
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP archive containing an executable and a DLL, consistent with the DLL side-loading label below. VELETRIX uses anti-analysis techniques, IPFuscation (payload bytes stored as IPv4-address strings and decoded at run time), and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The infrastructure uses tools such as SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.
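IPFuscation is the one detail of the chain above that a responder can exercise offline: the payload is split into four-byte groups, each written as a dotted-quad IPv4 string, and the strings are converted back to bytes at run time (on Windows the usual primitive is RtlIpv4StringToAddressA) before being handed to a callback for execution. The Python below is an added example written for this page; it is not VELETRIX, VShell, or the analysts' tooling. It encodes a constructed 32-byte stub as dotted quads, decodes it back, and carves runs of adjacent IPv4 literals out of a constructed C-style source fragment while ignoring lone addresses. The payload bytes, the 0x90 padding choice, the min_run threshold and the sample text are all assumptions made for illustration.

```python
"""
IPfuscation round-trip and carving (added illustration, not VELETRIX/VShell code).

Encoder: four payload bytes -> one "a.b.c.d" string.  Decoder: the inverse.
Scanner: recover a payload from a text blob (source, strings output) by
looking for runs of adjacent IPv4 literals.
"""
import re
from typing import Iterable, List

# Strict dotted quad: every octet 0-255, word-bounded on both sides.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Text allowed between two addresses of the same run: whitespace, quotes,
# commas, brackets. Anything else (identifiers, comments) breaks the run.
SEPARATOR_RE = re.compile(r"""^[\s"',\[\]{}()]*$""")

# Constructed payload: a generic x64 shellcode prologue (32 bytes), NOT a
# sample from the campaign. Its only role is to be encoded and recovered.
PAYLOAD = bytes.fromhex(
    "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b52"
)


def ipfuscate(data: bytes, pad: int = 0x90) -> List[str]:
    """Encode bytes as IPv4 literals. Length is padded to a multiple of 4;
    0x90 (NOP) as the pad byte is an arbitrary choice for this example."""
    padded = data + bytes([pad]) * (-len(data) % 4)
    return [".".join(str(b) for b in padded[i:i + 4])
            for i in range(0, len(padded), 4)]


def deipfuscate(addrs: Iterable[str]) -> bytes:
    """Decode IPv4 literals back to bytes, rejecting malformed input."""
    out = bytearray()
    for addr in addrs:
        octets = addr.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted quad: {addr!r}")
        values = [int(o) for o in octets]          # ValueError on non-digits
        if any(v < 0 or v > 255 for v in values):
            raise ValueError(f"octet out of range: {addr!r}")
        out.extend(values)
    return bytes(out)


def carve_ipfuscated(text: str, min_run: int = 8) -> List[bytes]:
    """Find runs of at least `min_run` adjacent IPv4 literals and decode each.
    Isolated addresses (config hosts, version strings) are ignored."""
    runs: List[List[str]] = []
    current: List[str] = []
    last_end = None
    for m in IPV4_RE.finditer(text):
        if last_end is not None and SEPARATOR_RE.match(text[last_end:m.start()]):
            current.append(m.group())              # continues the current run
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [m.group()]                  # start a new run
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return [deipfuscate(run) for run in runs]


# Constructed C-style fragment: one ordinary address plus the encoded PAYLOAD.
SAMPLE_SOURCE = r'''
static const char *cfg_host = "10.0.0.1";   /* lone, legitimate address */
static const char *stub[] = {
    "252.72.131.228", "240.232.192.0", "0.0.65.81", "65.80.82.81",
    "86.72.49.210", "101.72.139.82", "96.72.139.82", "24.72.139.82"
};
'''

if __name__ == "__main__":
    assert deipfuscate(ipfuscate(PAYLOAD)) == PAYLOAD
    for blob in carve_ipfuscated(SAMPLE_SOURCE):
        print(f"recovered {len(blob)} bytes: {blob.hex()}")
```

The run threshold is what keeps this usable on real binaries: a single "1.2.3.4" version string or a hard-coded C2 address never qualifies, while an encoded stage of any useful size produces dozens of adjacent literals. When triaging a Windows sample, a long string array of this shape next to an import of RtlIpv4StringToAddressA (or its IPv6 sibling) is the pattern to look for; the decoded bytes can then be fed straight into a disassembler or emulator.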

OPENCTI LABELS :

cobalt strike, cve-2024-1709, unc5174, supershell, china-nexus, vshell, dll-sideloading, cve-2025-31324, veletrix, earth lamia, ipfuscation, callback-execution



