Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.
The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents.
This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.
Using VLC to deploy custom malware loader
The start of Cicada’s current campaign has been tracked to mid-2021 and was still active in February 2022. Researchers say that this activity may continue today.
There is evidence that some initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines.
Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.