Researchers have discovered TA423, a Chinese cyberespionage threat actor, targeting energy and manufacturing firms worldwide. It aimed attacks on entities conducting energy exploration in the South China Sea, Australia, Malaysia, and Europe.

Attack campaign in three phases

The latest Phase 3 was conducted from April to mid-June, against Australia and Malaysia.
  • It is effectively a phishing/watering hole campaign that delivers a customized version of ScanBox, a JavaScript code used to collect information about the visitor’s system.
  • The Australian targets included the federal government, defense and public health sectors.
  • The Malaysian targets included offshore drilling and deep-water energy exploration firms, and global marketing and finance companies.
  • Phase 2 occurred in March and used RTF template injection attachments, which returned a macro-laden Microsoft Word document. Moreover, phase 1 of the phishing campaign involved weaponized RTF attachments that ultimately retrieved versions of the Meterpreter shellcode.

Targeted entities

TA423 is active since 2013, targeted organisations include defence contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with South China Sea operations.

Operation details

In an instance, a phishing email was sent to victims that redirected them to a malicious website masquerading as an Australian news website.
  • Targets who visited the website were served with ScanBox.
  • The primary payload sets its configuration, including the information to be gathered and the C2 server to be contacted. It harvests detailed data on the browser being used.
  • Subsequent plugins delivered to the victim include a keylogger, browser plugin identification, browser fingerprinting, a peer connection plugin, and a security check for Kaspersky Internet Security.
  • The ScanBox exploitation framework is believed to be used by other Chinese threat groups as well.


The most recent developments confirm that the phishing campaign has been active for over a year and has a global reach. To keep yourself abreast with all the key developments in threat landscape, security analysts has a viable option to engage with threat intel platform. Here’s how to choose one.
Cyware Publisher