Budworm Espionage Group

An advanced persistent threat (APT) actor known as Budworm targeted a U.S.-based entity for the first time in more than six years, according to latest research.

The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News.

Other "strategically significant" intrusions mounted over the past six months were directed against a government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in South East Asia.

Budworm, also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is a threat actor that's believed to operate on behalf of China through attacks that leverage a mix of custom and openly available tools to exfiltrate information of interest.


"Bronze Union maintains a high degree of operational flexibility in order to adapt to the environments it operates in," Secureworks notes in a profile of the nation-state group, pointing out its ability to "maintain access to sensitive systems over a long period of time."

A prominent backdoor attributed to the adversarial collective is HyperBro, which has been put to use since at least 2013 and is in continuous development. Its other tools include PlugX, SysUpdate, and the China Chopper web shell.

The latest set of attacks are no different, with the threat actor leveraging Log4Shell flaws to compromise servers and install web shells, ultimately paving the way for the deployment of HyperBro, PlugX, Cobalt Strike, and credential dumping software.


The development marks the second time Budworm has been linked to an attack on a U.S. entity. Earlier this month, the U.S. government revealed that multiple nation-state hacking groups breached a defense sector organization using ProxyLogon flaws in Microsoft Exchange Server to drop China Chopper and HyperBro.

"In more recent years, the group's activity appears to have been largely focused on Asia, the Middle East, and Europe," the researchers said. "A resumption of attacks against U.S.-based targets could signal a change in focus for the group."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.