A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer.

“The operation was active for more than a year with the end goal of compromising credentials and data exfiltration,” Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.

Evidence gathered by the Romanian cybersecurity firm shows that the campaign – dubbed RedClouds – started in early 2022. The targeting aligns with the interest of China-based threat actors.

In the early phases, the operation relied on readily available remote access and post-exploitation tools like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.

A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.
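As an added illustration (not code from the article or from Bitdefender), the following PowerShell audit lists Microsoft Defender's configured exclusion paths and flags any that leave System32 or Program Files unscanned, the blind spot the campaign exploited. Get-MpPreference is the built-in Defender cmdlet; the $SensitiveRoots list and the prefix-matching logic are this example's own assumptions.

```powershell
# Added example: flag Defender exclusions that cover System32 or Program Files.
# Get-MpPreference is the built-in Defender cmdlet; everything else here is
# this example's own assumption about what counts as a risky exclusion.

$SensitiveRoots = @(
    "$env:SystemRoot\System32",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Get-RiskyDefenderExclusions {
    $exclusions = (Get-MpPreference).ExclusionPath
    if (-not $exclusions) { return }

    foreach ($raw in $exclusions) {
        # Exclusions may use %VAR% syntax and trailing wildcards; normalise
        # each one to a lower-case directory prefix for comparison.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $prefix   = $expanded.TrimEnd('\', '*').ToLowerInvariant()
        if ($prefix.Length -eq 0) { continue }
        $prefix  += '\'

        foreach ($root in $SensitiveRoots) {
            # Risky if the exclusion sits inside a sensitive root, or if it
            # is a parent (e.g. a whole drive) that swallows the root.
            if ($prefix.StartsWith($root) -or $root.StartsWith($prefix)) {
                [pscustomobject]@{
                    Exclusion  = $raw
                    CoversRoot = $root
                    Kind       = if ($prefix.StartsWith($root)) { 'inside-root' } else { 'parent-of-root' }
                }
            }
        }
    }
}

$risky = @(Get-RiskyDefenderExclusions)
if ($risky.Count -eq 0) {
    Write-Output 'No Defender exclusions cover System32 or Program Files.'
} else {
    $risky | Format-Table -AutoSize
}
```

Run it in an elevated or standard PowerShell session on the endpoint being reviewed; each flagged row is an exclusion worth justifying or removing, since payloads dropped beneath it are never scanned.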