Crimson Palace
Crimson Palace is a Chinese state-sponsored cyberespionage campaign identified by Sophos MDR, targeting a high-profile government organization in Southeast Asia. Sophos reported related activity from early 2022 through at least April 2024 and assessed with high confidence that the objective was long-term espionage in support of Chinese state interests, including the collection of military, political, technical, and infrastructure-related information. Reported collection included documents related to South China Sea strategies, infrastructure architecture data, and credentials or tokens.

Sophos tracked at least three intrusion clusters within Crimson Palace: Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305), and assessed with moderate confidence that these were distinct but coordinated actors operating with shared objectives under a central authority. Cluster Alpha focused on DLL sideloading, persistent C2, subnet and Active Directory reconnaissance, and service-based persistence using instsrv.exe and srvany.exe. Cluster Bravo used valid accounts for lateral movement and deployed the CCoreDoor backdoor for persistence, discovery, credential dumping, and external C2. Cluster Charlie deployed multiple PocoProxy implants, conducted mass Event Log analysis and large-scale ping sweeps, used a custom HUI loader to inject Cobalt Strike into mstsc.exe, injected an LSASS logon-credential interceptor into svchost.exe on domain controllers, and later re-entered the victim network via a web shell after defensive disruption.

The campaign used extensive DLL sideloading, with more than 15 distinct sideloading scenarios involving Windows services, Microsoft binaries, and antivirus vendor software. Sophos identified the previously unreported malware families CCoreDoor and PocoProxy, as well as an updated EAGERBEE variant capable of disrupting communications with antivirus vendor domains. Additional tooling observed in the campaign included NUPAKAGE, Merlin C2 Agent, Cobalt Strike, PhantomNet, RUDEBIRD, and PowHeartBeat. Sophos also reported advanced evasion, including overwriting ntdll.dll in memory to unhook the Sophos AV agent process from the kernel.

Sophos reported overlaps between Crimson Palace activity and public reporting on the China-affiliated actors Earth Estries, REF5961, BackdoorDiplomacy, Worok/TA428, Unfading Sea Haze, and Earth Longzhi (an APT41 subgroup), but explicitly refrained from high-confidence attribution to a single known actor because of shared infrastructure and tooling across Chinese operations. The alias directly supported in the content is Crimson Palace.
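Cluster Alpha's service-based persistence through instsrv.exe and srvany.exe is one of the more tractable behaviours to hunt for in Windows service-install telemetry. The following is an added example, not code from the Sophos report or from Mallory: a small Python hunt over constructed Event ID 7045 (service installed) and 4688 (process creation) records, with invented service names and paths, that flags services whose binary is a Resource Kit wrapper or lives outside the usual system directories.

```python
import re

# Constructed sample telemetry (not from the Sophos report): Windows "service installed"
# records (Event ID 7045) plus one process-creation record (Event ID 4688), one per line.
SAMPLE_EVENTS = """\
EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" StartType=auto
EventID=7045 ServiceName=WinUpdSvc ImagePath="C:\\ProgramData\\WinUpd\\srvany.exe" StartType=auto
EventID=7045 ServiceName=SophosHelper ImagePath="C:\\Users\\Public\\tools\\SRVANY.EXE" StartType=auto
EventID=7045 ServiceName=LegacyBridge ImagePath="C:\\Program Files\\Vendor\\app.exe" StartType=demand
EventID=4688 NewProcessName="C:\\Users\\Public\\tools\\instsrv.exe" CommandLine="instsrv.exe WinUpdSvc C:\\ProgramData\\WinUpd\\srvany.exe"
"""

WRAPPERS = ("srvany.exe", "instsrv.exe")  # Resource Kit wrappers named in the report
SUSPICIOUS_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")  # odd homes for a service
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"

def parse_record(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def service_install_reasons(rec):
    """Reasons a 7045 record looks like wrapper-based persistence (empty if none)."""
    path = rec.get("ImagePath", "").lower()
    reasons = []
    if any(w in path for w in WRAPPERS):
        reasons.append("resource-kit wrapper in ImagePath")
    if path.startswith(SUSPICIOUS_ROOTS):  # str.startswith accepts a tuple of prefixes
        reasons.append("service binary outside Program Files/System32")
    return reasons

def hunt(text):
    """Return {service_name: [reasons]} for every service that trips a rule."""
    hits = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") == "7045":
            for reason in service_install_reasons(rec):
                hits.setdefault(rec["ServiceName"], []).append(reason)
        elif rec.get("EventID") == "4688":
            # "instsrv.exe <ServiceName> <path>": tie the install command to its service.
            argv = rec.get("CommandLine", "").split()
            if len(argv) > 1 and argv[0].lower().endswith("instsrv.exe"):
                hits.setdefault(argv[1], []).append("registered with instsrv.exe (Event 4688)")
    return hits

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

srvany.exe is a legitimate (if obsolete) Microsoft tool, so treat hits as triage leads: the program it actually launches is the service's Parameters\Application registry value, which is the path worth checking against the sideloading scenarios described above.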
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
Where they're from
Attributed origin per open-source reporting.
- CN (China)
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
- Associated with multiple attacks against government organizations in Southeast Asia.
- China-aligned espionage campaign referenced as overlapping with CL-STA-1048 and CL-STA-1049 through shared tooling such as Masol RAT and FluffyGh0st.
- Chinese state-sponsored cyberespionage campaign targeting a Southeast Asian government organization to maintain long-term access, conduct reconnaissance, collect sensitive military and technical information, and sustain redundant C2 access.
- Chinese state-sponsored cyberespionage campaign against a Southeast Asian government organization, focused on long-term access, reconnaissance, credential theft, and exfiltration of sensitive military/political documents, using extensive DLL sideloading, multiple redundant C2 implants, and evasion (including in-memory unhooking).