A surveillance operation launched by SharpPanda APT group is active right now and targeting a Southeast Asian government. The campaign is using a previously unknown malware backdoor now identified as Victory. According to researchers, malware has been under development for the past three years.

The multi-stage infection chain

According to Check Point Research, attackers are using spear-phishing emails laden with malicious Word documents to gain initial access. They are also exploiting older Office security vulnerabilities.
  • The malicious documents were sent to various employees of a government entity in Southeast Asia. In some cases, the emails are spoofed, pretending to be sent from other government-related entities.
  • The attachments with these emails are weaponized copies of legitimate-looking official documents and use a remote template method to start the next stage from the attacker’s server.
  • The malicious documents download a template from multiple URLs, which are .RTF files created with RoyalRoad weaponizer - a tool for creating maldocs that exploit Equation Editor’s vulnerabilities.
  • The RoyalRoad-generated RTF document has a shellcode and an encrypted payload. To decrypt the payload from the package, the APT group uses the RC4 algorithm with the key 123456 and drops a DLL file.

Victory backdoor

The multi-stage chain ultimately results in the installation of the backdoor module, identified as Victory. It steals information and provides attackers with consistent access to the victim.
  • It can take screenshots, manipulate files (such as deleting, creating, reading, and renaming them), collect information on the top-level opened windows, and shut down the computer.
  • Additionally, it can get TCP/UDP tables, CD-ROM drives data, registry keys info, and victim’s computer information.


The long-running Chinese operation managed to stay under the radar for more than three years. Additionally, attackers behind this campaign are using anti-analysis and anti-debugging techniques to hide the Victory backdoor. To protect from such threats, organizations are suggested to use a reliable anti-malware solution on all connected devices.

Cyware Publisher