Chinese hackers abuse VLC Media Player to launch malware loader (long-running campaign)


Level 37
Thread author
Top Poster
Feb 4, 2016
Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.
The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents.

This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.

Using VLC to deploy custom malware loader​

The start of Cicada’s current campaign has been tracked to mid-2021 and was still active in February 2022. Researchers say that this activity may continue today.
There is evidence that some initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines.

Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.