A newly identified Chinese cyberespionage group has been deploying signed malware against IT service providers and telecommunications companies.
SentinelOne tracks this advanced persistent threat (APT) as WIP19. Its activities overlap with Operation Shadow Force, but it is unclear whether this is a new iteration of that campaign or the work of a different, more experienced adversary using new malware and techniques. WIP19 employs a number of malicious components signed with stolen certificates and primarily targets organizations in the Middle East and Asia.
The group has so far been observed using malware families such as ScreenCap and SQLMaggie, along with a credential dumper.