Operation CuckooBees deploys Spyder Loader against government targets in Hong Kong.
Spyder Loader active in Hong Kong.
Researchers at Symantec (a Broadcom company) warn that the “Operation CuckooBees” campaign (first observed by Cybereason in May 2022) now appears to be targeting government entities in Hong Kong with the Spyder Loader malware:
“The victims observed in the activity seen by Symantec were government organizations, with the attackers remaining active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.”
Attribution unclear, but signs point to Winnti.
Symantec doesn’t attribute the campaign to any particular threat actor, but Cybereason tied the earlier activity to the Chinese APT Winnti.
Symantec adds, “The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time. Companies that hold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks protected from this kind of activity.”