Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates

A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia.

The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee.

The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor called PlugX (aka Korplug) on victim networks.

“In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate,” the company said in a report shared with The Hacker News.


The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly Threat Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software.

The same company is said to have been infected before in September 2021 using the same technique. The attack, linked to a Chinese threat actor named Lucky Mouse (aka APT27, Budworm, or Emissary Panda), ultimately led to deployment of PlugX.

However, the latest campaign spotted by Symantec in April 2023 exhibits little commonalities to conclusively tie it to the same actor. Furthermore, the fact that PlugX is used by a variety of China-linked hacking groups makes attribution difficult.

As many as 100 computers in the impacted organizations are said to have been infected, although the Cobra DocGuard Client application was installed on roughly 2,000 endpoints, suggesting a narrowed focus.

“The malicious software was delivered to the following location on infected computers, which is what indicates that a supply chain attack or malicious configuration involving Cobra DocGuard is how the attackers compromised affected computers: ‘csidl_system_drive\program files\esafenet\cobra docguard client\update,'” Syamtec said.


In one instance, the breach functioned as a conduit to deploy a downloader with a digitally signed certificate from Microsoft, which subsequently was used to retrieve and install PlugX from a remote server.

The modular implant gives attackers a secret backdoor on infected platforms so they can go on to install additional payloads, execute commands, capture keystrokes, enumerate files, and track running processes, among others.

The findings shed light on the continued use of Microsoft-signed malware by threat actors to conduct post-exploitation activities and bypass security protections.

That having said, it’s unclear where Carderbee is based or what its ultimate goals are, and if it has any connections to Lucky Mouse. Many other details about the group remain undisclosed or unknown.

“It seems clear that the attackers behind this activity are patient and skilled actors,” Symantec said. “They leverage both a supply chain attack and signed malware to carry out their activity in an attempt to stay under the radar.”

“The fact that they appear to only deploy their payload on a handful of the computers they gain access to also points to a certain amount of planning and reconnaissance on behalf of the attackers behind this activity.”

Related Articles

Back to top button