Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations

Khushal

Apr 4, 2024

Overview

Oasis Security identified attacker-controlled infrastructure hosted on Microsoft Azure infrastructure in the Malaysia West region, used to conduct a targeted intrusion campaign against multiple Malaysian organizations.

The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration.

Key characteristics of this campaign include:

  • Custom Python exfiltration framework: Target-specific scripts developed for database access, enumeration, and data staging across multiple government domains
  • Chained Laravel RCE exploitation: Five chained vulnerabilities leveraged to achieve remote code execution against a Malaysian mobile network operator's customer identity verification platform
  • Previously undisclosed C2 tooling: Source code for an unpublished C# beacon and a Python-based C2 controller collected from attacker infrastructure
This appears to describe a serious and targeted intrusion campaign, but the safest takeaway is to treat the blog post as one source of reporting rather than a final attribution or full picture.

What stands out technically

  • The reported use of target-specific Python tooling suggests the operators were not relying only on generic commodity malware. That usually points to a more focused operation with pre-planned objectives.
  • The mention of custom scripts for enumeration, database access, and exfiltration is important because it implies the attackers adapted their tooling to each environment, which can reduce detection by signature-based controls.
  • If the Laravel RCE chain is accurate, that is a strong reminder that internet-facing applications can become the initial access point even when endpoint protections are in place.
  • The claim about undisclosed C2 tooling is notable, but that still needs to be evaluated carefully by defenders and other researchers before drawing broader conclusions about the actor or campaign scope.

Why Azure hosting matters, but should not be overinterpreted

Infrastructure hosted on Microsoft Azure does not mean Microsoft was involved. Attackers commonly rent VPS or cloud resources from legitimate providers because they are easy to obtain, blend into normal traffic, and can be rotated quickly.

So the relevant point is not the cloud brand, but the fact that trusted cloud infrastructure can be abused as attacker C2 and staging infrastructure.

Defender takeaways

  • Review exposure of public-facing Laravel and other web applications, especially anything handling identity, onboarding, or customer records.
  • Hunt for unusual Python execution on servers where Python is not normally part of business workflows.
  • Check for outbound connections to newly observed cloud-hosted endpoints, especially from application servers and database-adjacent systems.
  • Audit database access patterns for abnormal queries, bulk export behavior, or access at unusual times.
  • Preserve logs from web servers, EDR, firewall, DNS, identity systems, and database platforms because targeted intrusions are often reconstructed only by correlating multiple log sources.

A note on confidence

Without independently reviewing the indicators, malware samples, infrastructure data, and vendor or victim confirmations, I cannot verify every claim in the report safely. But as a threat-intelligence case study, it is a useful reminder that custom post-exploitation tooling and cloud-hosted C2 remain very practical for targeted operations.

Bottom line

If the reporting is accurate, this is less interesting as a “new malware family” story and more important as an example of tailored intrusion tradecraft against specific organizations. The practical lesson is to strengthen web app patching, monitor for abnormal scripting activity, and treat unusual cloud outbound traffic as worth investigating.
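As an added illustration of two of the defender takeaways above (hunting for Python execution where it is not part of normal workflows, and for outbound connections to newly observed endpoints from application and database servers), here is a small hunting helper. It is example code written for this thread, not tooling from the post or from Oasis Security; the log lines, host names, baselines and field names (host, image, cmdline, dst_ip, dst_port) are all constructed assumptions rather than a specific product's schema.

```python
"""Hunt helper for two takeaways: unexpected Python execution on servers, and
first-seen outbound destinations from application/database hosts.
All events and baselines below are constructed for the example."""

# Interpreter binary names treated as Python (python3.11 etc. handled in is_python).
PYTHON_IMAGES = ("python", "python3")

# Constructed baseline: hosts where Python is part of normal business workflows,
# mapped to the directories their sanctioned scripts live in.
PYTHON_BASELINE = {
    "data01": ("/opt/etl/",),
}

# Constructed baseline of outbound destinations per host ("ip:port") observed over
# a prior learning window. Anything outside it from a server is "first seen".
OUTBOUND_BASELINE = {
    "web01": {"10.0.5.10:3306", "10.0.9.2:53"},
    "data01": {"10.0.9.2:53"},
}

# Constructed process-creation events (field names are assumptions).
PROCESS_EVENTS = [
    {"host": "web01", "user": "www-data", "image": "/usr/bin/python3",
     "cmdline": "python3 /tmp/.cache/enum.py"},
    {"host": "data01", "user": "etl", "image": "/usr/bin/python3.11",
     "cmdline": "python3.11 /opt/etl/nightly.py"},
    {"host": "data01", "user": "etl", "image": "/usr/bin/python3",
     "cmdline": "python3 /dev/shm/dump.py"},
    {"host": "web01", "user": "www-data", "image": "/usr/sbin/nginx",
     "cmdline": "nginx: worker process"},
]

# Constructed outbound connection events; 203.0.113.0/24 is a documentation range.
NETWORK_EVENTS = [
    {"host": "web01", "dst_ip": "10.0.5.10", "dst_port": 3306},
    {"host": "web01", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"host": "web01", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"host": "data01", "dst_ip": "203.0.113.45", "dst_port": 8443},
    {"host": "data01", "dst_ip": "10.0.9.2", "dst_port": 53},
]


def is_python(image: str) -> bool:
    """True if the executed image is a Python interpreter (python, python3, python3.x)."""
    name = image.rsplit("/", 1)[-1]
    return name in PYTHON_IMAGES or name.startswith("python3.")


def script_path(cmdline: str) -> str:
    """Heuristic: first non-flag argument after the interpreter, e.g. the script path."""
    for part in cmdline.split()[1:]:
        if not part.startswith("-"):
            return part
    return ""


def hunt_python_execution(events, baseline=PYTHON_BASELINE):
    """Flag Python runs on hosts with no Python baseline, or scripts outside
    the sanctioned directories. Returns (host, reason, cmdline) tuples."""
    findings = []
    for ev in events:
        if not is_python(ev["image"]):
            continue
        allowed_dirs = baseline.get(ev["host"])
        if allowed_dirs is None:
            findings.append((ev["host"], "python on host with no Python baseline", ev["cmdline"]))
        elif not any(script_path(ev["cmdline"]).startswith(d) for d in allowed_dirs):
            findings.append((ev["host"], "python script outside sanctioned directory", ev["cmdline"]))
    return findings


def hunt_first_seen_outbound(events, baseline=OUTBOUND_BASELINE):
    """Flag each destination a host contacts for the first time relative to the
    baseline, reporting it once. Returns (host, reason, 'ip:port') tuples."""
    findings = []
    seen = {host: set(dsts) for host, dsts in baseline.items()}  # copy, do not mutate baseline
    for ev in events:
        key = f"{ev['dst_ip']}:{ev['dst_port']}"
        known = seen.setdefault(ev["host"], set())
        if key not in known:
            known.add(key)
            findings.append((ev["host"], "first-seen outbound destination", key))
    return findings


if __name__ == "__main__":
    for finding in hunt_python_execution(PROCESS_EVENTS) + hunt_first_seen_outbound(NETWORK_EVENTS):
        print(*finding, sep=" | ")
```

In practice the baselines would be learned from a window of EDR process telemetry and firewall or NetFlow records rather than typed in, and both hunts are triage filters, not verdicts: a first-seen destination is a lead to check against the web, DNS and database logs the post recommends preserving.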