Chinese-Linked Intruders Exploit Check Point Flaw to Deploy ShadowPad and Ransomware

Feb 20, 2025Ravie LakshmananRansomware / Risk

A previously unidentified threat activity cluster has targeted Western organizations, especially those in the healthcare sector, to deploy PlugX and its successor, ShadowPad. In some cases, the intrusions eventually led to the deployment of a ransomware called NailaoLocker.

The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a newly patched security flaw in Check Point network gateway security products ( , CVSS score: 7.5). The incidents occurred between June and October 2024.

In a statement shared with The Hacker News, the company said the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX, two implants frequently linked to China-nexus targeted intrusions.

The initial access provided by the exploitation of vulnerable Check Point instances is said to have enabled the threat actors to retrieve user credentials and connect to the VPN using a legitimate account.

In the next step, the attackers used Remote Desktop Protocol (RDP) to perform network reconnaissance and lateral movement to gain elevated privileges, then executed a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”) that in turn acts as a loader for a newer version of the ShadowPad malware.

Similar tradecraft was used in previous iterations of the attacks discovered in August 2024 to deliver , which also relies on DLL side-loading, using a McAfee executable (“mcoemcpy.exe”) to sideload “McUtil.dll”.

Like PlugX, ShadowPad is a privately sold piece of malware that has been used by Chinese espionage actors since at least 2015. In addition to communicating with a remote server and enabling persistent remote access to target systems, the variant identified by Orange Cyberdefense CERT features robust obfuscation and anti-debugging measures.

The threat actors may have attempted to exfiltrate data by accessing the file system and creating ZIP archives. The intrusions culminate in the transmission of three files using Windows Management Instrumentation (WMI): a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd. (“usysdiag.exe”), a loader named NailaoLoader (“sensapi.dll”), and NailaoLocker (“usysdiag.dat”).

Once again, the DLL file is sideloaded via “usysdiag.exe” to decrypt and trigger the execution of NailaoLocker, C++-based ransomware that encrypts files, appends a “.locked” extension to them, and drops a ransom note that demands victims make a cryptocurrency payment or contact the attackers at a Proton Mail address.
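The three side-loading pairs named above (a legitimate host executable loading a same-named rogue DLL from its own folder instead of the Windows system directory) can be hunted for in image-load telemetry. The following detection logic is an added example, not code from the article or from Orange Cyberdefense; the `image=...|imageloaded=...` record format and the sample log lines are constructed for illustration.

```python
import ntpath
from typing import Dict, List

# Legitimate executables and the DLL names the article reports being side-loaded next to them.
SIDELOAD_PAIRS = {
    "logger.exe": "logexts.dll",
    "mcoemcpy.exe": "mcutil.dll",
    "usysdiag.exe": "sensapi.dll",
}

# Directories from which the genuine copies of these DLLs would normally be loaded.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' image-load record (hypothetical format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious_sideload(event: Dict[str, str]) -> bool:
    """True when a known host binary loads its paired DLL from outside the system directories."""
    exe_path = event["image"].lower()
    dll_path = event["imageloaded"].lower()
    # ntpath handles backslash paths regardless of the platform the detection runs on.
    if SIDELOAD_PAIRS.get(ntpath.basename(exe_path)) != ntpath.basename(dll_path):
        return False
    # A DLL carrying a system-library name but loaded from an arbitrary folder
    # (typically the host executable's own directory) is the side-loading pattern.
    return ntpath.dirname(dll_path) not in TRUSTED_DIRS


def find_sideloads(log_lines: List[str]) -> List[str]:
    """Return the host executables whose paired DLL was loaded from an untrusted directory."""
    return [ev["image"] for ev in map(parse_event, log_lines) if is_suspicious_sideload(ev)]


# Constructed sample records (not real telemetry): one benign system load, three side-loads.
SAMPLE_LOG = [
    r"image=C:\Temp\usysdiag.exe|imageloaded=C:\Windows\System32\sensapi.dll",
    r"image=C:\Users\Public\logger.exe|imageloaded=C:\Users\Public\logexts.dll",
    r"image=C:\ProgramData\mcoemcpy.exe|imageloaded=C:\ProgramData\McUtil.dll",
    r"image=C:\Temp\usysdiag.exe|imageloaded=C:\Temp\sensapi.dll",
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print("possible DLL side-loading:", hit)
```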

According to researchers Marine Pichon and Alexis Bonnefoi, “NailaoLocker is relatively unsophisticated and poorly designed, and it appears not to be intended to guarantee full encryption.”

It doesn’t “scan network shares,” it doesn’t “stop” services or processes that might compromise the encryption of some crucial files, and it doesn’t “control” whether it is being debugged.

Given the use of the ShadowPad implant, DLL side-loading techniques, and the fact that similar ransomware schemes have been linked to another Chinese threat group known as , Orange has attributed the activity to a China-linked actor with medium confidence.

What’s more, the use of “usysdiag.exe” to sideload next-stage payloads has been observed in previous attacks mounted by a China-linked intrusion set tracked by Sophos under the name (aka STAC1248).

Although the precise objectives of the espionage-and-ransomware campaign are undetermined, it’s believed that the threat actors are aiming to make quick cash on the side.

“This could help explain the contrast in sophistication between ShadowPad and NailaoLocker, with NailaoLocker even attempting to mimic ShadowPad’s loading techniques,” the researchers said. Although these campaigns can occasionally be carried out opportunistically, they frequently give threat groups access to information systems that can be used to launch additional offensive operations.
