Infrastructure-Centric Espionage: China-Linked Actors Compromise Southeast Asian Edge Routers
A sophisticated espionage campaign, attributed to China-nexus threat actors, is currently targeting organizations across Southeast Asia.
Unlike traditional attacks that focus on individual workstations, this operation utilizes an infrastructure-centric approach by compromising Linux-based edge routers. By establishing a foothold at the network perimeter, attackers gain the ability to manipulate downstream traffic and bypass many endpoint-centric security solutions.
The campaign employs a dual-platform strategy: a custom 64-bit Linux ELF implant on the router to control the gateway, paired with a cracked Cobalt Strike Beacon on Windows endpoints to maintain unified command-and-control (C2) over the entire environment.

The Perimeter Foothold: Linux-Based Router Exploitation
As detailed in recent technical analysis by Qiita, the attackers target Linux-based border gateways to achieve root-level access. This positioning allows them to monitor, redirect, or weaponize every packet entering or exiting the network.
Payload Analysis: router.elf
The primary payload, router.elf, is a highly optimized, statically linked, and stripped x86-64 binary. The use of Position-Independent Executable (PIE) compilation and symbol stripping indicates a high level of tradecraft designed to complicate memory forensics and reverse engineering.
To evade detection, the implant utilizes several advanced obfuscation techniques:
- Multi-layered Encryption: Configuration data (C2 domains and HTTP profiles) is protected via a custom Xorshift-based stream cipher layered over a standard XOR routine.
- Runtime De-obfuscation: Sensitive strings, such as file paths and process names, are obfuscated with a single-byte XOR routine and only decrypted in memory during execution.
- DNS over HTTPS (DoH): To circumvent traditional DNS monitoring (Port 53), the implant resolves C2 domains through Cloudflare’s DoH endpoint (
cloudflare-dns.com), effectively hiding its resolution activity within encrypted HTTPS traffic.

Traffic Hijacking and Persistence
The adversary achieves a Man-in-the-Middle (MitM) position by injecting iptables DNAT rules. These rules redirect all internal UDP port 53 traffic to an attacker-controlled listener on non-standard port 8090. By utilizing an ipset (e.g., evil_fix), they can selectively hijack traffic destined for specific high-value domains, such as security vendor update sites or software repositories.
For redundancy, a secondary backdoor, client_rc_start, is deployed alongside the primary implant. This ensures that even if router.elf is purged, the actor can re-establish access and re-apply persistence mechanisms.
Endpoint Escalation: Cobalt Strike Operations
Once the perimeter is secured, the attackers deploy a cracked Cobalt Strike 4.4 Beacon on Windows systems using DLL sideloading. A malicious version.dll is loaded by legitimate-looking processes like CrashReport.exe located in the %allusersprofile% directory.
The Windows Beacon is architecturally synchronized with the router implant. Both use the same C2 URI patterns (/api/v1/get and /api/v1/post) and share similar HTTP header structures, including Mandarin-language preferences (Accept-Language: zh-CN). This shared infrastructure backbone confirms that a single operator is managing the complete kill chain, from the edge router to the internal endpoint.
Indicators of Compromise (IOCs)
C2 Domains:
| Domain | Usage |
|---|---|
contextlayerrun[.]com |
Router implant C2 |
specialclouds[.]com |
CS Beacon C2 |
specialclouds[.]top |
CS Beacon C2 |
namefilecode[.]com |
CS Beacon C2 |
valuecode[.]top |
Associated C2 |
windowsweatherkb[.]top |
Associated C2 |
function.windowsoftmessages[.]com |
Associated C2 |
perfectgo[.]top |
Associated C2 |
safelyhome[.]top |
Associated C2 |
discovercoded[.]com |
Associated C2 |
File Indicators
| Filename | MD5 / SHA256 | Description |
|---|---|---|
| router.elf | 6401cdc783b4afcbcc294954b4cc5dd2 |
Linux router RAT (Primary) |
| router.elf | 6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae |
SHA256 hash |
| client_rc_start | 92ED4D259940D4294190E60ADD5CC587 |
Secondary router backdoor |
| version.dll | 20C196FD5CF9A4845D048006321A52B8 |
CS Beacon DLL sideload payload |
Note: Analysts are advised to re-fang these indicators only within secure environments.