The Chinese state-sponsored threat actor DEV-0147 has been spotted targeting diplomatic entities in South America with the ShadowPad remote access Trojan (RAT), also known as PoisonPlug.
Microsoft shared the findings on Twitter on Monday, saying the threat actor's new campaign represents a notable expansion of the group's data exfiltration operations that previously targeted government agencies and think tanks in Asia and Europe.
From a technical standpoint, the technology giant said it observed DEV-0147 deploy ShadowPad, a RAT associated with other China-based actors, to achieve persistence, and QuasarLoader, a webpack loader, to download and execute additional malware.
"DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement and the use of Cobalt Strike for command and control and data exfiltration," reads one of the Twitter posts.
"Microsoft 365 Defender detects these DEV-0147 attacks through Microsoft Defender for Identity and Defender for Endpoint. Organizations are also strongly advised to enforce [multi-factor authentication] MFA."
DEV-0147 is not the only threat actor in China leveraging ShadowPad in recent times. A June 2022 advisory by Kaspersky described Chinese threat actors using the malware to target unpatched Microsoft Exchange servers in different Asian countries.
According to security researchers at Secureworks, ShadowPad has evolved from the PlugX malware. It is frequently employed by Chinese adversarial groups connected to the Ministry of State Security (MSS) and the People's Liberation Army (PLA).
"Evidence available as of this publication suggests that ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups that operate on behalf of the regional theater commands," reads a Secureworks advisory from February 2022.
"The malware was likely developed by threat actors affiliated with BRONZE ATLAS and then shared with MSS and PLA threat groups around 2019. Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for [tactics, techniques and procedures] TTPs associated with this malware."