Skip to main content

Chinese Hackers Targeting Foreign Governments Across The World.


Phishing is still one of the widely used strategies by cybercriminals and espionage groups to gain an initial foothold on the targeted systems.

Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has slowed down the success of phishing and social engineering attacks over the years.

Since phishing is more sort of a one-time opportunity for hackers before their victims suspect it and likely won't fall for the same trick again, sophisticated hacking groups have started putting a lot of effort, time and research to design well-crafted phishing campaigns.

In one such latest campaign discovered by cybersecurity researchers at Check Point, a Chinese hacking group, known as Rancor, has been found conducting very targeted and extensive attacks against Southeast Asian government entities from December 2018 to June 2019.


What's interesting about this ongoing 7-month long campaign is that over this period, the Rancor group has continuously updated tactics, tools, and procedures (TTP) based on its targets in an effort to come up with phishing email contents and lure documents appear being as convincing as possible.

"The observed attacks started with emails sent on behalf of employees from different government departments, embassies, or government-related entities in a Southeast Asian country," reads a report published by CheckPoint and privately shared with The Hacker News prior to its release.

"The attackers appeared determined to reach certain targets, as tens of emails were sent to employees under the same ministries. Furthermore, the emails' origin was likely spoofed to make them seem more reliable."

Continuously Evolving Tactics, Tools, and Procedures

Researchers discovered different combinations of TTP based on their timeline, delivery, persistence, and payloads, and then combined them into 8 major variants, as listed below in this article.

Each attack variant started with a classic spear-phishing email containing a malicious document designed to run macros and exploit known vulnerabilities to install a backdoor on the victims' machines and gain full access to the systems.

hacking-tools

Most of the delivery documents in this campaign contained legitimate government-related topics, like instructions for governmental employees, official letters, press releases, surveys, and more, appeared to be sent from other government officials.

Interestingly, as part of the infection chain, in most campaigns, attackers also bring their own legitimate, signed and trusted executables of major antivirus products to side-load malicious DLLs (dynamic link library) files to evade detection, especially from behavioral monitoring products.

hacking

As shown in the illustrations above, the abused legitimate executables belong to antivirus products including a component of Avast antivirus, BitDefender agent and Windows defender.

Web Application Firewall

Though the attack chains involve fileless activities like usage of VBA macros, PowerShell code, and legitimate Windows built-in tools, this campaign is not designed to achieve a fileless approach as the researchers told The Hacker News that other parts of the campaign expose malicious activities to the file system.

"To date, we have not seen such a persistent attack on a government; the same attacks were targeted for 7 months. We believe that the US Government should take note," researchers warned as the US elections are near.

"To attack the US Government, these Chinese hackers wouldn't need to change much, except making their lure documents all in English, and include themes that would trigger the interest of the victim so that the victim would open the file."

Rancor hacking group has previously been found attacking Cambodia and Singapore and continued its operations against entities within the Southeast Asia region, and this time the group has put 7 months of its effort on targeting the Southeast Asian government sector.

"We expect the group to continue to evolve, constantly changing their TTPs in the same manner as we observed throughout the campaign, as well as pushing their efforts to bypass security products and avoid attribution," the researchers conclude.

To learn more about the Rancor group and its latest campaign, you can head on to the CheckPoint report titled, "Rancor: The Year of the Phish".











Comments

Post a Comment

Popular posts from this blog

Ambassador Angualia Richard Perished in a Fatal Accident.

Story by Osuta Yusuf. Arua City. 29-7-2025. 📸: Portrait of Ambassador Angualia Richard. Courtesy Photo. Former Uganda's Ambassador to Egypt, Ambassador Angualia Louis Richard has been reported dead this evening 5pm 28-7-2025 after he was involved in a head-on collision accident with another motorcycle rider near Abi Farm, Ayivu East Constituency in Arua City. 📸: Photos from the scene of the Accident. Courtesy Photos. He met his death this evening while riding on a Bajaj Motorcycle. Amb. Angualia, who contested in 2011 for Maracha County but lost to Hon Alex Onzima Adrooa. In 2016 when two Constituencies were created in Maracha District, carving Maracha Constituency and Maracha East constituency, Ambassador Angualia contested for Maracha Constituency MP position in 2016 but lost to Hon Oguzu Lee Denis. Ambassador Angualia later shifted to contest in Maracha East Constituency but again lost to Hon Ruth Lematia Molly Ondoru during the 4-September-2020...
1 comment
Read more

Lab Student Drowned, Body Missing in Rokoze Lake in Nyadri Sub-county, Maracha District.

Maracha District.  5-December-2025. 📸: Residents gathered around the lake as they searched the missing body of the student. Photo by #Information_is_Power's news reporter.  This afternoon Friday 5-December-2025, a student from St Joseph Laboratory Training School in Maracha hospital, a one  Araku Denis drowned in Rokoze water body in Nyadri Sub-county and the  body has not been retrieved upto this night as the police and residents searched for it and in vain but they are expected to resume retrieving it tomorrow Saturday 6-December-2025. 📸: Photo of the deceased which we captured on his phone screen this night. Araku and his fellow students had  reportedly gone to pass time at water point after completing exams papers of today. Him and callagues got attracted to swimming at water body where he perished.  By press time, efforts to retrieve his body proved futile as the body remains invisible on water surface.  Rokoze water body...
Post a Comment
Read more

Famous Arua City TikToker Arrested on Allegations of Lesbianism Act.

Arua City. 20-2-2026. A famous TikToker from Arua City, WestNile region, in the names of Torrero Bae was arrested on Wednesday 18-2-2026 and taken to Onduparaka Police Station on Allegations of engaging in Lesbianism acts with another girl. Story excerpts from the Facebook account of Kawawa Michael.  📸: Part of the screenshot  📸: Screenshot from Facebook.  I have spoken to a reliable source from Onduparaka Div police HQS  As concerns the case of these girls  It's true they have confessed to being lesbians and the whole of their dancing group is involved  She comes from a good family and the mother is a teacher by profession I will hide her names  It's alleged that she started her lesbiansim from school that is why she ran away from the mother that is according to her mother who was present at Onduparaka today  Police is trying to apprehend the whole group then make a decision on the file at the moment other...
Post a Comment
Read more