
Operation Tainted Love: New Cyberespionage Campaign by Chinese

In the first quarter of this year, telecommunication providers in the Middle East were hit by cyberattacks. SentinelOne attributed this activity to an evolved toolset associated with Operation Soft Cell. While the threat actor is likely a Chinese cyberespionage gang, the exact attribution remains unclear.

Diving into details

The attack begins by infiltrating internet-facing Microsoft Exchange servers with webshells for command execution. 
  • Once access is gained, the attackers engage in a range of activities, including reconnaissance, credential theft, lateral movement, and data exfiltration.
  • Operation Soft Cell relies heavily on a custom credential theft malware called mim221, which features modified versions of Mimikatz and advanced anti-detection capabilities.
  • Mim221 is actively maintained and updated, demonstrating the attackers' commitment to enhancing their toolset for maximum stealth.
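As an added defender-side example (not code from the original report or from SentinelOne), the following Python flags the two early stages described above in constructed Sysmon-style events. It assumes that Exchange webshells execute commands through the IIS worker process w3wp.exe and that a Mimikatz-derived tool such as mim221 must open a handle to lsass.exe, which Sysmon records as Event ID 10; the access masks and file names are assumptions for illustration.

```python
"""Detection logic for two stages of the chain: (1) a webshell on Exchange
runs commands via the IIS worker w3wp.exe, so w3wp.exe spawning a shell is
suspicious; (2) Mimikatz-derived credential theft opens lsass.exe, seen as
Sysmon Event ID 10 (ProcessAccess). All events below are constructed."""

SHELLS = {"cmd.exe", "powershell.exe"}
# Access masks commonly requested on LSASS by Mimikatz-style dumping
# (PROCESS_VM_READ / QUERY_INFORMATION combinations); tune per environment.
LSASS_MASKS = {"0x1010", "0x1410", "0x1038", "0x1fffff"}

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_event(event):
    """Return alert strings for one Sysmon-like event dict (empty if benign)."""
    alerts = []
    if event["EventID"] == 1:  # ProcessCreate
        if (basename(event["ParentImage"]) == "w3wp.exe"
                and basename(event["Image"]) in SHELLS):
            alerts.append(f"IIS worker spawned shell: {event['CommandLine']}")
    elif event["EventID"] == 10:  # ProcessAccess
        if (basename(event["TargetImage"]) == "lsass.exe"
                and event["GrantedAccess"].lower() in LSASS_MASKS):
            alerts.append(f"LSASS access {event['GrantedAccess']} "
                          f"from {event['SourceImage']}")
    return alerts

def scan(events):
    """Run flag_event over a sequence of events and collect all alerts."""
    return [a for e in events for a in flag_event(e)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not campaign data
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\suspect.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```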

Attribution

  • The tooling points to a link with the Operation Soft Cell campaign, but the specific threat actor involved remains unclear.
  • APT41 is a possible connection, due to shared code similarities and the use of a common code signing certificate.
  • There is a medium-confidence assessment that Gallium is involved, based on previous target and TTP overlaps and familiarity with victim environments.

Latest Chinese attacks

  • The Chinese state-sponsored threat group Mustang Panda was discovered targeting entities in Asia Pacific and Europe, in a campaign ongoing since 2020. It used the MQsTTang custom backdoor. 
  • In February, DEV-0147—a Chinese cyberespionage gang—was spotted targeting South American diplomatic entities. It used the ShadowPad backdoor, in conjunction with other tools, in its campaign. 

The bottom line

Chinese cyberespionage groups have demonstrated a clear focus on the Middle East through targeted attacks on government, finance, entertainment, and telecommunication entities. Furthermore, the usage of mim221 reveals ongoing efforts by Chinese threat actors to improve their malware and evade detection, suggesting that these attacks will persist and evolve over time.
Publisher: Cyware