Chinese APT Group

Governmental entities in the Middle East, Africa, and Asia are the target of a Chinese advanced persistent threat (APT) group as part of an ongoing cyber espionage campaign dubbed Operation Diplomatic Specter since at least late 2022.

"An analysis of this threat actor's activity reveals long-term espionage operations against at least seven governmental entities," Palo Alto Networks Unit 42 researchers Lior Rochberger and Daniel Frank said in a report shared with The Hacker News.

"The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers."

The cybersecurity firm, which previously tracked the activity cluster under the name CL-STA-0043, said it's graduating it to a temporary actor group codenamed TGR-STA-0043 owing to its assessment that the intrusion set is the work of a single actor operating on behalf of Chinese state-aligned interests.

Targets of the attacks include diplomatic and economic missions, embassies, military operations, political meetings, ministries of targeted countries, and high-ranking officials.


CL-STA-0043 was first documented in June 2023 as targeting government agencies in the Middle East and Africa using rare credential theft and Exchange email exfiltration techniques.

A subsequent analysis from Unit 42 towards the end of last year uncovered overlaps between CL-STA-0043 and CL-STA-0002 arising from the use of a program called Ntospy (aka NPPSpy) for credential theft operations. Unit 42 told The Hacker News that the two clusters are different, but have overlaps and are connected to each other.

Chinese APT Group

Attack chains orchestrated by the group have involved a set of previously undocumented backdoors such as TunnelSpecter and SweetSpecter, which are both variants of the infamous Gh0st RAT, a tool used profusely in espionage campaigns orchestrated by Beijing government hackers.

TunnelSpecter gets its name from the use of DNS tunneling for data exfiltration, giving it an extra layer of stealth. SweetSpecter, on the other hand, is so called for its similarities to SugarGh0st RAT, another custom variant of Gh0st RAT that has been put to use by a suspected Chinese-speaking threat actor since August 2023.

Operation Diplomatic Specter

Both the backdoors allow the adversary to maintain stealthy access to their targets networks, alongside the ability to execute arbitrary commands, exfiltrate data, and deploy further malware and tools on the infected hosts.

"The threat actor appears to closely monitor contemporary geopolitical developments, attempting to exfiltrate information daily," the researchers said.

This is realized through targeted efforts to infiltrate targets' mail servers and to search them for information of interest, in some cases repeatedly attempting to regain access when the attackers' activities were detected and disrupted. Initial access is accomplished by the exploitation of known Exchange server flaws such as ProxyLogon and ProxyShell.

"The threat actor searched for particular keywords and exfiltrated anything they could find related to them, such as entire archived inboxes belonging to particular diplomatic missions or individuals," the researchers pointed out. "The threat actor also exfiltrated files related to topics they were searching for."

The Chinese links to Operation Diplomatic Specter further stem from the use of operational infrastructure exclusively used by China-nexus groups like APT27, Mustang Panda, and Winnti, not to mention tools like the China Chopper web shell and PlugX.

"The exfiltration techniques observed as part of Operation Diplomatic Specter provide a distinct window into the possible strategic objectives of the threat actor behind the attacks," the researchers concluded.

"The threat actor searched for highly sensitive information, encompassing details about military operations, diplomatic missions and embassies and foreign affairs ministries."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.