Executive Summary
- A suspected China-linked group is conducting a cyber espionage campaign against government and media organizations in Southeast Asia.
- The initial attack vector is a malicious WinRAR file that exploits the CVE-2025-8088 vulnerability to gain persistence on a victim’s system.
- The campaign relies on a multi-stage infection process that uses DLL sideloading, abusing legitimate software like OBS Browser and Adobe Creative Cloud.
- A final backdoor payload allows attackers to execute commands, capture screenshots, and exfiltrate data via encrypted channels.
A sophisticated cyber espionage campaign attributed to a China-nexus group is actively targeting government and media organizations across Southeast Asia, according to a new report from security researchers. The operation, monitored since early 2025, employs advanced techniques to compromise high-value targets in nations including Laos, Cambodia, Singapore, the Philippines, and Indonesia.
Attack Methodology
The attack begins with spear-phishing emails carrying a malicious WinRAR archive named “Proposal_for_Cooperation_3415.05092025.rar”. According to research from CyberArmor, the archive exploits a path traversal vulnerability in WinRAR, tracked as CVE-2025-8088: when the victim extracts it, a persistence script is written outside the chosen extraction directory, into the victim’s Startup folder, so it executes at every login without any further user action.
The campaign’s core strategy is a multi-stage infection chain that relies heavily on DLL sideloading to evade detection. In one stage, the threat actors place a malicious DLL next to a legitimate executable from the OBS open-source browser so that the signed binary loads it. The same technique is reused in a later stage, where Adobe’s Creative Cloud Helper is abused to load another malicious library, which then decrypts and executes the final backdoor payload.
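The traversal-on-extraction step described above suggests a defensive pre-extraction check. As an added example (not code from the report or the researchers), the following Python classifies archive entry names against the intended extraction directory and flags any that would land outside it, with a distinct verdict for the per-user Startup folder; the extraction path and the entry names are constructed, and the archive listing is assumed to be supplied by whatever tool enumerates the archive.

```python
import ntpath

# Constructed archive entry names (not real indicators), modelled on the lure
# archive described above; a real check would read them from the archive listing.
SAMPLE_ENTRIES = [
    "Proposal_for_Cooperation/Proposal.pdf",
    "Proposal_for_Cooperation/img/logo.png",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
    r"..\..\Desktop\readme.txt",
    r"C:\Users\Public\helper.dll",
    r"notes.txt:..\..\Startup\run.bat",
]

# Per-user Startup folder path fragment; anything written under it runs at logon.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def classify_entry(extract_dir, name):
    """Classify one archive entry name relative to the absolute extraction directory.

    Returns one of: 'ok', 'absolute', 'ads', 'startup', 'traversal'.
    """
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith(("\\", "/")):
        return "absolute"      # written outside extract_dir by design
    if ":" in name:
        return "ads"           # NTFS alternate data stream syntax can hide a traversal path
    base = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    if ntpath.commonpath([base, target]).lower() != base.lower():
        # Entry resolves outside the extraction directory: classic path traversal.
        if STARTUP_MARKER in target.lower():
            return "startup"   # lands in the Startup folder, i.e. persistence
        return "traversal"
    return "ok"


def unsafe_entries(extract_dir, names):
    """Return (name, verdict) for every entry that should block extraction."""
    findings = []
    for name in names:
        verdict = classify_entry(extract_dir, name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in unsafe_entries(r"C:\Users\victim\Downloads\Proposal", SAMPLE_ENTRIES):
        print(f"{verdict:10} {name}")
```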
Payload and Objectives
The final payload establishes a connection with command-and-control servers, enabling the attackers to execute remote commands, capture screenshots, and exfiltrate files. Researchers observed that the backdoor communicates with its operators using Telegram and encrypted HTTPS traffic, further complicating detection efforts. The malware supports various functions, including command execution, file manipulation, and a kill switch to erase its presence.
The operation highlights a sustained espionage effort focused on entities that influence policy, public opinion, and strategic alignments in the contested South China Sea region. The use of legitimate software to mask malicious activity demonstrates the threat actor’s technical proficiency and careful planning in targeting sensitive sectors.
