Operation SalmonSlalom

Description

(Kaspersky) A Kaspersky ICS CERT investigation uncovered a cyberthreat specifically targeting various industrial organizations in the Asia-Pacific region. The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection. Their techniques included the use of a native file hosting CDN, publicly available packers for sample encryption, dynamic changes in command and control (C2) addresses, a CDN hosting the payload, and the use of DLL sideloading.

Names

Name	Name-Giver
Operation SalmonSlalom	Kaspersky

Country

• China

Motivation

• Information theft and espionage

First Seen

2025

Observed Sectors

• Construction
• Financial
• Government
• Healthcare
• IT
• Manufacturing
• Telecommunications

Observed Countries

• China
• Hong Kong
• Japan
• Malaysia
• Philippines
• Singapore
• South Korea
• Taiwan
• Thailand
• Vietnam

Tools

• FatalRAT

Information

• https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/

Other Information

Uuid

98b23cd0-b341-47a8-85cb-5aeb9df8b974

Last Card Change

2025-03-02