
Peking Tom: Naikon APT Conducting Cyberespionage in APAC

The China-based Naikon APT group has finally been unmasked after five long years of espionage campaigns against various governments in the APAC region. The group used a backdoor named Aria-body, which was first detected in 2015.  

What is happening?

For the last five years, the threat actor has been targeting one specific region: Asia-Pacific. The backdoor has been used against national governments in Indonesia, Australia, the Philippines, Brunei, Thailand, and Myanmar. The targeted government entities include foreign affairs ministries, science and technology ministries, and government-owned organizations.

The situation

  • Naikon APT compromises a government entity and then uses this compromised entity to attack another entity.
  • Various infection chains are used to deliver the backdoor. 
  • GoDaddy is used as the registrar and Alibaba is used to host the attacker’s infrastructure. 

What the experts are saying

  • This is the most extensive operation ever carried out by a China-based APT group. 
  • It is suspected that since 2015, the group has been penetrating the personal computers of diplomats and hijacking ministerial servers. This makes the threat actor highly successful in collecting intel.
  • The malware has been observed spreading via diplomatic emails between governments and embassies to evade detection in their communications networks.

What else

  • Although it may seem that the group has been under the radar since 2015, that does not appear to be the case. It has been utilizing new server infrastructure and a new backdoor, along with other techniques.
  • The new variant of Aria-body contains a USB monitor module but lacks a reverse-socks module and keylogger component.

In essence

The entire report has been published by Check Point to be used as a resource by governments. The campaign is an extensive intelligence operation and the tactics employed by the espionage group are dangerous.

Cyware Publisher