Marine Pichon and Alexis Bonnefoi of Orange Cyberdefense report:
Last year, Orange Cyberdefense’s CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors.
Somewhat similar TTPs and payloads have been publicly mentioned in a write-up from HackersEye’s DFIR team.
In at least two cases, the intrusion ended up with the execution on victims’ systems of a custom, previously undocumented ransomware payload we dubbed NailaoLocker.
Our World Watch CTI team does not associate this campaign with a known threat group. Nevertheless, we assess with medium confidence that the threat actors do align with typical Chinese intrusion sets.
Read more at Orange Cyberdefense.