Worok: A cyber gang is targeting governments and high-profile organizations


A newly identified cyber-espionage gang, Worok, has been targeting governments and high-profile organizations in Asia with a mix of custom-made and publicly available malicious tools.

Worok, the threat group discovered by ESET security experts, has also attacked targets in Africa and the Middle East. Experts claim this gang might be connected to TA428, a comparable group that has been active since 2019 and is believed to be backed by China.

In 2020, the cybersecurity software vendor’s threat intelligence analysts saw activity from a number of APT organisations. Worok has so far been connected to cyberattacks on military, governmental, and public sector organisations, as well as financial, energy, marine, and telecommunications companies.

Worok targeted a bank in Central Asia, a maritime corporation in Southeast Asia, a Middle Eastern government agency, a private company in southern Africa, and an East Asian telecoms company.

No sightings had occurred prior to February 2022, when ESET once more connected the group to further attacks on a public sector organisation in Southeast Asia and a Central Asian energy business.


Late in August, research conducted by PwC Threat Intelligence revealed a Chinese initiative to compile data on international heavy industry producers and other targets related to operations in the South China Sea.


Attack map of Worok (ESET)

Chinese hackers have recently attacked Russian defence organisations too, particularly as a result of the Russian invasion of Ukraine.

Thibaut Passilly, a malware researcher with ESET, said:

We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities.

Worok Attack Technique

The initial access vector for the majority of the group’s breaches is still unclear. In the cases where it is known, however, the group exploited the ProxyShell vulnerabilities to obtain access to the networks of its victims.

According to ESET:

In such situations, the vulnerabilities have often been exploited and then webshells uploaded to the victim’s network to offer persistence. Then the operators used various implants to gain further capabilities.

Two loaders from Worok’s malicious toolkit, the C++ loader CLRLoad and the C# loader PNGLoad, are used by the attackers to deliver malware packages steganographically hidden in PNG image files.

Although there were certain incidents in 2021 and 2022 in which the ProxyShell vulnerabilities were exploited, it is generally unknown how the espionage group initially gained entry into victims’ networks. In those instances, webshells were uploaded once the vulnerabilities had been exploited, to guarantee persistence in the affected networks.

ESET discovered a new PowerShell backdoor called PowHeartBeat, which in incidents recorded from February 2022 onwards has replaced CLRLoad as the tool used to launch PNGLoad on infected computers. However, ESET has not yet been able to recover any of the final payloads delivered in the group’s attacks.
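Because Worok’s loaders recover their payloads from PNG images, a defender triaging a suspicious image wants to know whether its structure is what a normal encoder would produce. The following Python is an added example, not ESET’s or Worok’s code: it builds a constructed 4x4 PNG and runs a structural check over it (chunk CRCs, non-standard chunk types, bytes trailing IEND, and IDAT content that does not match the dimensions declared in IHDR). It flags the cruder forms of embedding only; pixel-level steganography leaves a structurally valid file and needs image analysis beyond this check.

```python
import struct
import zlib
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
                b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf"}  # PNG spec + registered extensions
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def _chunk(ctype, data):  # one chunk: length, type, data, CRC-32 over type and data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def make_png(width=4, height=4, extra_chunks=(), hidden=b"", trailer=b""):
    """Constructed sample: a black 8-bit RGB PNG, optionally with smuggled bytes."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(3 * width) for _ in range(height)) + hidden  # filter byte 0 per row
    extra = b"".join(_chunk(t, d) for t, d in extra_chunks)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + extra
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"") + trailer)

def triage_png(blob):
    """Return structural anomalies that merit a closer look at the image."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    findings, pos, idat, expected, ctype = [], 8, b"", None, None
    while ctype != b"IEND" and pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data, crc = blob[pos + 8:pos + 8 + length], blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            return findings + ["truncated %r chunk" % ctype]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc)[0]:
            findings.append("CRC mismatch on %r chunk" % ctype)
        if ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes)" % (ctype, length))
        if ctype == b"IHDR" and len(data) == 13:
            w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", data)
            if interlace == 0 and colour in CHANNELS:  # non-interlaced: filter byte + packed samples per row
                expected = h * (1 + (w * depth * CHANNELS[colour] + 7) // 8)
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
    if ctype != b"IEND":
        return findings + ["no IEND chunk"]
    if pos < len(blob):
        findings.append("%d trailing bytes after IEND" % (len(blob) - pos))
    try:
        actual = len(zlib.decompress(idat))
        if expected is not None and actual != expected:
            findings.append("IDAT decompresses to %d bytes, expected %d" % (actual, expected))
    except zlib.error:
        findings.append("IDAT is not a valid zlib stream")
    return findings
```

An empty list means the file is structurally unremarkable, not that it is clean; anything flagged is a reason to pull the image for deeper analysis.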
