Crimson

Malware updated a year ago (2024-11-29T14:17:37.084Z)
Download STIX
Preview STIX
Crimson is a malware used in various cyber-espionage campaigns, most notably in Operation Crimson Palace. This operation has been active since March 2023, with heightened activity observed in 2024. It is a concerted effort by three Chinese Advanced Persistent Threat (APT) groups targeting Southeast Asian governmental and public service organizations. The malware was distributed through multiple channels, including a domain known as “sahirlodhi[.]com”, which was also utilized by ProjectM for the download of the Crimson tool. A blog with an Indian theme resembling the India News Tribe (intribune[.]blogspot[.]com) blog was also used by ProjectM in Operation Transparent Tribe to deliver Crimson payloads. The operational strategy of Crimson Palace is likened to a heist movie, where each participating group has a unique specialty. They establish command-and-control (C2) communications channels, often using one victim as a relay point to attack another. Despite being actively pursued by cybersecurity analysts, the three arms of Crimson Palace have managed to breach several public and private organizations in Asia, stealing sensitive strategic data and materials. The targets include more than a dozen entities in Southeast Asia, among them prominent government agencies. Researchers at Sophos Managed Detection and Response uncovered this complex, multi-cluster Chinese state-sponsored cyberespionage operation, attributing the hacking activity with high confidence to clusters associated with Chinese state-sponsored activities. The discovery emphasizes the unpredictability of such threat actors. As demonstrated by Crimson Palace, even if one group excels at a certain technique, it does not preclude the use of completely different techniques later on, making the prediction of their next moves challenging.
Description last updated: 2024-10-17T12:17:31.308Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Peppy is a possible alias for Crimson. Peppy is a malicious software (malware) that has been identified as part of a broader cyber threat landscape. The malware, which is a Python-based Remote Access Trojan (RAT), was discovered during an analysis of the registration information of several Trojan command and control domains used by Proje
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Red Hat
Rat
Trojan
Chinese
State Sponso...
Telegram
Aws
Vulnerability
Exploit
Extortion
Espionage
Sophos
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Hunters Malware is associated with Crimson. Malware hunters, often referred to as bug hunters, play a critical role in cybersecurity by identifying and addressing vulnerabilities in software systems. In 2023, these professionals proved their worth at the Pwn2Own Toronto event where they identified 58 unique zero-day vulnerabilities, earning aUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Transparent Tribe Threat Actor is associated with Crimson. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com, and others. The group has Unspecified
4
The APT36 Threat Actor is associated with Crimson. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has been persistently targeting Indian government organizations, diplomatic personnel, and military facilities. This group has been involved in several malicious campaigns, with the most recent one being tracked by Cisco TUnspecified
4
The Lapsus Threat Actor is associated with Crimson. Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passworUnspecified
2
Source Document References
Information about the Crimson Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
11 days ago
Unit42
13 days ago
Krebs on Security
16 days ago
Checkpoint
18 days ago
Securityaffairs
22 days ago
Securityaffairs
2 months ago
DARKReading
a year ago
Checkpoint
a year ago
DARKReading
a year ago
DARKReading
a year ago
InfoSecurity-magazine
a year ago
BankInfoSecurity
a year ago
DARKReading
a year ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CISA
2 years ago