Crimson

Malware Profile Updated a month ago
Crimson is a type of malware that has been used in various cyber-espionage campaigns, notably by ProjectM. The malware was first observed in 2013 and has been continuously employed in attacks alongside other payloads such as Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crimson, Andromeda, and Peppy Trojans, one of which was "sahirlodhi[.]com"; this domain also served as the download location for a sample of the Crimson tool. Additionally, ProjectM leveraged blogs with Indian themes, such as the India News Tribe (intribune[.]blogspot[.]com), to deliver Crimson payloads.

The most recent and significant use of Crimson malware is in a long-term, Chinese state-sponsored cyber-espionage operation dubbed "Crimson Palace". Unearthed by Sophos Managed Detection and Response, this complex operation involved three different threat teams conducting coordinated attacks against a Southeast Asian government agency. The campaign demonstrated a high degree of inter-APT collaboration, involving new malware tools, more than 15 dynamic link library (DLL) sideloading efforts, and novel evasion techniques. Tools and infrastructure associated with known Chinese threat actors, most notably Worok and the APT41 subgroup Earth Longzhi, were found to overlap with those used in Operation Crimson Palace. Sophos attributes the activity in Operation Crimson Palace with high confidence to clusters associated with Chinese state-sponsored activity. Despite the operation's complexity and sophistication, it highlights that attribution alone does not necessarily predict an attacker's next moves: as the operation demonstrates, even highly skilled groups may employ completely different techniques in subsequent attacks. The Crimson Palace campaign began the following year, led by a team Sophos refers to as Cluster Alpha.
This discovery underscores the increasing sophistication and coordination among advanced persistent threats (APTs) in their cyber-espionage campaigns.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description

Crimson Rat (1): Crimson RAT is a malicious software, or malware, primarily used by the threat actor known as APT36 or Transparent Tribe. This custom .NET Remote Access Trojan (RAT) has been observed in multiple instances of cyber-attacks, mainly targeting India and Afghanistan. Over time, alongside Crimson RAT, Tra

Peppy Trojan (1): None

Peppy (1): Peppy is a malicious software (malware) that has been identified as part of a broader cyber threat landscape. The malware, which is a Python-based Remote Access Trojan (RAT), was discovered during an analysis of the registration information of several Trojan command and control domains used by Proje
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Rat, Chinese, Trojan, State Sponso..., Vulnerability, Exploit, Espionage, iranian, Payload, Iran, Ransomware, China, Sophos, Implant, Worm, Microsoft’s, Microsoft, Sentinellabs, Sentinelone
Associated Malware
Profile (type, votes): Description

DarkComet (Unspecified, 1): DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es
Associated Threat Actors
Profile (type, votes): Description

Transparent Tribe (Unspecified, 4): Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has

APT36 (Unspecified, 4): APT36, also known as Transparent Tribe and Earth Karkaddan, is a notorious threat actor believed to be based in Pakistan. The group has been involved in cyberespionage activities primarily targeting India, with a focus on government, military, defense, aerospace, and education sectors. Their campaig

Tortoiseshell (Unspecified, 1): Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c

CURIUM (Unspecified, 1): Curium, also known as Crimson Sandstorm, is an Iranian threat actor group that has been meticulously targeting users over time. Unlike other threat actors who commonly utilize phishing emails, Curium employs a unique approach by creating a network of fictitious social media accounts to build trust w

Ta456 (Unspecified, 1): TA456, also known as Imperial Kitten, Tortoiseshell, and Crimson Sandstorm, is a threat actor believed to be based in Iran. This group has been implicated in various cyber-espionage activities, leveraging social engineering tactics and malware distribution to compromise their targets. In one notable

APT41 (Unspecified, 1): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4

Earth Longzhi (Unspecified, 1): Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. This group had been on hiatus since its last campaign which ran from August 2021 to June 2022. Trend Micro's investigat

ProjectM (Unspecified, 1): ProjectM, also known as Transparent Tribe, APT36, Copper Fieldstone, and Mythic Leopard, is a threat actor group originating from Pakistan that has been active since 2013. The group has targeted Indian governmental, military, and research organizations, along with their employees, using a variety of
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Crimson malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | a month ago | Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
InfoSecurity-magazine | 2 months ago | Chinese State-Sponsored Operation “Crimson Palace” Revealed
BankInfoSecurity | 2 months ago | Chinese South China Sea Cyberespionage Campaign Unearthed
DARKReading | 2 months ago | Chinese Threat Clusters Triple-Team High-Profile Asian Government Org
CERT-EU | 5 months ago | Search | arXiv e-print repository
CERT-EU | 7 months ago | Jim Harbaugh responds to Alabama players not watching film on iPads due to hacking allegations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 7 months ago | Hacking Concerns Rose Bowl Teams | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 9 months ago | NVD - CVE-2023-5719
CERT-EU | 9 months ago | SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
CERT-EU | 9 months ago | Red Lion Crimson
CISA | 9 months ago | Red Lion Crimson | CISA
CERT-EU | a year ago | Hackers Deliver Updated STRRAT Malware Using Weaponized PDF Files
CERT-EU | a year ago | Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry - GIXtools
MITRE | a year ago | ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
MITRE | a year ago | Transparent Tribe: Evolution analysis, part 1 | Securelist
CERT-EU | a year ago | Here is why Siege’s new operator Brava is going to be a game-changer with her hacking drone — SiegeGG | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
InfoSecurity-magazine | a year ago | Pakistan-Aligned Hackers Disrupt Indian Education Sector
BankInfoSecurity | a year ago | APT36 Running Espionage Ops Against India's Education Sector
CERT-EU | a year ago | Pakistan-linked hackers target India’s education sector with Crimson malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | a year ago | Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting