So What Else is New?

A Chinese cyber espionage group targeting organizations and individuals in China and Japan has remained under the radar for roughly five years, cybersecurity firm ESET reports.  Tracked as Blackwood and active since at least 2018, the Advanced Persistent Threat (APT) actor has been using Adversary-in-the-Middle (AitM) attacks to deploy a sophisticated implant via the update mechanisms of legitimate software such as Sogou Pinyin, Tencent QQ, and WPS Office.[1]

Blackwood attacks are characterized by the deployment of NSPX30, a sophisticated implant that includes a backdoor, a dropper, installers, loaders, and an orchestrator, and which can hide its Command-and-Control (C&C) communication through packet interception.  NSPX30 has been used against a small number of victims, including individuals in China and Japan, a Chinese-speaking individual linked to a British research university, a manufacturing and trading business in China, and a Japanese engineering and manufacturing firm.  NSPX30 appears to be the successor of a 2005 backdoor named Project Wood that has served as a code base for various implants, including the 2008 DCM (aka Dark Specter), from which NSPX30 is derived.

Public reporting shows that Project Wood was used in several attacks in the past, including a 2011 incident targeting a political figure from Hong Kong via spearphishing. The malware featured a loader and a backdoor that could collect system and network details, log keystrokes, and take screenshots.  Malware derived from the backdoor and featuring capabilities seen in DCM was also used in a 2014 cyberespionage campaign dubbed TooHash, which investigators attribute to the Gelsemium APT.  Like DCM, NSPX30 relies on AitM attacks for delivery and can also allowlist itself in several Chinese antimalware solutions.  However, it has a different component configuration, with operations divided into two stages and DCM’s code split into smaller components.


Blackwood likely deploys an implant on the victims’ networks, possibly on vulnerable routers and gateways, and then uses it to intercept unencrypted HTTP traffic related to updates and deliver NSPX30’s dropper instead.  When launched, the backdoor creates a passive UDP listening socket with a port the operating system assigns.  The same port is likely used for listening for commands and data exfiltration, with the network implant responsible for forwarding the packets.
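
The delivery path described above depends on update traffic crossing the network as unencrypted HTTP. As an added example (not from ESET's report or the original article), this Python sketch scans proxy log lines for that exposure, including the case where a response labelled as non-executable carries a Windows executable. The log format, field names, addresses and hosts are constructed assumptions, as is the proxy recording the first bytes of each response body.

```python
import csv
import io

# Constructed proxy log in an assumed CSV layout (not any real product's format):
# time, client, scheme, host, path, content_type, body_magic (first response bytes, hex)
SAMPLE_LOG = """\
2024-01-01T09:00:01Z,10.0.0.5,https,update.vendor.example,/v2/pkg.exe,application/octet-stream,4d5a9000
2024-01-01T09:00:07Z,10.0.0.5,http,update.vendor.example,/check/version.xml,text/xml,3c3f786d
2024-01-01T09:00:09Z,10.0.0.8,http,update.vendor.example,/dl/setup.exe,application/octet-stream,4d5a9000
2024-01-01T09:00:15Z,10.0.0.9,http,update.vendor.example,/check/version.xml,text/xml,4d5a9000
"""

FIELDS = ["time", "client", "scheme", "host", "path", "content_type", "body_magic"]
EXEC_EXT = (".exe", ".dll", ".msi", ".cab")
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/vnd.microsoft.portable-executable"}
PE_MAGIC = "4d5a"  # "MZ", the first two bytes of a Windows PE file


def classify(row):
    """Return None, 'cleartext-executable' or 'type-mismatch' for one request."""
    if row["scheme"].lower() != "http":
        return None  # only cleartext transfers are in scope for this check
    is_pe = row["body_magic"].lower().startswith(PE_MAGIC)
    declared_exec = (row["path"].lower().endswith(EXEC_EXT)
                     or row["content_type"].lower() in EXEC_TYPES)
    if is_pe and not declared_exec:
        # Body is an executable although the request and headers say otherwise:
        # consistent with a response replaced on the network path.
        return "type-mismatch"
    if is_pe or declared_exec:
        # Executable fetched without transport protection: open to substitution.
        return "cleartext-executable"
    return None


def scan(log_text):
    """Return (client, url, verdict) for every flagged line in the log."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        verdict = classify(row)
        if verdict:
            findings.append((row["client"], row["host"] + row["path"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```
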

Researchers have observed victims located outside of China, in Japan and the United Kingdom, against whom the actor was able to deploy the backdoor.  The attackers then sent commands to the backdoor to download plugins; for example, the victim from the UK received two plugins designed to collect information and chats from Tencent QQ, showing that the AitM system was in place and working, and that the exfiltration application was working too.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   



