Chamelgang

ChamelGang is a suspected Chinese cyberespionage threat group, also referred to as CamoFei. Reporting in the provided content links the group to espionage-oriented intrusions as well as repeated deployment of ransomware and encryptors for financial gain, disruption, distraction, misattribution, and removal of evidence. Researchers associated ChamelGang with attacks on the Presidency of Brazil and the All India Institute of Medical Sciences in 2022 involving CatB ransomware, and with 2023 targeting of a government organization in East Asia and an aviation organization in the Indian subcontinent. Prior reporting cited in the content also states that ChamelGang has targeted government and private organizations in the United States, Taiwan, and Japan, and impacted critical sectors in Russia, including aviation. Elastic Security Labs assessed REF2924 activity as likely consistent with ChamelGang based on shared malware, file names, techniques, victimology, and strategic targeting priorities, and linked related campaigns with Winnti and ChamelGang with moderate confidence. Malware and tooling mentioned in the content in connection with ChamelGang-linked activity include BeaconLoader, CatB ransomware, the DOORME IIS backdoor, the SIESTAGRAPH .NET implant using Microsoft Graph API, Outlook drafts, and OneDrive for command and control, and a SHADOWPAD loader delivered via DLL sideloading. The content describes associated tradecraft including compromise of internet-facing IIS and Exchange servers, covert remote access, in-memory shellcode execution, file transfer, command execution, screenshots, network discovery, mailbox collection, persistence via services and registry-stored encrypted payloads, and use of ransomware or legitimate encryption tools to conceal or disrupt operations.