Researchers uncover government-targeted operations using stealthy malware, memory loaders, and cloud-based C2 infrastructure spanning Asia and Europe since 2023.

A newly identified China-linked advanced persistent threat (APT) group has been conducting cyberespionage operations targeting government institutions across Southeast Asia and Japan, according to new threat intelligence.

Researchers have found that the group abuses Windows Group Policy, a legitimate administrative mechanism used in Active Directory environments, to deploy malware and move laterally within victim networks. The technique enables attackers to push malicious configurations across multiple machines and maintain persistence without detection.

The campaign, active since at least September 2023, came to light in 2024 when investigators discovered previously undocumented malware in the network of a South-east Asian government agency. Activity linked to the same actors resumed in late 2025, with renewed targeting focusing on regional governmental infrastructure.

Modus operandi

The intrusions rely on multiple custom-developed tools designed for data theft, command execution, and long-term reconnaissance.

  • One of the tools, written in C#/.NET, collects browser history data from commonly used browsers. This information is reportedly used to determine subsequent targets for further compromise.
  • Another utility collects metadata from victim machines — including hostnames, usernames, and operating system details — and communicates with external command-and-control (C&C) servers.
  • Additional components in the toolkit include a credential and browser data stealer, a downloader that executes encrypted payloads directly in memory, and a keylogger derived from an existing open-source project.

Analysts have also identified a reverse SOCKS5 proxy and an auxiliary tool capable of launching external applications, one of which was used to activate video recording software — likely FFmpeg — to capture audio and visual feeds.

Investigators have also documented a related malware variant deployed against an organization based in the European Union. That sample had used the Yandex Disk cloud storage platform for its command and control &C infrastructure, diverging from earlier cases that had relied on Microsoft OneDrive and Google Drive. The overlap in tooling and shared malware elements suggest possible cooperation or code sharing among multiple China-aligned threat actors.

According to the researchers from ESET who discovered the China-linked APT, the malware may be distributed “among multiple China-aligned threat groups.” The campaign reflects an evolution in regional cyberespionage activity aimed at collecting intelligence from public sector and diplomatic networks in Asia and Europe. The use of legitimate administrative functions such as Group Policy underscores the attackers’ emphasis on stealth and persistence within government networks.