Cybersecurity News in Asia

Features
- Featured
  
  Moving away from reactive cybersecurity to preemptive, continuous AI-powered cyber vigilance
  
  Monday, January 12, 2026, 10:01 AM Asia/Singapore | Features, Newsletter
- Featured
  
  Leveraging digital twins to combat rising AI-powered threats
  
  Thursday, January 8, 2026, 1:58 PM Asia/Singapore | Features
- Featured
  
  Editor's pick: Cybersecurity trends in 2026
  
  Wednesday, January 7, 2026, 10:36 AM Asia/Singapore | Cyberthreat Landscape, Features, Newsletter
Opinions
Tips
Whitepapers
Awards 2025
Directory
E-Learning

China-linked hackers exploit Windows Group Policy in cyberespionage across SEA, Japan

By CybersecAsia editors | Monday, January 12, 2026, 11:45 AM Asia/Singapore

Researchers uncover government-targeted operations using stealthy malware, memory loaders, and cloud-based C2 infrastructure spanning Asia and Europe since 2023.

A newly identified China-linked advanced persistent threat (APT) group has been conducting cyberespionage operations targeting government institutions across Southeast Asia and Japan, according to new threat intelligence.

Researchers have found that the group abuses Windows Group Policy, a legitimate administrative mechanism used in Active Directory environments, to deploy malware and move laterally within victim networks. The technique enables attackers to push malicious configurations across multiple machines and maintain persistence without detection.

The campaign, active since at least September 2023, came to light in 2024 when investigators discovered previously undocumented malware in the network of a South-east Asian government agency. Activity linked to the same actors resumed in late 2025, with renewed targeting focusing on regional governmental infrastructure.

Modus operandi

The intrusions rely on multiple custom-developed tools designed for data theft, command execution, and long-term reconnaissance.

One of the tools, written in C#/.NET, collects browser history data from commonly used browsers. This information is reportedly used to determine subsequent targets for further compromise.
Another utility collects metadata from victim machines — including hostnames, usernames, and operating system details — and communicates with external command-and-control (C&C) servers.
Additional components in the toolkit include a credential and browser data stealer, a downloader that executes encrypted payloads directly in memory, and a keylogger derived from an existing open-source project.

Analysts have also identified a reverse SOCKS5 proxy and an auxiliary tool capable of launching external applications, one of which was used to activate video recording software — likely FFmpeg — to capture audio and visual feeds.

Investigators have also documented a related malware variant deployed against an organization based in the European Union. That sample had used the Yandex Disk cloud storage platform for its command and control &C infrastructure, diverging from earlier cases that had relied on Microsoft OneDrive and Google Drive. The overlap in tooling and shared malware elements suggest possible cooperation or code sharing among multiple China-aligned threat actors.

According to the researchers from ESET who discovered the China-linked APT, the malware may be distributed “among multiple China-aligned threat groups.” The campaign reflects an evolution in regional cyberespionage activity aimed at collecting intelligence from public sector and diplomatic networks in Asia and Europe. The use of legitimate administrative functions such as Group Policy underscores the attackers’ emphasis on stealth and persistence within government networks.