ScanBox Framework Used By Chinese Hackers in Recent Cyber Espionage Attacks

Chinese nation-state groups conducted a months-long cyber espionage campaign using reconnaissance malware to gain information about its targets and accomplish its objectives. 

According to a Tuesday report by Proofpoint’s Threat Research Team and PwC’s Threat Intelligence team, cyber-espionage campaigns are believed to have begun April 2022 through mid-June 2022. 

The targets include local and federal Australian government agencies, Australian news media companies, and global heavy industry manufacturers that maintain wind turbine fleets in the South China Sea.

“The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea,”  highlighted Proofpoint in their report.

Proofpoint and PwC attributed the intrusions with moderate confidence to a threat actor known as TA423 and Red Ladon, respectively, which is also known as APT40 and Leviathan.

APT40(Advanced Persistent Threat 40) is a China-based, espionage-motivated threat actor that has been active since 2013 and has a trend of striking organizations in the Asia-Pacific region, with a main focus on the South China Sea. The US government and its allies linked the attacker’s collective to China’s Ministry of State Security in July 2021. (MSS).

Between April 12 and June 15, attacks took the form of several phishing campaign waves that used URLs posing as Australian media firms to deliver the ScanBox reconnaissance framework. The subject lines of the phishing emails included phrases like “Sick Leave,” “User Research,” and “Request Cooperation.”


Unlike watering holes or strategic web compromises, in which a legitimate website visited by the targets is infected with malicious JavaScript code, the APT40 activity uses an actor-controlled domain to deliver the malware.

“The threat actor would frequently pose as an employee of the fictional media publication ‘Australian Morning News,’ providing a URL to the malicious domain and soliciting targets to view its website or share research content that the website would publish,” the researchers said.

ScanBox is a JavaScript-based malware that has been used in attacks since 2014. It allows threat actors to profile their victims as well as deliver next-stage payloads to targets of interest. It’s also known to be privately shared by a number of China-based hacking groups, including HUI Loader, PlugX, and ShadowPad.

APT10 (aka Red Apollo or Stone Panda), APT27 (aka Emissary Panda, Lucky Mouse, or Red Phoenix), and TA413 are some of the notable threat actors who have previously been observed using ScanBox (aka Lucky Cat).

A number of plugins are also retrieved and executed by the malware in the victim’s web browser, allowing it to log keystrokes, fingerprint the browser, collect a list of browser add-ons installed, communicate with infected machines, and check for the presence of Kaspersky Internet Security (KIS) software.

This is not the first time APT40 has used fake news websites to distribute ScanBox. Mandiant discovered a 2018 phishing campaign that used news article URLs hosted on a rogue domain as lures to trick recipients into downloading malware.

Interestingly, the April-June attacks are part of a long-term phishing campaign linked to the same threat actor that targets Malaysian and Australian organizations, as well as global companies potentially involved in offshore energy projects in the South China Sea from March 2021 to March 2022.

Malicious RTF documents were used in these attacks to deliver a first-stage downloader, which then served as a conduit to retrieve encoded versions of the Meterpreter shellcode. In March 2022, one of the victims of this campaign was a European manufacturer of heavy equipment used in offshore wind farms in the Taiwan Strait.

That isn’t all. APT40 has also been linked to the Copy-Paste Compromises revealed by the Australian Cyber Security Centre (ACSC) in June 2020, which targeted government agencies.

“This threat actor has demonstrated a consistent focus on entities involved in South China Sea energy exploration, in tandem with domestic Australian targets such as defense and healthcare,” the researchers said.

9 thoughts on “ScanBox Framework Used By Chinese Hackers in Recent Cyber Espionage Attacks”

  1. Thank you very much for sharing. Your article was very helpful for me to build a paper on gate.io. After reading your article, I think the idea is very good and the creative techniques are also very innovative. However, I have some different opinions, and I will continue to follow your reply.

  2. Your article gave me a lot of inspiration, I hope you can explain your point of view in more detail, because I have some doubts, thank you.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top