Nspx30

Malware Profile Updated 2 months ago
NSPX30 is a sophisticated multistage malware implant discovered by ESET researchers. Its evolution traces back to a small backdoor named Project Wood, first compiled in 2005 and designed to collect data from victims. The implant is composed of several components: a dropper, an installer, loaders, an orchestrator, and a backdoor. NSPX30's design allows it to intercept packets, which lets its operators hide their infrastructure. It can establish a reverse shell, add itself to the allowlists of Chinese antivirus tools, and intercept network traffic, marking the apogee of the espionage tooling that came before it.

The malware was found being deployed through adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software such as Tencent QQ, WPS Office, and Sogou Pinyin. This method does not rely on typical tricks like phishing or infected web pages; instead, the backdoor is injected when these legitimate programs attempt to download updates from corporate servers over unencrypted HTTP. Because the software products used to spread NSPX30 have extensive user bases, this is a significant threat.

The discovery of NSPX30 highlights the importance of vigilance and robust endpoint protection. Mathieu Tartare, a senior malware researcher at ESET, advises users to ensure that their endpoint protection tool blocks NSPX30 and to pay attention to malware detections associated with legitimate software. NSPX30's ability to conceal itself within updates for popular software products has allowed it to operate undetected for over half a decade, underscoring the sophistication and stealth of this malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
ESET
Dropper
AitM
Implant
Malware
Antivirus
Chinese
Rootkit
Phishing
APT
Windows
Loader
Associated Malware
ID | Type | Votes | Profile Description
ZLib | Unspecified | 1 | Zlib is a known malware, a harmful program designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can cause significant damage, including stealing personal information, disrupting opera
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the NSPX30 malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
ESET | 6 months ago | Blackwood hijacks software updates to deploy NSPX30 – Week in security with Tony Anscombe
DARKReading | 6 months ago | Newly ID'ed Chinese APT Hides Backdoor in Software Updates
InfoSecurity-magazine | 6 months ago | China-Aligned APT Group Blackwood Unleashes NSPX30 Implant
ESET | 6 months ago | NSPX30: A sophisticated AitM-enabled implant evolving since 2005