An espionage campaign using a previously undocumented toolset has targeted a range of organizations in South East Asia. Among the identified targets are organizations in the defense, healthcare, and information and communications technology (ICT) sectors. The campaign appears to have begun in September 2020 and ran at least until May 2021.
The toolset used by the attackers includes loaders, a modular backdoor, a keylogger, and an exfiltration tool designed to abuse the Dropbox cloud storage service.
The initial infection vector employed by the attackers remains unknown. The earliest sign of attempted compromise is a loader that decrypts and loads a payload from a .dat file. At least two different file names have been observed for the .dat file: sdc-integrity.dat and scs-integrity.dat. The loader also calls the DumpAnalyze export from the decrypted payload.
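As an added hunting example (not code from the report or the toolset), this script walks a directory of collected files and flags the two observed .dat file names plus any PE image, such as a dumped decrypted payload, that exports DumpAnalyze. It assumes the .dat file on disk is still encrypted, so the export check only fires on a decrypted copy; the minimal PE export-table walker and the directory layout are assumptions of this example.

```python
import os
import struct

# Indicators from the report: the loader's .dat file names and the export it calls in the payload.
DAT_NAMES = {"sdc-integrity.dat", "scs-integrity.dat"}
EXPORT_NAME = "DumpAnalyze"

def pe_export_names(data):
    """Return the export names of a PE32/PE32+ image, or [] if the bytes are not a valid PE."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsec = struct.unpack_from("<H", data, pe + 6)[0]
        opt = pe + 24                                           # optional header start
        magic = struct.unpack_from("<H", data, opt)[0]
        exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
        if not exp_rva:                                         # no export directory
            return []
        sec = opt + struct.unpack_from("<H", data, pe + 20)[0]  # first section header
        secs = [struct.unpack_from("<IIII", data, sec + 40 * i + 8) for i in range(nsec)]

        def rva2off(rva):                                       # map an RVA to a file offset
            for vsize, vaddr, rawsize, rawptr in secs:
                if vaddr <= rva < vaddr + max(vsize, rawsize):
                    return rva - vaddr + rawptr
            raise ValueError("RVA outside any section")
        exp = rva2off(exp_rva)
        nnames, _, names_rva = struct.unpack_from("<III", data, exp + 24)
        names = []
        for i in range(nnames):
            off = rva2off(struct.unpack_from("<I", data, rva2off(names_rva) + 4 * i)[0])
            names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError, IndexError):              # malformed or truncated input
        return []

def hunt(root):
    """Walk `root`; flag files by the known .dat names and PE files exporting DumpAnalyze."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() in DAT_NAMES:
                hits.append((path, "loader .dat file name"))
            with open(path, "rb") as f:
                data = f.read()
            if EXPORT_NAME in pe_export_names(data):
                hits.append((path, "exports " + EXPORT_NAME))
    return hits
```

Run `hunt()` over a triage directory; a decrypted payload recovered from memory is the most likely place for the export match to fire.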