nexus operations; note that this watermark belongs to a widely circulated cracked build and is also used by unrelated actors, so it corroborates rather than establishes attribution
  • C2 infrastructure registration patterns consistent with known PRC-affiliated clusters
  • Operational tempo and targeting aligned with PRC strategic intelligence interests in Southeast Asia

Language artifacts and watermarks are trivially spoofable; the HIGH confidence rests on their combination with the infrastructure overlap and targeting, not on any single item.

CAMPAIGN OVERVIEW

┌─────────────────────────────────────────────────────────────────┐
│                    ATTACK CHAIN ARCHITECTURE                      │
├─────────────────────────────────────────────────────────────────┤
│                                                                   │
│  ┌──────────────┐     ┌──────────────┐     ┌──────────────┐     │
│  │ Border Router │────▶│  DNS Hijack  │────▶│  Downstream  │     │
│  │   (root)     │     │  (iptables)  │     │   Victims    │     │
│  └──────┬───────┘     └──────────────┘     └──────────────┘     │
│         │                                                         │
│         ├── router.elf (Custom RAT, DoH C2)                      │
│         ├── client_rc_start (Secondary backdoor)                  │
│         └── iptables DNAT rules + ipset "evil_fix"               │
│                                                                   │
│  ┌──────────────┐                                                │
│  │   Windows    │                                                │
│  │  Endpoints   │── version.dll (DLL Sideload → CS Beacon)      │
│  └──────────────┘                                                │
│                                                                   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │              SHARED C2 INFRASTRUCTURE                      │   │
│  │  specialclouds.com/top │ contextlayerrun.com              │   │
│  │  namefilecode.com │ valuecode.top │ perfectgo.top         │   │
│  │  URI: /api/v1/get (poll) │ /api/v1/post (exfil)          │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

TECHNICAL ANALYSIS

Implant: router.elf

Property   Value
Platform   Linux x86-64
Type       ELF PIE, static-pie linked, stripped
Size       480,480 bytes
Compiler   GCC 11.2.1
Crypto     mbedTLS (static)
MD5        6401cdc783b4afcbcc294954b4cc5dd2
SHA256     6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae

Anti-Analysis Techniques:

  • Static linking eliminates shared library dependencies and leaves no import table to triage
  • Symbol stripping removes all function names and debug information
  • PIE compilation means runtime addresses differ from the file's virtual addresses, so static and dynamic observations must be rebased before they can be correlated
  • Multi-layer configuration encryption (XOR-keyed seed feeding a Xorshift PRNG stream cipher)
  • Sensitive string obfuscation via single-byte XOR 0x5a encoding, decoded on demand at runtime

C2 Configuration Encryption:

The implant protects its embedded C2 configuration with a two-stage custom scheme:

  1. A 12-byte encrypted seed is stored in the .data section (0x240 into the section; file offset 0x73240, see appendix), with the key string stored at file offset 0x73250
  2. The seed is decrypted by XOR with the hardcoded 12-byte key BOOTKEYSlot!
  3. The decrypted seed initializes three 32-bit Xorshift PRNG state variables (one per 4-byte word)
  4. The PRNG keystream, combined with a ROR rotation whose count is taken from the loop counter, decrypts 6,132 bytes of configuration (1,533 iterations of 4 bytes)
; BOOTKEYSlot! XOR seed decryption (0x80c1)
80c1: mov    rax, [rip+0x26b198]        ; load encrypted seed
80cd: lea    rcx, [rip+0x26b17c]        ; rcx = "BOOTKEYSlot!"
80e5: mov    dl, [rax+rbx*1]            ; dl = seed[i]
80e8: xor    dl, [rcx+rax*1]            ; dl ^= key[i]
80f2: cmp    rax, 0xc                    ; 12 iterations

; Xorshift PRNG decryption loop (0x812c) — 1533 iterations
8140: mov    eax, esi                    ; eax = PRNG state
8142: shl    eax, 0xd                    ; xorshift step 1
8145: xor    eax, esi
8149: shr    esi, 0x11                   ; xorshift step 2
814c: xor    eax, esi
8150: shl    esi, 0x5                    ; xorshift step 3
8153: xor    esi, eax
815d: xor    eax, r8d                    ; combine with state
8163: xor    eax, esi                    ; XOR with keystream
8165: ror    eax, cl                     ; rotate by counter

Decrypted Configuration (excerpt):

  0x012e: contextlayerrun.com,/api/v1/get    [C2 domain + GET path]
  0x0234: Mozilla/5.0 (Windows NT 10.0; ...)  [User-Agent]
  0x0339: /api/v1/post                        [POST path]
  0x048e: Accept: */*                         [HTTP headers]
  0x04a0: Accept-Language: zh-CN,zh;q=0.9     [Language header]

String Obfuscation (XOR 0x5a):

Sensitive runtime strings are encoded with single-byte XOR 0x5a and decoded dynamically:

; Runtime XOR 0x5a decode (0xc911)
c911: mov    dl, [rcx+rax*1]            ; read encoded byte
c919: xor    edx, 0x5a                   ; XOR 0x5a decode
c91c: mov    [rsp+rax*1+0x3b], dl       ; store decoded byte

Example: 75 2a 28 35 39 75 29 3f 36 3c 75 3f 22 3f 5a → /proc/self/exe (the trailing 0x5a decodes to the NUL terminator)
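The two XOR layers described above, as an added example that is not code from the report or from the implant: it decrypts the 12-byte seed printed in the appendix at file offset 0x73240 with the BOOTKEYSlot! key, decodes the XOR 0x5a string at 0x4fed8, and scans a byte blob for further 0x5a-terminated encoded strings. The keystream stage is modelled, not recovered: the excerpt shows the 13/17/5 xorshift shifts and the final "xor; xor; ror cl" but not how the three state words are scheduled, so `keystream` XORs three independent xorshift32 generators as an assumption, and the round trip is demonstrated on constructed plaintext rather than on the implant's real configuration.

```python
"""Added example (not the report's or the implant's code): BOOTKEYSlot! seed
decryption, a modelled xorshift/ROR keystream stage, and XOR 0x5a string
recovery, run against the bytes printed in the report's appendix."""
from typing import List, Tuple

BOOT_KEY = b"BOOTKEYSlot!"   # 12-byte hardcoded key named in the report
MASK32 = 0xFFFFFFFF

# Constructed from the appendix hexdump at file offset 0x73240:
# 12-byte encrypted seed, 4 unrelated bytes, then the key string itself.
APPENDIX_0x73240 = bytes.fromhex(
    "17ba323a8b9bf0cd702894eb8d17b42f"
    "424f4f544b4559536c6f742100000000"
)
# Constructed from file offset 0x4fed8: the XOR 0x5a encoded example string.
APPENDIX_0x4fed8 = bytes.fromhex("752a283539" "75293f363c" "753f223f5a" "00")


def decrypt_seed(blob: bytes, key: bytes = BOOT_KEY) -> Tuple[int, int, int]:
    """Layer 1: XOR the 12-byte seed with the key, split into three LE uint32 states."""
    seed = bytes(b ^ key[i] for i, b in enumerate(blob[:12]))
    return tuple(int.from_bytes(seed[i:i + 4], "little") for i in (0, 4, 8))


def xorshift32(x: int) -> int:
    """One xorshift step using the 13 / 17 / 5 shifts visible in the disassembly."""
    x ^= (x << 13) & MASK32
    x ^= x >> 17
    x ^= (x << 5) & MASK32
    return x & MASK32


def ror32(x: int, n: int) -> int:
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32


def rol32(x: int, n: int) -> int:
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def keystream(states: Tuple[int, int, int], nwords: int) -> List[int]:
    """ASSUMPTION: the three state words are advanced independently and XORed.
    This reproduces the structure of the routine, not the implant's exact keystream."""
    s = list(states)
    out = []
    for _ in range(nwords):
        s = [xorshift32(v) for v in s]
        out.append(s[0] ^ s[1] ^ s[2])
    return out


def decrypt_config(ct: bytes, states: Tuple[int, int, int]) -> bytes:
    """Layer 2 model: plaintext word i = ROR32(ct_word ^ keystream_word, i)."""
    words = [int.from_bytes(ct[i:i + 4], "little") for i in range(0, len(ct), 4)]
    ks = keystream(states, len(words))
    pt = [ror32(w ^ k, i) for i, (w, k) in enumerate(zip(words, ks))]
    return b"".join(p.to_bytes(4, "little") for p in pt)


def encrypt_config(pt: bytes, states: Tuple[int, int, int]) -> bytes:
    """Inverse of decrypt_config, used only to build constructed test data."""
    pt = pt + b"\x00" * (-len(pt) % 4)
    words = [int.from_bytes(pt[i:i + 4], "little") for i in range(0, len(pt), 4)]
    ks = keystream(states, len(words))
    ct = [rol32(p, i) ^ k for i, (p, k) in enumerate(zip(words, ks))]
    return b"".join(c.to_bytes(4, "little") for c in ct)


def xor5a_decode(blob: bytes) -> str:
    """Decode a XOR 0x5a string; a raw 0x5a byte is the encoded NUL terminator."""
    out = bytearray()
    for b in blob:
        if b == 0x5A:
            break
        out.append(b ^ 0x5A)
    return out.decode("ascii", errors="replace")


def find_xor5a_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Scan a blob for runs that decode to printable ASCII and end in a 0x5a byte."""
    hits, i = [], 0
    while i < len(blob):
        j = i
        while j < len(blob) and blob[j] != 0x5A and 0x20 <= (blob[j] ^ 0x5A) < 0x7F:
            j += 1
        if j - i >= min_len and j < len(blob) and blob[j] == 0x5A:
            hits.append((i, xor5a_decode(blob[i:j])))
        i = j + 1
    return hits


if __name__ == "__main__":
    print([hex(s) for s in decrypt_seed(APPENDIX_0x73240)])
    print(find_xor5a_strings(APPENDIX_0x4fed8))
```

Point `find_xor5a_strings` at the whole .rodata section of a sample to enumerate the encoded strings in one pass; false positives are rare because a run must both decode to printable text and be terminated by a literal 0x5a byte.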

DNS over HTTPS (DoH) Resolution:

The implant resolves its C2 domain by sending a DoH query to cloudflare-dns.com (/dns-query) inside a TLS session, so the lookup never touches the router's configured resolver and does not appear in conventional DNS logs or passive DNS collection:

; Load DoH resolver hostname (0x954c)
954c: lea    rsi, [rip+0x46605]          ; "cloudflare-dns.com"
9556: call   0x15186                      ; set TLS hostname

; Construct DoH POST request
958a: lea    rcx, [rip+0x465da]          ; "/dns-query"
95a1: lea    r8, [rip+0x465b0]           ; "cloudflare-dns.com"
95b7: call   0x45f60                      ; snprintf HTTP request
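What that request looks like on the wire, as an added example that is not the implant's code: it builds the RFC 8484 POST (application/dns-message body) that the strings above imply and parses an A answer. The response bytes are constructed in the block for offline use, and 192.0.2.10 is a documentation address, not an observed resolution.

```python
"""Added example (not from the report): RFC 8484 DoH POST construction and
DNS wire-format parsing, with a constructed response for offline testing."""
import struct
from typing import List, Tuple

DOH_HOST = "cloudflare-dns.com"   # resolver hostname seen in the implant
DOH_PATH = "/dns-query"


def encode_qname(name: str) -> bytes:
    """Length-prefixed labels followed by the root label."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0) -> bytes:
    """DNS query: header (RD set) plus one A/IN question. RFC 8484 recommends a
    zero transaction ID for cacheability, which is itself a hunting signal."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def build_doh_post(name: str, host: str = DOH_HOST, path: str = DOH_PATH) -> bytes:
    """HTTP/1.1 request bytes as the implant's snprintf template would emit them."""
    body = build_dns_query(name)
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if l == 0:
            return off + 1
        off += 1 + l


def parse_a_records(msg: bytes) -> List[Tuple[int, str]]:
    """Return (ttl, dotted-quad) for every A record in the answer section."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out


def build_dns_answer(name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver response (QR, RD, RA set) for offline testing."""
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack(">HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    print(build_doh_post("contextlayerrun.com").decode("ascii", "replace"))
    print(parse_a_records(build_dns_answer("contextlayerrun.com", "192.0.2.10")))
```

Because the query rides inside TLS, the only network-visible artefacts are the TLS SNI (cloudflare-dns.com) and the destination; on a router that has no business talking to a public DoH resolver, that session alone is the detection.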

Implant C2 Profile:

Parameter        Value
C2 Domain        contextlayerrun.com
Port             443/TCP (HTTPS)
GET URI          /api/v1/get
POST URI         /api/v1/post
Beacon Interval  ~50,000 ms (50s)
DNS Resolution   DoH via cloudflare-dns.com
TLS Library      mbedTLS (embedded)

Router DNS Hijacking (iptables DNAT)

The adversary installs persistent iptables NAT rules on the compromised router that redirect all downstream DNS traffic to attacker-controlled resolvers (as listed by iptables -t nat -L -n):

DNAT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53  to:8.213.217.130:8090
DNAT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53  to:47.81.37.109:8090
DNAT  all  --  0.0.0.0/0  0.0.0.0/0  match-set evil_fix dst  to:23.254.129.112

Rule  Protocol  Trigger               Redirect Target      Purpose
1     UDP       dst port 53           8.213.217.130:8090   Primary rogue DNS resolver
2     UDP       dst port 53           47.81.37.109:8090    Failover rogue DNS resolver
3     ALL       ipset evil_fix match  23.254.129.112       Targeted traffic redirection for specific destinations

Note that the NAT chain is evaluated in order and DNAT is a terminating target, so rule 2 only receives UDP/53 traffic once rule 1 is removed or if rule 1 carries a condition not visible in this listing (for example -m statistic); "failover" is an inference from the listing. Rule 3 specifies no port, so it preserves the original destination port and redirects every protocol to 23.254.129.112 for any destination in the set.

Operational Impact:

  • Complete control over plaintext DNS resolution for all devices behind the router (TCP/53, DoT and client-side DoH are not covered by these rules)
  • Non-standard port 8090 evades port-53-based DNS security auditing on the WAN side
  • Dynamic ipset (evil_fix) enables targeted hijacking of software update channels, security vendor domains, or specific victim traffic without touching the rule set
  • Confirms the adversary holds root-level access to the network device
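An audit of the kind the rules above call for, as an added example that is not the report's own tooling: it parses `iptables -t nat -S` output (the rule-spec form, easier to parse than the -L listing shown above) and flags UDP/53 DNAT to non-standard ports or unapproved resolvers, plus any DNAT keyed on an ipset. The sample lines are constructed to mirror the three observed rules alongside two benign ones, and APPROVED_RESOLVERS is an assumption to replace with your own resolver addresses.

```python
"""Added example (not from the report): audit `iptables -t nat -S` output for
DNS-hijacking DNAT rules of the shape observed on the compromised routers."""
import shlex
from typing import Dict, List, Set

# ASSUMPTION: the only resolvers your routers may legitimately DNAT to.
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53"}

# Constructed sample: three rules mirroring the report's listing, two benign ones.
SAMPLE_NAT_RULES = [
    "-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 8.213.217.130:8090",
    "-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 47.81.37.109:8090",
    "-A PREROUTING -m set --match-set evil_fix dst -j DNAT --to-destination 23.254.129.112",
    "-A POSTROUTING -o eth0 -j MASQUERADE",
    "-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.53:53",
]


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one rule-spec line into {option: value}; --match-set keeps 'name flags'."""
    toks = shlex.split(line)
    rule: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "--match-set" and i + 2 < len(toks):
            rule[t] = toks[i + 1] + " " + toks[i + 2]
            i += 3
        elif t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[t] = toks[i + 1]
            i += 2
        else:
            rule[t] = ""
            i += 1
    return rule


def split_target(target: str):
    """'1.2.3.4:8090' -> ('1.2.3.4', '8090'); '1.2.3.4' -> ('1.2.3.4', '').
    IPv4 only; bracketed IPv6 targets would need their own handling."""
    if ":" in target:
        host, _, port = target.rpartition(":")
        return host, port
    return target, ""


def audit_nat_rules(lines: List[str], approved: Set[str] = APPROVED_RESOLVERS) -> List[str]:
    """Return one finding string per suspicious DNAT rule property."""
    findings: List[str] = []
    for line in lines:
        if " -j DNAT" not in line:
            continue
        r = parse_rule(line)
        target = r.get("--to-destination", "")
        host, port = split_target(target)
        if r.get("--dport") == "53":
            if port and port != "53":
                findings.append(f"DNS DNAT to non-standard port {port} ({target}): {line}")
            if host not in approved:
                findings.append(f"DNS DNAT to unapproved resolver {host}: {line}")
        if "--match-set" in r:
            setname = r["--match-set"].split()[0]
            findings.append(f"DNAT keyed on ipset '{setname}' -> {target}: {line}")
    return findings


if __name__ == "__main__":
    for f in audit_nat_rules(SAMPLE_NAT_RULES):
        print(f)
```

Run it over `iptables -t nat -S` (and `ip6tables -t nat -S`) collected from each device on a schedule; pair it with a diff of `ipset list -n` against a baseline, since the set name is an operator choice and will not always be evil_fix.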

Secondary Router Backdoor: client_rc_start

Property   Value
Filename   client_rc_start
MD5        92ED4D259940D4294190E60ADD5CC587
Role       Redundant persistence backdoor on compromised router

Deployed alongside router.elf to ensure continued access if the primary implant is detected and removed.


Windows Cobalt Strike Beacon (DLL Sideloading)

The adversary extends operations from network infrastructure to Windows endpoints using a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading.

Delivery Mechanism:

Component         Value
Sideloaded DLL    version.dll (MD5: 20C196FD5CF9A4845D048006321A52B8)
Host Process      CrashReport.exe / CrashReport64.exe
Spawn Path (x86)  %allusersprofile%\CrashReport\CrashReport.exe
Spawn Path (x64)  %allusersprofile%\CrashReport\CrashReport64.exe

Beacon Configuration:

Parameter    Value
Beacon Type  windows-beacon_https-reverse_https
CS Version   4.4 (cracked, License ID: 666666666)
Sleep        50,000 ms (50s)
Jitter       30%
Port         443 (HTTPS)
Proxy        IE settings (system proxy configuration)

C2 Servers:

Domain              Method  URI
specialclouds.com   GET     /api/v1/get
specialclouds.com   POST    /api/v1/post
specialclouds.top   GET     /api/v1/get
namefilecode.com    GET     /api/v1/get

Malleable C2 Profile (HTTP Headers):

GET Request:
  User-Agent    : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/536.36
                  (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
  Content-Type  : application/*; charset=utf-8
  Accept        : */*
  Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
  Accept-Encoding: gzip, deflate
  Priority      : u=1, i
  Cookie        : _UK=<Base64URL-encoded metadata>

POST Request:
  [Same headers as GET]
  Cookie        : _ZF=<Base64URL-encoded session ID>

Process Injection Configuration:

Parameter                    Value
Initial Memory Protection    PAGE_READWRITE
Execution Memory Protection  PAGE_EXECUTE_READ
Minimum Allocation           10,192 bytes
Thread Entry Point           ntdll!RtlUserThreadStart

RSA Public Key:

30819f300d06092a864886f70d010101050003818d00308189028181009793f0
6442851056a387957c4189a34110f5fff6172fb8684c6785b437f2989a6cbba3
728927ba0940a9aad6e595aeb9fd56925386f5179dbe47a30803f35f2e0a6f48
aecda3c0a9f1ec91f6ac6ff206f44e4723ad144daaa53a5b8182133e4ce69e02
f8973ffe95079e08fa4348e65167194ceacef0209a70832c4857a5e701020301
000100
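A quick check on the blob above, as an added example that is not from the report: a minimal DER reader confirms it is a SubjectPublicKeyInfo holding a 1024-bit RSA key with e = 65537 (the size Cobalt Strike team servers generate) and produces a SHA-256 of the SPKI that can be used to cluster Beacon samples, since a fixed team-server public key is stronger evidence of a shared operator than a shared User-Agent. The single trailing 00 byte after the 162-byte structure is padding carried over from the config dump.

```python
"""Added example (not from the report): parse the Beacon RSA public key blob
to confirm key size and exponent and derive a fingerprint for pivoting."""
import hashlib
from typing import Dict, Tuple

# Copied from the report's RSA Public Key field (163 bytes including one trailing 00).
BEACON_SPKI_HEX = (
    "30819f300d06092a864886f70d010101050003818d00308189028181009793f0"
    "6442851056a387957c4189a34110f5fff6172fb8684c6785b437f2989a6cbba3"
    "728927ba0940a9aad6e595aeb9fd56925386f5179dbe47a30803f35f2e0a6f48"
    "aecda3c0a9f1ec91f6ac6ff206f44e4723ad144daaa53a5b8182133e4ce69e02"
    "f8973ffe95079e08fa4348e65167194ceacef0209a70832c4857a5e701020301"
    "000100"
)


def der_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Return (tag, value_offset, value_length) for the TLV at off.
    Handles short-form and long-form (0x81, 0x82) lengths."""
    tag = buf[off]
    ln = buf[off + 1]
    off += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, ln


def parse_rsa_spki(der: bytes) -> Dict[str, object]:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey {n, e}."""
    tag, off, ln = der_tlv(der, 0)              # SEQUENCE SubjectPublicKeyInfo
    assert tag == 0x30
    end = off + ln
    tag, aoff, aln = der_tlv(der, off)          # SEQUENCE AlgorithmIdentifier (rsaEncryption)
    assert tag == 0x30
    tag, boff, bln = der_tlv(der, aoff + aln)   # BIT STRING subjectPublicKey
    assert tag == 0x03 and der[boff] == 0x00    # zero unused bits
    tag, roff, rln = der_tlv(der, boff + 1)     # SEQUENCE RSAPublicKey
    assert tag == 0x30
    tag, noff, nln = der_tlv(der, roff)         # INTEGER modulus
    assert tag == 0x02
    n = int.from_bytes(der[noff:noff + nln], "big")
    tag, eoff, eln = der_tlv(der, noff + nln)   # INTEGER publicExponent
    assert tag == 0x02
    e = int.from_bytes(der[eoff:eoff + eln], "big")
    return {
        "bits": n.bit_length(),
        "e": e,
        "modulus": n,
        "spki_sha256": hashlib.sha256(der[:end]).hexdigest(),  # pivot key across samples
        "trailing": der[end:],                                   # dump padding, if any
    }


if __name__ == "__main__":
    info = parse_rsa_spki(bytes.fromhex(BEACON_SPKI_HEX))
    print(info["bits"], info["e"], info["spki_sha256"], info["trailing"])
```

Store the SPKI hash alongside the watermark: two Beacons that differ in domains and profile but share this key were generated by the same team server.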

Host Rotation Strategy (config parsers label these fields DNS strategy):

Parameter         Value
Strategy          Round-robin (mode 2)
Fail Threshold    5 failures before rotation
Rotation Timeout  Unlimited (-1)
Fail Timeout      Unlimited (-1)

Cross-Platform Infrastructure Correlation

The router implant and the Windows Cobalt Strike Beacon share the following indicators, strongly indicating unified adversary control:

Indicator       router.elf                                  CS Beacon
User-Agent      AppleWebKit/536.36 ... Chrome/135.0.0.0     Identical
URI Pattern     /api/v1/get, /api/v1/post                   Identical
Cookie Markers  _UK=, _ZF=                                  Identical
Sleep Interval  50,000 ms                                   50,000 ms
C2 Domains      contextlayerrun.com                         specialclouds.com / specialclouds.top (shared infrastructure)
Port            443                                         443
Language        zh-CN                                       zh-CN

INDICATORS OF COMPROMISE

File Indicators

Filename         Hash                                                                      Description
router.elf       MD5: 6401cdc783b4afcbcc294954b4cc5dd2                                     Linux router RAT (primary implant)
                 SHA256: 6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae
client_rc_start  MD5: 92ED4D259940D4294190E60ADD5CC587                                     Router secondary backdoor
version.dll      MD5: 20C196FD5CF9A4845D048006321A52B8                                     CS Beacon DLL sideload payload

Network Indicators

C2 Domains:

Domain                           Usage
contextlayerrun.com              Router implant C2
specialclouds.com                CS Beacon C2
specialclouds.top                CS Beacon C2
namefilecode.com                 CS Beacon C2
valuecode.top                    Associated C2
windowsweatherkb.top             Associated C2
function.windowsoftmessages.com  Associated C2
perfectgo.top                    Associated C2
safelyhome.top                   Associated C2
discovercoded.com                Associated C2

C2 IP Addresses:

IP              Port   Usage
8.211.130.16    443    C2 server
8.213.217.130   8090   Rogue DNS resolver (primary)
47.81.37.109    8090   Rogue DNS resolver (failover)
23.254.129.112  any    Traffic redirection node (ipset target; original destination port preserved)

C2 URI Patterns:

GET  /api/v1/get
POST /api/v1/post

Network Signatures:

Indicator           Value
DoH Resolver        cloudflare-dns.com/dns-query (used by a non-browser process or by the router itself)
User-Agent Anomaly  AppleWebKit/536.36 (legitimate version is 537.36)
Cookie Markers      _UK= (GET metadata), _ZF= (POST session)
ipset Name          evil_fix (on compromised routers)

MITRE ATT&CK MAPPING

Tactic               Technique                                                ID
Initial Access       Exploit Public-Facing Application                        T1190
Execution            Command and Scripting Interpreter: Unix Shell            T1059.004
Persistence          Boot or Logon Autostart Execution                        T1547
Persistence          Traffic Signaling                                        T1205
Defense Evasion      Obfuscated Files or Information                          T1027
Defense Evasion      Hijack Execution Flow: DLL Side-Loading                  T1574.002
Discovery            System Information Discovery                             T1082
Discovery            File and Directory Discovery                             T1083
Collection           Data from Local System                                   T1005
Collection           Adversary-in-the-Middle (router DNAT of downstream DNS)  T1557
Command and Control  Application Layer Protocol: Web Protocols                T1071.001
Command and Control  Encrypted Channel                                        T1573
Command and Control  Protocol Tunneling (DoH)                                 T1572
Command and Control  Dynamic Resolution                                       T1568
Exfiltration         Exfiltration Over C2 Channel                             T1041

The DNS hijack is mapped to Adversary-in-the-Middle rather than Network Denial of Service because availability is preserved while responses are attacker-controlled. The C2 host list is static and rotated round-robin, so no domain generation sub-technique applies; Encrypted Channel is a Command and Control technique rather than Defense Evasion.

RECOMMENDATIONS

Immediate Actions (Critical)

  1. Audit all edge routers and gateways: dump the NAT table (iptables -t nat -S, or nft list ruleset on nftables-based devices) and check for unauthorized DNAT entries; list ipsets (ipset list -n) and look for evil_fix or any set absent from your baseline
  2. Block all IOC domains and IPs at the perimeter firewall and DNS sinkhole
  3. Hunt for router.elf and client_rc_start on all Linux-based network devices (routers, firewalls, load balancers); because the implant is statically linked and stripped, match on hashes and look for unexpected ELF files rather than relying on import-based triage
  4. Scan Windows endpoints for version.dll (MD5: 20C196FD5CF9A4845D048006321A52B8) and CrashReport.exe / CrashReport64.exe in %allusersprofile%\CrashReport\
  5. Verify DNS integrity: compare DNS responses from internal resolvers against known-good authoritative answers for critical domains, and compare answers obtained behind the router with answers obtained from outside it

Detection Opportunities

  1. Non-browser DoH traffic: on Windows endpoints, alert on processes other than web browsers connecting to cloudflare-dns.com:443; on routers, which have no process telemetry, alert on any TLS session the device itself originates to cloudflare-dns.com or 1.1.1.1:443 (the appendix shows both strings adjacent in the binary)
  2. User-Agent anomaly: AppleWebKit/536.36 is an incorrect version number (legitimate Chrome builds use 537.36); signature-worthy, and present in the router implant's configuration as well as the Beacon profile
  3. iptables audit: scheduled integrity checks on router NAT rules; alert on UDP/53 DNAT to non-standard ports or to resolvers outside the approved set, and on any DNAT keyed on an ipset
  4. Cookie pattern: HTTP traffic with _UK= or _ZF= cookie fields to unknown domains, especially when paired with /api/v1/get or /api/v1/post
  5. Cobalt Strike signatures: named pipe patterns, spawnto process creation from CrashReport.exe / CrashReport64.exe, and ~50 s request periodicity with 30% jitter to a single host
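The content and timing detections above combined into one pass over proxy logs, as an added example that is not the report's own detection content: each request is scored against the malformed User-Agent, the /api/v1/ URIs, the _UK=/_ZF= cookie markers and the zh-CN Accept-Language, and each (source, host) pair is checked for inter-request gaps inside the 35 to 50 s window that a 50 s sleep with 30% jitter produces. The log records are constructed (one beaconing host, one benign browsing request) and the field names and the 2-reason alert threshold are assumptions to adapt to your proxy's schema.

```python
"""Added example (not from the report): score HTTP proxy records against the
malleable C2 profile and check for Beacon-like periodicity per (src, host)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

BAD_UA = re.compile(r"AppleWebKit/536\.36\b")                      # real Chrome: 537.36
C2_URIS = {"/api/v1/get", "/api/v1/post"}
COOKIE_MARK = re.compile(r"(?:^|;\s*)(_UK|_ZF)=[A-Za-z0-9_-]+")   # Base64URL payload
SLEEP_S, JITTER = 50.0, 0.30                                       # from the Beacon config


def _rec(ts, src, host, method, uri, ua, cookie="", lang=""):
    # ASSUMPTION: field names of your proxy export; adjust to match.
    return {"ts": ts, "src": src, "host": host, "method": method,
            "uri": uri, "ua": ua, "cookie": cookie, "accept_language": lang}


BEACON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/536.36 "
             "(KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36")
REAL_UA = BEACON_UA.replace("536.36", "537.36")
ZH = "zh-CN,zh;q=0.9,en;q=0.8"

# Constructed sample log: four Beacon check-ins 42/45/38 s apart, one benign request.
SAMPLE_LOG = [
    _rec("2026-05-20T08:00:00Z", "10.1.2.30", "specialclouds.com", "GET", "/api/v1/get", BEACON_UA, "_UK=YWJj", ZH),
    _rec("2026-05-20T08:00:42Z", "10.1.2.30", "specialclouds.com", "POST", "/api/v1/post", BEACON_UA, "_ZF=ZGVm", ZH),
    _rec("2026-05-20T08:01:27Z", "10.1.2.30", "specialclouds.com", "GET", "/api/v1/get", BEACON_UA, "_UK=YWJj", ZH),
    _rec("2026-05-20T08:02:05Z", "10.1.2.30", "specialclouds.com", "GET", "/api/v1/get", BEACON_UA, "_UK=YWJj", ZH),
    _rec("2026-05-20T08:01:00Z", "10.1.2.31", "www.example.com", "GET", "/", REAL_UA, "", "en-US,en;q=0.9"),
]


def score_request(r: Dict[str, str]) -> List[str]:
    """Content indicators from the malleable profile; zh-CN is corroborating only."""
    reasons = []
    if BAD_UA.search(r["ua"]):
        reasons.append("user-agent AppleWebKit/536.36 (malformed, should be 537.36)")
    if r["uri"] in C2_URIS:
        reasons.append(f"C2 URI pattern {r['uri']}")
    m = COOKIE_MARK.search(r["cookie"])
    if m:
        reasons.append(f"cookie marker {m.group(1)}=")
    if r["accept_language"].startswith("zh-CN"):
        reasons.append("Accept-Language zh-CN (weak; corroborating only)")
    return reasons


def beacon_fraction(timestamps: List[str], sleep_s: float = SLEEP_S, jitter: float = JITTER) -> float:
    """Fraction of inter-request gaps inside [sleep*(1-jitter), sleep]; Cobalt Strike's
    jitter only shortens the sleep. Needs at least three requests to say anything."""
    ts = sorted(datetime.fromisoformat(t.replace("Z", "+00:00")) for t in timestamps)
    if len(ts) < 3:
        return 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    lo, hi = sleep_s * (1 - jitter), sleep_s
    return sum(lo <= g <= hi for g in gaps) / len(gaps)


def detect(records: List[Dict[str, str]], min_reasons: int = 2) -> List[Dict[str, object]]:
    """One alert per (src, host) whose distinct indicators reach min_reasons."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r)
    alerts = []
    for (src, host), recs in by_pair.items():
        reasons = sorted({x for r in recs for x in score_request(r)})
        frac = beacon_fraction([r["ts"] for r in recs])
        if frac >= 0.75:
            reasons.append(f"{frac:.0%} of gaps match 50s sleep / 30% jitter")
        if len(reasons) >= min_reasons:
            alerts.append({"src": src, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["src"], "->", a["host"])
        for reason in a["reasons"]:
            print("   ", reason)
```

The periodicity check is the part that survives a profile change: if the operator rebuilds the Beacon with a fixed User-Agent and fresh cookie names, the sleep and jitter usually stay, so keep the timing rule weighted even when the content indicators age out.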

Hardening

  1. Implement firmware and filesystem integrity monitoring on all edge network devices
  2. Restrict management access to network devices (out-of-band management, MFA)
  3. Have clients resolve through DoT/DoH to a pinned, certificate-validated resolver; the UDP/53 DNAT shown here cannot intercept that traffic, and while an attacker with root on the router could still block or redirect TCP/853 or 443, certificate validation turns that into a visible failure rather than a silent hijack
  4. Enable iptables rule change logging and alerting
  5. Segment the network device management plane from the data plane

APPENDIX: ENCRYPTED CONFIGURATION STORAGE

Raw encrypted data in .data section (file offset 0x73240):

00073240  17 ba 32 3a 8b 9b f0 cd 70 28 94 eb 8d 17 b4 2f  |..2:....p(...../|
00073250  42 4f 4f 54 4b 45 59 53 6c 6f 74 21 00 00 00 00  |BOOTKEYSlot!....|
00073260  59 58 02 1a 81 df 9a 83 6f c8 80 91 06 b3 ad a8  |YX......o.......|
00073270  db 05 e7 5a 80 34 46 91 a3 88 65 f1 42 ff f6 bc  |...Z.4F...e.B...|
00073280  0c a4 80 3a 69 6c 8e 0a 78 fe 33 83 c2 6c 70 a3  |...:il..x.3..lp.|
00073290  e1 57 91 83 cd 89 e3 0d c1 e2 a1 2c 31 a2 5d fb  |.W.........,1.].|
000732a0  e0 a0 4f 9f 7a 5a 3a c2 23 cd da 97 c9 82 7a 26  |..O.zZ:.#.....z&|
000732b0  9d a5 91 26 5a 27 45 41 ad c1 fa 8a d4 fe 77 fd  |...&Z'EA......w.|

DoH configuration strings (file offset 0x4fb50):

0004fb50  31 2e 31 2e 31 2e 31 00 63 6c 6f 75 64 66 6c 61  |1.1.1.1.cloudfla|
0004fb60  72 65 2d 64 6e 73 2e 63 6f 6d 00 2f 64 6e 73 2d  |re-dns.com./dns-|
0004fb70  71 75 65 72 79 00 50 4f 53 54 20 25 73 20 48 54  |query.POST %s HT|

XOR 0x5a encoded string (file offset 0x4fed8):

0004fed0  00 00 00 00 00 00 00 00 75 2a 28 35 39 75 29 3f  |........u*(59u)?|
0004fee0  36 3c 75 3f 22 3f 5a 00 1e ce fb ff 2d ce fb ff  |6<u?"?Z.....-...|

END OF REPORT
