>samit_hota
Back to adversary profiles
G0054HighUnknown

Sowbug (G0054) Threat Profile: Cyber Espionage in South America & Southeast Asia

Samit Hota·
Suspected Origin
Unknown
Motivation
Espionage, Information Theft
Aliases
None documented
Target Sectors
Government, Diplomatic, Foreign Policy
Associated Malware
Felismus, Starloader, Credential Dumpers, Keyloggers
#threat-actor#g0054

Overview

Sowbug, tracked by MITRE ATT&CK as G0054, is a highly sophisticated cyber espionage group that has been actively conducting targeted attacks against government and diplomatic organizations in South America and Southeast Asia since at least 2015. Identified primarily through analysis by Symantec in late 2017, Sowbug demonstrates the characteristics of a well-resourced, potentially nation-state-backed actor with a clear objective: information theft, particularly foreign policy and diplomatic intelligence.

The group has focused its operations on countries including Argentina, Brazil, Ecuador, and Peru in South America, and Brunei and Malaysia in Southeast Asia. Their operational security is notable; they often operate outside the typical working hours of their targets to maintain a low profile and prolong their presence on compromised networks, sometimes remaining undetected for up to six months. Sowbug is capable of infiltrating multiple targets simultaneously, indicating a significant level of coordination and resources.

Tactics & Techniques

Sowbug employs a range of tactics and techniques designed for stealthy intrusion, persistence, and data exfiltration. While their initial access vector is not always definitively identified, evidence suggests they may utilize fake software updates for legitimate programs like Windows or Adobe Reader to compromise systems.

Once a foothold is established, Sowbug deploys custom malware, notably a backdoor called Felismus and a dropper known as Starloader. These tools are often disguised to evade detection, masquerading as legitimate software components with filenames such as AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.exe. They have also been observed naming tools like adobecms.exe and placing them in seemingly innocuous directories such as CSIDL_APPDATA\microsoft\security to blend in with normal system files.

For lateral movement and privilege escalation, Sowbug has incorporated standard offensive security tools, including credential dumpers and keyloggers, to harvest sensitive authentication material and monitor user activity. Their reconnaissance efforts within a compromised network include identifying remote shared drives, installed software, and gathering system information like OS versions and hardware configurations. When collecting data, the group specifically targets documents, often looking for file types like *.doc and *.docx, sometimes within specific date ranges on file servers, and bundles the extracted information into RAR archives for exfiltration. Command and control (C2) communications are facilitated by their Felismus backdoor, allowing remote management of infected systems. However, Symantec observed some C2 servers being shut down following detection, suggesting the group adapts its infrastructure in response to exposure.

Notable Campaigns

Sowbug’s activities first came to public light through Symantec’s research in late 2017, which detailed a campaign where the group utilized a previously unknown backdoor, Felismus, against a target in Southeast Asia in March 2017. Further investigation linked this activity to earlier, distinct campaigns, establishing that Sowbug had been operational since at least early 2015.

A particularly illustrative incident involved a May 2015 attack against the foreign affairs ministry of a South American nation. In this case, Sowbug meticulously targeted and extracted Word documents from a specific division of the ministry responsible for foreign relations with an Asia-Pacific country. The attackers demonstrated exceptional stealth and persistence, remaining undetected on the victim’s network for an extended period of four months. This incident underscores Sowbug’s strategic focus on diplomatic and foreign policy intelligence.

Associated Malware & Tools

Sowbug relies on a small but effective arsenal of custom and commonly available tools:

  • Felismus: This is Sowbug’s primary custom backdoor. It grants the attackers comprehensive remote control over a compromised system, enabling them to upload and download files, execute commands, and maintain persistence within the target environment.
  • Starloader: Identified as a dropper, Starloader is responsible for the initial deployment of Felismus and other auxiliary malicious components. It has been observed being distributed under deceptive filenames such as AdobeUpdate.exe and INTELUPDATE.exe, mimicking legitimate software updates.
  • Credential Dumpers and Keyloggers: To facilitate lateral movement and access to sensitive information, Sowbug incorporates tools for extracting user credentials and recording keystrokes. These are standard, off-the-shelf or slightly modified tools used to enhance their espionage capabilities.

Current Status

Publicly available threat intelligence on Sowbug (G0054) largely stems from the comprehensive reporting by Symantec in late 2017, which detailed the group’s operations up to that point, specifically active between 2015 and 2017. Since then, there has been a notable absence of new, specific open-source reporting directly attributing ongoing or recent campaigns to the Sowbug threat group. While advanced persistent threat (APT) groups are known to adjust their tactics, change their tools, or go dormant for periods before re-emerging, without updated analysis from security researchers, Sowbug’s current operational status and activities remain unconfirmed in the public domain. It is plausible they have ceased operations, rebranded, or evolved in a way that makes their activities harder to publicly attribute.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call