Image: iStockphoto/Gangis_Khan

The McAfee Advanced Threat Research Strategic Intelligence team has identified an espionage campaign that is specifically targeting telecommunication companies in an attack dubbed “Operation Diànxùn.” McAfee researchers Thomas Roccia, Thibault Seret and John Fokker said in a blog post that the malware is using tactics similar to those seen from groups like RedDelta and Mustang Panda.

Roccia, Seret and Fokker wrote that they believe the campaign’s goal is to steal or gain access to covert information related to 5G technology using malware masquerading as Flash applications.

SEE: Future of 5G: Projections, rollouts, use cases, and more (free PDF) (TechRepublic)

Cybersecurity companies Intsights and Positive Technologies both identified Mustang Panda last year as an advanced persistent threat group behind a number of COVID-19-themed attacks on people in Vietnam and Mongolia. The attacks involved COVID-19-related phishing emails loaded with malicious .rar files that, when unzipped, installed a backdoor trojan on the victim’s machine.

RedDelta is also well known by security researchers for its work attacking the Vatican, the former civilian government of Myanmar and two Hong Kong universities last year. According to McAfee, the attacks used “the PlugX backdoor using DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.”

Now, the group–which is believed to be based in China–is going after the telecom sector, and McAfee researchers wrote that they believe the attack is related to the ban of Chinese technology in the global 5G rollout.

“While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection,” the McAfee report said.

“We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry. We discovered malware that masqueraded as Flash applications, often connecting to the domain “hxxp://” that was under control of the threat actor. The malicious domain was crafted to look like the legitimate career site for Huawei, which has the domain: hxxp:// In December, we also observed a new domain name used in this campaign: hxxp://”

According to McAfee’s research, the targets for the attacks are based in the United States, Europe and Southeast Asia, with a specific focus on German and Vietnamese telecommunication companies.

A map of where the attacks were targeted.
Image: McAfee

“McAfee ATR’s research into Operation Diànxùn reveals a capable threat actor that continuously updates tactics in an effort to extract data for their own purposes,” Raj Samani, a McAfee fellow and chief scientist, told TechRepublic.

“Whilst the focus will be on the threat actor, the recommendation is to focus on the available IoCs and TTPs to not only hunt for the threat but implement controls that prevent such adversaries from being successful.”

While there was initial interest from dozens of governments in allowing Chinese companies like Huawei and ZTE to build out 5G networks, the United States and some European countries have in recent months pressed countries to stop rollout efforts over concerns that the Chinese government would have some level of access or control over the systems, according to Foreign Policy and Reuters.

Former President Donald Trump and his administration pressed other countries through a series of bilateral declarations to avoid hiring Chinese companies for 5G systems, sparking outrage from the Chinese government, who accused the US and Europe of rigging the free market in favor of companies based in their own countries.

“In this report we have brought to light a recent espionage operation allegedly attributed to a Chinese APT group. Regarding the targeted sector (telecoms), we believe that this campaign was used to access sensitive data and to spy on companies related to 5G technology. Additionally, the use of a fake Huawei website gives more clues about the telecom targets,” the report said.

“The announcement of the ban on Huawei in several countries could have motivated the operation. The operating methods were previously assigned to the Chinese groups RedDelta and Mustang Panda. While we believe that the two actors could be the same, based on similar techniques, tactics and procedures, we currently have no further evidence. Interestingly, the RedDelta group has previously targeted Catholic organizations, while this campaign is primarily focused on telecommunications.”