For decades, Russian and eastern European hackers have dominated the cybercrime underworld. These days they may face a challenge from a new contender: China.
Researchers at cybersecurity firm Proofpoint say they have detected an increase in the spread of Chinese-language malware through email campaigns since early 2023, signaling a surge in Chinese cybercrime activity and a new trend in the global threat landscape.
“We basically went from drought to flood here,” said Selena Larson, senior threat intelligence analyst at Proofpoint and one of the authors of a new Proofpoint report on Chinese malware.
The increase, Larson said, could be due to several factors.
“There might be increased availability, there might be an ease of access to some of this malware, (and there might be) just increased activity by Chinese-speaking cybercrime threat actors as a whole,” Larson said in an interview.
While Russian-speaking actors continue to dominate cybercrime networks, the Proofpoint report says the recent surge in Chinese-language malware “may challenge the dominance that the Russian-speaking cybercrime market has on the threat landscape.”
Malware delivered via email
The hackers behind the Chinese campaigns use a type of malicious software known as a Remote Access Trojan, or RAT. This malware is delivered via email and, once installed, gives the cybercriminals remote control of the infected computer, allowing them to steal data or perform other malicious actions.
The Chinese-language malware, delivered in fake invoices sent to unsuspecting businesses and other targets, is linked to suspected Chinese cybercrime operations, according to Proofpoint.
The cybercriminals have used several types of malware to carry out hacking operations.
One of them, called Sainbox, targeted dozens of companies, mostly in the manufacturing and technology sectors, in May. Other recently identified malware, dubbed ValleyRAT, was deployed in at least six hacking campaigns in 2023.
“Campaigns are generally low-volume and are typically sent to global organizations with operations in China,” the report says.
The email subjects and content are usually written in Chinese, and are typically related to invoices, payments, and new products, according to the report.
The targeted users have Chinese names spelled with Chinese characters, or corporate email addresses linked to businesses operating in China, the report says.
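The campaign profile described above (Chinese-language subjects about invoices, payments or new products; recipients with Chinese names or China-linked corporate addresses; low volume) is the kind of pattern a mail-security team turns into a triage score. The following is an added example written for this article, not Proofpoint's detection logic or any vendor's product code. The sample messages are constructed with placeholder domains, the `.cn` recipient-domain check is an assumed proxy for "business operating in China", and the list of risky attachment extensions is a general defensive assumption rather than anything the report states.

```python
import re

# Constructed sample messages for illustration; they are not from the Proofpoint
# report and the domains are placeholders.
SAMPLE_MESSAGES = [
    {   # Matches the described profile: Chinese invoice lure, China-linked recipient
        "subject": "发票 2023-05 付款通知",  # "Invoice 2023-05 payment notice"
        "from": "billing@supplier.example",
        "to": "zhang.wei@factory.example.cn",
        "attachments": ["invoice_202305.exe"],
    },
    {   # Benign English newsletter
        "subject": "Quarterly newsletter",
        "from": "news@list.example",
        "to": "jane.doe@corp.example",
        "attachments": ["newsletter.pdf"],
    },
    {   # Ordinary Chinese quotation: language alone must not get it flagged
        "subject": "新产品报价单",  # "New product quotation"
        "from": "sales@vendor.example",
        "to": "li.na@corp.example",
        "attachments": ["quote.pdf"],
    },
]

CJK_RE = re.compile(r"[\u4e00-\u9fff]")  # CJK Unified Ideographs block
# Lure vocabulary taken from the themes the report names: invoices, payments, new products.
LURE_TERMS = ("发票", "付款", "新产品", "invoice", "payment", "new product")
# Assumed list of attachment types that should never arrive as an "invoice".
RISKY_EXT = (".exe", ".scr", ".iso", ".lnk", ".js", ".vbs", ".bat", ".msi")
FLAG_THRESHOLD = 3


def score_message(msg):
    """Score one message against the campaign profile; returns (score, reasons)."""
    score, reasons = 0, []
    subject = msg.get("subject", "")
    if CJK_RE.search(subject):
        score += 1
        reasons.append("chinese_subject")
    if any(term in subject.lower() for term in LURE_TERMS):
        score += 1
        reasons.append("invoice_payment_lure")
    # Assumed proxy for "business operating in China": recipient domain under .cn.
    # A real deployment would use its own directory or asset data instead.
    recipient_domain = msg.get("to", "").rsplit("@", 1)[-1].lower()
    if recipient_domain.endswith(".cn"):
        score += 1
        reasons.append("china_linked_recipient")
    if any(name.lower().endswith(RISKY_EXT) for name in msg.get("attachments", [])):
        score += 1
        reasons.append("executable_attachment")
    return score, reasons


def triage(messages, threshold=FLAG_THRESHOLD):
    """Return [(subject, score, flagged)] for analyst review; this is not a block list."""
    results = []
    for msg in messages:
        score, _ = score_message(msg)
        results.append((msg["subject"], score, score >= threshold))
    return results


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        print(f"{score}  {msg['subject']}  {reasons}")
```

Because the report describes these campaigns as low-volume and aimed at organizations that legitimately exchange Chinese-language invoices, a single signal such as a Chinese subject line is worthless on its own; the score only becomes interesting when the lure theme coincides with an executable attachment and a recipient that fits the targeting, which is why the third sample stays below the threshold.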
Larson said the proliferation of Chinese-language malware suggests cybercrime remains lucrative and attractive to actors beyond eastern Europe.
“It may indicate Chinese speakers who conduct cybercrime operations might want to maybe take a larger slice of the financial gain,” Larson said.
Cybercrime hurts economy
Cybercrime is a booming industry that poses a grave threat to the global economy. The FBI estimates cybercriminals inflicted potential losses of more than $10 billion in 2022, a 43% increase from the previous year.
While China is accused of carrying out state-sponsored cyberattacks against the United States, most of the ransomware attacks and other cybercrime in recent years have been chalked up to eastern European groups.
Proofpoint is not the only cybersecurity firm reporting on Chinese-language malware in recent months.
In February, digital security firm ESET said it had identified a malware campaign that targeted Chinese speakers in Southeast and East Asia by buying misleading ads that appeared in Google search results.
The campaign used the malware known as Sainbox or FatalRAT, the type that Proofpoint said it had detected in 20 campaigns this year.