Sophos, a cybersecurity solutions provider, has identified an expansion of a Chinese state-sponsored cyberespionage campaign, Operation Crimson Palace, across Southeast Asia (SEA). 

According to Sophos, the campaign, ongoing for nearly two years, involves three clusters of activity — Cluster Alpha, Bravo, and Charlie — targeting a high-profile government organization and other regional entities.

Sophos’ latest report, “Crimson Palace: New Tools, Tactics, Targets,” reveals that the clusters have shifted their tactics. Cluster Charlie has moved from custom malware to open-source tools, increasing its adaptability. Sophos also uncovered a new keylogger, dubbed “Tattletale,” that impersonates legitimate users to steal sensitive information, including cached passwords and security settings.

Sophos threat hunters observed a resurgence of Cluster Bravo and Cluster Charlie activity after a hiatus in August 2023. Both clusters expanded their reach to new organizations, raising concerns about a broader espionage campaign.

“The shift to open-source tools shows how these groups quickly adapt,” said Paul Jaramillo, director of Threat Intelligence at Sophos. “While we’ve disrupted parts of their infrastructure, the pivot in tactics keeps them persistent.”

Cluster Charlie has been linked to the Chinese group Earth Longzhi, while Cluster Bravo shares traits with Unfading Sea Haze, another nation-state actor. Sophos warns that these groups are refining their tactics and could extend their operations further across Southeast Asia.
