Naikon APT Group is Now Using Nebulae Backdoor

Naikon, a cyberespionage group from China, has been actively employing a new backdoor for multiple cyberespionage operations targeting military organizations in Southeast Asia. The backdoor, identified as Nebulae, is used for gaining persistence on infected systems.

What has been discovered?

Naikon APT conducted malicious activity between June 2019 and March 2021.
  • At the beginning of its operation in 2019, the APT had used the Aria-Body loader and Nebulae as the first stage of the attack.
  • Starting September 2020, the APT group included the RainyDay backdoor in its toolkit. The attribution to Naikon is based on the C2 servers and artifacts utilized in its attacks.
  • The APT group now delivers RainyDay (aka FoundCore) as a first-stage payload to propagate second-stage malware and tools, including the Nebulae backdoor.

About Nebulae

  • It has the ability to collect LogicalDrive info, manipulate files and folders, download and upload files from and to the C2 server, and terminate/list/execute processes on infected devices.
  • In addition, the malware adds a registry key that automatically runs the malicious code after login whenever the system reboots. It is used as a backup access point to the victim in case of an adverse scenario for the actors.

Additional insights

Naikon targeted several organizations located in various countries around the South China Sea, such as Malaysia, Singapore, Indonesia, Thailand, and the Philippines. It focuses on government and military entities.
  • Bitdefender experts disclosed a long-running campaign linked with the APT group. Additionally, the group mostly uses the DLL hijacking technique to execute its malicious code.
  • The APT group also abuses legitimate software, such as VirusScan (McAfee), Sandboxie COM Services (SANDBOXIE L.T.D), Outlook Item Finder (Microsoft), and Mobile Popup Application (Quick Heal).
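
For defenders, the DLL hijacking pattern described above can be hunted in image-load telemetry. The following is an added example, not code from the article or from Bitdefender: it flags hosts signed by the vendors named above that load an unsigned DLL from their own directory. The event field names, file paths, and install roots are assumptions, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Signer substrings for the vendors the article names as abused hosts.
ABUSED_SIGNERS = ("mcafee", "sandboxie", "microsoft", "quick heal")
# Assumption: roots where legitimately installed software normally lives.
INSTALL_ROOTS = [PureWindowsPath(p) for p in
                 (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")]

# Constructed image-load events; field names and paths are illustrative only.
SAMPLE_EVENTS = [
    {"host": r"C:\ProgramData\cache\host_a.exe", "host_signer": "Quick Heal",
     "dll": r"C:\ProgramData\cache\helper.dll", "dll_signed": False},
    {"host": r"C:\Program Files\VendorB\host_b.exe", "host_signer": "McAfee",
     "dll": r"C:\Program Files\VendorB\lib_b.dll", "dll_signed": True},
    {"host": r"C:\Program Files\VendorC\host_c.exe", "host_signer": "Microsoft",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"host": r"C:\Program Files\VendorD\host_d.exe", "host_signer": "SANDBOXIE L.T.D",
     "dll": r"C:\Program Files\VendorD\extra.dll", "dll_signed": False},
    {"host": r"C:\Users\Public\tool.exe", "host_signer": "Example Corp",
     "dll": r"C:\Users\Public\tool.dll", "dll_signed": False},
]


def sideload_findings(events):
    """Return (host, dll, severity) for vendor-signed hosts that load an
    unsigned DLL from their own directory, the layout DLL hijacking needs."""
    findings = []
    for ev in events:
        host, dll = PureWindowsPath(ev["host"]), PureWindowsPath(ev["dll"])
        signer = ev["host_signer"].lower()
        if not any(s in signer for s in ABUSED_SIGNERS):
            continue  # host is not signed by a vendor named in the article
        if ev["dll_signed"] or host.parent != dll.parent:
            continue  # signed DLL, or one loaded from another directory
        # A vendor binary running outside every install root is a stronger signal.
        relocated = not any(root in host.parents for root in INSTALL_ROOTS)
        findings.append((str(host), str(dll), "high" if relocated else "medium"))
    return findings


if __name__ == "__main__":
    for finding in sideload_findings(SAMPLE_EVENTS):
        print(finding)
```

The vendor filter narrows the hunt to the hosts this campaign is reported to abuse; dropping it widens coverage at the cost of more noise from unsigned plugins.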


Naikon APT group has been running the operation silently for two years and has launched multiple cyberespionage operations. Moreover, the group has been active since 2010 and still poses a severe threat to several military organizations in Southeast Asia. Thus, security agencies and professionals need to keep a strict eye on this threat.
Cyware Publisher