Crimson

Malware updated a month ago (2024-10-17T13:01:53.208Z)
Crimson, also reported as CrimsonRAT, is a remote access trojan used in cyber-espionage campaigns attributed to the Pakistan-based threat actor APT36, also known as Transparent Tribe and ProjectM, which has persistently targeted Indian government organizations, diplomatic personnel and military facilities. The malware has been distributed through several channels: the domain sahirlodhi[.]com was used by ProjectM to host the Crimson download, and an Indian-themed blog resembling the India News Tribe (intribune[.]blogspot[.]com) was used in Operation Transparent Tribe to deliver Crimson payloads.

Crimson should not be confused with Operation Crimson Palace, a separate campaign that shares only the name. Crimson Palace is a Chinese state-sponsored cyberespionage operation, active since at least March 2023 with heightened activity observed in 2024, in which three Chinese Advanced Persistent Threat (APT) clusters targeted governmental and public service organizations in Southeast Asia. Researchers at Sophos Managed Detection and Response uncovered the operation and attribute the activity with high confidence to clusters associated with Chinese state-sponsored activity. The operation has been likened to a heist movie in which each participating group has its own specialty: the clusters establish their own command-and-control (C2) channels and often use one compromised victim as a relay point from which to attack another. Despite active pursuit by analysts, the three arms of Crimson Palace breached several public and private organizations in Asia, among them more than a dozen entities in Southeast Asia including prominent government agencies, and stole sensitive strategic data. Crimson Palace also illustrates how unpredictable such actors are: a cluster that excels at one technique can switch to entirely different tradecraft later, which makes predicting its next moves difficult.
Description last updated: 2024-10-17T12:17:31.308Z
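The description names the Crimson distribution domains as defanged indicators. The following added example (not code from this page or from any vendor report) refangs those two indicators and runs them over constructed DNS/proxy log lines to flag internal hosts that contacted them, matching subdomains of each indicator while ignoring look-alike names such as notsahirlodhi.com. The key=value log format, the timestamps and the 10.20.30.x source addresses are assumptions chosen for illustration.

```python
import re

# Distribution domains named in the description above, kept defanged as on the page.
CRIMSON_DEFANGED_IOCS = ["sahirlodhi[.]com", "intribune[.]blogspot[.]com"]

# Constructed sample log lines (assumed format: "<ts> src=<ip> qname=<host>|url=<url>");
# they are not real telemetry.
SAMPLE_LOG = [
    "2024-10-17T12:01:03Z src=10.20.30.41 qname=www.sahirlodhi.com.",
    "2024-10-17T12:01:09Z src=10.20.30.41 url=http://sahirlodhi.com/files/setup.exe",
    "2024-10-17T12:02:15Z src=10.20.30.55 qname=intribune.blogspot.com",
    "2024-10-17T12:03:00Z src=10.20.30.77 qname=notsahirlodhi.com",
    "2024-10-17T12:03:30Z src=10.20.30.77 url=https://blogspot.com/",
    "2024-10-17T12:04:44Z src=10.20.30.90 qname=updates.example.com",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) (?:qname|url)=(?P<target>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('sahirlodhi[.]com', 'hxxp://x[.]y') into a matchable form."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = s.replace("[:]", ":").replace("[@]", "@")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def _host_of(value: str) -> str:
    """Extract the bare hostname from a DNS name or URL (strips scheme, port, path, trailing dot)."""
    v = value.lower()
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)
    v = v.split("/", 1)[0].split(":", 1)[0]
    return v.rstrip(".")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IOC domain itself or a subdomain of it, never a look-alike suffix."""
    h = _host_of(host)
    d = refang(ioc_domain)
    return h == d or h.endswith("." + d)


def find_crimson_contacts(log_lines, iocs=CRIMSON_DEFANGED_IOCS):
    """Return (timestamp, source ip, contacted host, matched ioc) for every log line hitting an IOC."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for ioc in iocs:
            if host_matches(m["target"], ioc):
                hits.append((m["ts"], m["src"], _host_of(m["target"]), refang(ioc)))
                break
    return hits


if __name__ == "__main__":
    for ts, src, host, ioc in find_crimson_contacts(SAMPLE_LOG):
        print(f"{ts} {src} -> {host} (matches {ioc})")
```

The suffix check deliberately requires a leading dot, so a registered look-alike such as notsahirlodhi.com is not reported; in a real hunt the IOC list would be loaded from the STIX bundle rather than hard-coded.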
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Trojan
State Sponso...
Chinese
Exploit
Espionage
Sophos
Vulnerability
Associated Threat Actors
APT36 (association type: Unspecified; votes: 4)
The APT36 Threat Actor is associated with Crimson. APT36, also known as Transparent Tribe, is a Pakistan-based threat actor that has persistently targeted Indian government organizations, diplomatic personnel and military facilities. The group has been involved in several malicious campaigns, the most recent of which is being tracked by Cisco T

Transparent Tribe (association type: Unspecified; votes: 4)
The Transparent Tribe Threat Actor is associated with Crimson. Transparent Tribe is a threat actor known for conducting malicious campaigns against organizations in South Asia. The group has been linked to the ObliqueRAT malware and CrimsonRAT through its infrastructure, which includes the domains vebhost[.]com, zainhosting[.]net/com and others. The group has
Source Document References
Information about the Crimson malware was read from the following 20 documents (source and relative age as listed; titles and links were not included):
DARKReading: 2 months ago (x2), 5 months ago, 6 months ago
Checkpoint: 2 months ago
InfoSecurity-magazine: 6 months ago, 2 years ago
BankInfoSecurity: 6 months ago
CERT-EU: 9 months ago, a year ago (x6), 2 years ago (x2)
CISA: a year ago
MITRE: 2 years ago (x2)