Suspected China-based hackers target Middle East telecommunications, Asian government


Hackers targeted a Middle Eastern telecommunications organization and an Asian government in a recent espionage operation, according to a report released Thursday.

The Budworm hacker group, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a US state legislature using a Log4j vulnerability.

In its latest campaign in August, Budworm used a never-before-seen version of its custom backdoor, called SysUpdate, to spy on the unnamed telecom company and the Asian government body, Symantec researchers reported.

SysUpdate is “a feature-rich backdoor” that can remove services, take screenshots, rename and download files, and execute commands on targeted devices. Hackers have been using SysUpdate since at least 2020 and have improved its capabilities since then.

Besides SysUpdate, the group also used publicly available tools in the August attacks, including PasswordDumper to extract passwords, Curl for data transfers, and SecretsDump to retrieve secrets from remote computers.

The group’s activity may have been stopped at an early stage, Symantec said, since the only thing the attackers succeeded in doing was stealing credentials.

Budworm has been active since at least 2013, primarily focusing on espionage campaigns, according to Symantec. The group is known for targeting high-value victims in Southeast Asia, the Middle East and the United States, with a focus on organizations in the government, technology and defense sectors.

Symantec suggests that Budworm’s repeated use of known malware such as SysUpdate indicates that the hackers do not fear detection.

Although researchers have not directly attributed this campaign to China, Dick O’Brien, senior intelligence analyst at Symantec, previously told Recorded Future News that there is “general consensus” that the APT27 hackers are based in China.


Daryna Antoniuk

Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.
