Naikon gang returns for another wave of cyber espionage campaigns

Naikon Threat Gang Cyber Espionage Campaigns

A China-sponsored threat group called Naikon has reemerged with new phishing mechanics that target organisations, especially in the government sector, to steal confidential data. The group, also known as Lotus Panda or Override Panda, was tracked by researchers in 2020, and another research group had detected its infrastructure in 2015. Now the group is back, making its presence felt again with cyberespionage attacks.

The advanced persistent threat group has sent several spear-phishing emails to spread a beacon for the red-team framework Viper. Although the group’s exact targets are still unidentified, the researchers believe they are government entities in South Asian countries.

The spear-phishing emails carried a malicious document that spoofs a call for tender. A couple of payloads are hidden inside the file as document properties.
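Hiding payloads in document properties is easy to spot if you look for it. The following is an added example (not code from the article or from the researchers it cites) that inspects the metadata parts of an OOXML file and flags property values that are far too long or look like base64; it assumes the lure is an OOXML document (docx/xlsx/pptx), and the length and base64 thresholds are assumptions chosen for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package parts where built-in and custom document properties live.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
# Heuristic thresholds (assumptions, not values from the article): real
# metadata is short, while a payload stuffed into a property tends to be a
# long base64-like string.
MAX_SANE_LENGTH = 256
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")


def suspicious_properties(doc_bytes):
    """Return [(part, tag, reason)] for property values that look like payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in PROPERTY_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                text = (el.text or "").strip()
                if not text:
                    continue
                tag = el.tag.split("}")[-1]  # drop the XML namespace prefix
                if len(text) > MAX_SANE_LENGTH:
                    findings.append((part, tag, f"value length {len(text)}"))
                elif BASE64_RE.match(text):
                    findings.append((part, tag, "base64-like value"))
    return findings


def build_sample_docx(description_value):
    """Build a minimal in-memory .docx (constructed test input, not a real sample)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:title>Call for tender</dc:title>'
        f'<dc:description>{description_value}</dc:description>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

Run `suspicious_properties()` over the documents quarantined by your mail gateway; a hit on `docProps/*.xml` is a cheap triage signal before any macro or payload analysis.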

Researchers also noted that Viper is a graphical intranet penetration tool that streamlines and modularises the techniques used during intranet breaches. It ships with about 80 modules covering initial access, privilege escalation, credential access, persistence, command execution, and lateral movement across the targeted network.

The group’s command-and-control server also contained ARL dashboards and the Viper framework.

The Naikon group has joined other China-based threat actors currently attacking different entities.

The first Chinese cyberespionage group, aside from Naikon, to target Asian countries this year is Moshen Dragon. It targets telecommunications firms in Central Asia and attempts to sideload malicious DLL files into antivirus products in order to move laterally, gather credentials, and steal information.

Last month, researchers discovered that another advanced persistent threat group, Mustang Panda, is using a new variant of the PlugX remote access trojan (RAT). The variant, named Hodur, supports numerous functions, such as executing commands, writing arbitrary files, and gathering system details.

Naikon’s tactics, techniques and procedures imply that it is running a long-term espionage and intelligence-gathering campaign. The group is notorious for targeting governments and foreign officials, so government bodies in the South Asian region should stay alert to avoid being hit by this reemerging group.
