Naikon (G0019) Threat Profile: Persistent Chinese Cyber Espionage
- Suspected Origin
- China
- Motivation
- Espionage, Geopolitical Intelligence
- Aliases
- None documented
- Target Sectors
- Government, Military, Civil Organizations, Diplomatic Missions, Telecommunications, Energy, Law Enforcement, Media, Government-owned Companies, Science and Technology, Civil Aviation
- Associated Malware
- Aria-body, Nebulae, RainyDay, XsFunction, MsnMM, RARSTONE, Vyper, ARL, EnrollLogger, PlugX
Overview
Naikon (G0019) is a highly persistent and adaptive state-sponsored cyber espionage group, widely attributed to the Chinese People’s Liberation Army (PLA). Specifically, intelligence links the group to the Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020), with more recent analysis suggesting ties to the Southern Theatre Command. Active since at least 2010, and possibly as early as 2009, Naikon’s primary motivation is geopolitical intelligence gathering and information theft.
This actor is particularly focused on Southeast Asia and the South China Sea region, reflecting clear strategic interests. Their typical targets include top-level government agencies, military organizations, diplomatic missions, and civil aviation authorities across countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, Brunei, and Australia. International bodies like the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN) are also within their scope. Beyond these, Naikon has also targeted government-owned companies, ministries of foreign affairs, science, and technology, as well as the telecommunications industry. The group has been observed using various aliases over time, including Lotus Panda, Hellsing, Override Panda, BRONZE GENEVA, and Camerashy. While sharing some characteristics with APT30, Naikon is generally considered a distinct entity.
Tactics & Techniques
Naikon’s operational methodology typically commences with spear-phishing campaigns, which serve as their primary initial access vector. These emails are meticulously crafted, often carrying attachments disguised as legitimate documents (e.g., Word files) but are, in fact, executable files with double extensions or weaponized Office documents. The RoyalRoad exploit builder has been a notable tool in their arsenal for creating these malicious RTF documents.
Upon successful initial compromise, Naikon demonstrates a sophisticated approach to execution and persistence. They are known to employ DLL side-loading to inject malicious DLLs into legitimate executables, thereby bypassing security controls and gaining higher privileges. To further evade detection, Naikon often masquerades malicious programs by renaming them to appear as benign system components or popular applications like Google Chrome, Adobe, VMware, or even the Windows Task Manager. Persistence is also achieved by modifying the Windows Run registry.
For internal network reconnaissance and lateral movement, the group leverages a combination of native Windows tools and custom or open-source utilities. They have been observed using schtasks.exe and WMIC.exe for lateral movement, alongside exploiting administrator credentials. Network discovery often involves the LadonGo scanner, Netbios scanners, and netsh commands to identify firewall and network interface settings. More recently, Naikon has incorporated open-source penetration testing tools such as Vyper, a powerful intranet penetration testing framework, and Asset Reconnaissance Lighthouse (ARL) for discovering new attack vectors and weaknesses.
Defense evasion is a hallmark of Naikon’s operations, characterized by their stealthy nature and ability to remain undetected for extended periods. Besides masquerading and DLL side-loading, they abuse legitimate software to avoid detection and use advanced obfuscation techniques. Their command and control (C2) infrastructure is often established by compromising legitimate government servers within the target countries, allowing for real-time connections and efficient data exfiltration, while making detection more challenging due to the trusted nature of the C2 nodes. Data exfiltration encompasses a wide range of sensitive information, including emails, contacts, and other classified documents.
Notable Campaigns
Naikon’s operational history is marked by periods of intense activity interspersed with phases where they “go dark” to refine their Tactics, Techniques, and Procedures (TTPs). Initial campaigns were documented from 2010 to 2015, targeting various ASEAN government, military, and civil organizations. A notable incident occurred in March 2014, when Naikon focused on nations involved in the search for Malaysia Airlines Flight MH370, seeking information related to the investigation. This period also included the “CameraShy” operation.
Following a lull in public reporting after 2015, the group resurfaced around 2019, demonstrating new TTPs. Check Point Research, in 2020, uncovered an ongoing cyber espionage operation against national government entities in the Asia Pacific (APAC) region, which they attributed to Naikon, noting the use of a new backdoor named Aria-body. Bitdefender also observed significant activity between June 2019 and March 2021, detailing their use of the Nebulae and RainyDay backdoors in campaigns primarily aimed at military organizations in South Asia. Cybereason further reported activity linked to Naikon between late 2020 and early 2021, specifically targeting telecommunications providers in ASEAN countries, employing the Nebulae backdoor and a previously undocumented keylogger called EnrollLogger. The group was once again observed to be on the prowl in 2022, leveraging advanced open-source pen-testing tools and potentially conducting surveillance operations.
Associated Malware & Tools
Naikon maintains a dynamic and evolving toolset, often incorporating custom backdoors alongside publicly available and open-source utilities.
Key custom backdoors and Remote Access Trojans (RATs) associated with Naikon include:
- Aria-body: A newer backdoor identified in operations from 2020 onwards, used to gain control over victim networks.
- Nebulae: A backdoor discovered around 2019/2021, often serving as a secondary persistence mechanism to ensure continued access.
- RainyDay: Another backdoor, typically used for secondary persistence, integrated into their toolkit around September 2020.
- XsFunction: An older RAT, noted for its extensive capabilities, supporting up to 48 distinct commands.
- MsnMM: A family of backdoors including variants like WinMM and SslMM, known for spoofing legitimate MSN applications.
- RARSTONE (BKDR_RARSTONE.A): A RAT with techniques similar to PlugX, notably loading backdoors directly into memory.
- Earlier backdoors identified include Sys10 and exe_exchange.
- Other backdoors and malware reported include HDoor, JadeRAT, Spaceship, Sisfader, FoundCore, Gemcutter, BackBend, Milkmaid, Orangeade, and Shipshape. Naikon has also shown some association with, or similarities to, PlugX.
Beyond their custom implants, Naikon extensively utilizes legitimate system utilities and penetration testing tools:
- RoyalRoad exploit builder: Frequently used to create weaponized RTF documents for initial access.
- LadonGo: A network scanner for reconnaissance.
- Vyper: An obscure open-source framework used for intranet penetration testing.
- ARL (Asset Reconnaissance Lighthouse): A multi-purpose open-source tool for reconnaissance and identifying attack vectors.
- Living off the Land (LotL) tools: Including
schtasks.exe,WMIC.exe, andnetshcommands for lateral movement, execution, and discovery. - Other utilities such as nbtscan, NetEagle, Quarks PwDump, Sandboxie, and TeamViewer have also been observed.
- EnrollLogger: A keylogger discovered in late 2020/early 2021 campaigns.
Current Status
Naikon has demonstrated consistent activity over the past decade, despite periods of apparent silence or shifts in methodology. After its activities were initially disclosed in 2015, the group was observed to be “active” by Kaspersky. Subsequent research revealed that Naikon had remained operational, merely evolving its tactics during what appeared to be a hiatus.
Evidence of their resurgence with new TTPs was prominent between 2019 and 2021, with various cybersecurity firms reporting new campaigns and malware. Activity was specifically noted in the fourth quarter of 2020 through the first quarter of 2021. Furthermore, Naikon resurfaced again in 2022, suggesting ongoing surveillance operations. As of more recent reporting, such as in August 2021 by Tidal Cyber and June 2022 by IntelliOS, Naikon continues to be listed as an active threat actor. A July 2023 analysis further underscores their continued relevance by linking Naikon to the PLA’s Southern Theatre Command. These consistent observations confirm that Naikon remains an active and evolving cyber espionage threat, continuously refining its capabilities to target geopolitical intelligence in the Asia-Pacific region.
Related content
Axiom (G0001): Profile of a Sophisticated Chinese Cyber Espionage Group
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Adversary ProfilePittyTiger: Persistent Espionage from the Far East
Adversary ProfileAPT30: Persistent Chinese Cyber Espionage in Southeast Asia and Beyond
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call