securityonline.info 6/1/2026, 10:18:52 AM · external

China-linked hackers deploy Linux router implant to hijack DNS

A cyber espionage campaign targeting enterprise operations in Southeast Asia has been identified, in which a China-linked group deploys a custom Linux router implant on border routing devices. The implant circumvents traditional security measures, giving attackers access to internal web traffic. The malware runs as a static binary, uses DNS over HTTPS for stealthy communication, and manipulates firewall rules to hijack DNS traffic.

Additionally, it can gain access to internal Windows hosts through DLL sideloading, highlighting the need for enhanced security measures against such sophisticated threats.


Article by CyberSIXT