A persistent cyber espionage campaign, dubbed ‘Crimson Palace’ by researchers, continues to plague government organisations across Southeast Asia. Sophos released a new report on Tuesday detailing ongoing attacks by three sophisticated Chinese cyberespionage groups.
The report, which builds on June’s findings, reveals that despite attempts to thwart their operations, the hackers—referred to as Cluster Alpha, Cluster Bravo, and Cluster Charlie—have ramped up their activities. These groups, linked to Chinese state-backed entities like APT15 and APT41, have targeted a range of government agencies in the region.
“We’ve been engaged in a continuous chess match with these adversaries,” said Paul Jaramillo, Sophos’ director of threat hunting and threat intelligence. The groups, which have previously shared infrastructure and tools, are expanding their reach, posing threats to new organisations.
Following a period of dormancy, Cluster Charlie resumed attacks on a high-level government entity in early 2024, demonstrating the groups’ resilience and adaptability. The hackers are using advanced tactics, including a novel malware called “Tattletale,” designed to impersonate users and extract sensitive information such as passwords and security settings.
The Crimson Palace campaign has led to significant data breaches, with the attackers exfiltrating sensitive documents, cloud infrastructure keys, and IT configuration data. The groups have also employed compromised organisations as staging points for further attacks.
“The threat actors have been strategic in leveraging compromised environments to deliver malware,” Jaramillo noted. The attacks, which have targeted at least 11 organisations including public service entities, highlight a broader pattern of Chinese cyberespionage amid rising geopolitical tensions in the South China Sea.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543