
Chinese Attackers Exploit Check Point Vulnerability to Distribute ShadowPad and Ransomware


A recent cyber threat activity cluster has been uncovered, with European organizations, especially those in the healthcare sector, being targeted in a sophisticated attack. The attackers deployed two notorious malware implants, PlugX and ShadowPad, which in some cases led to the deployment of a ransomware known as NailaoLocker.

The campaign, known as Green Nailao, was investigated by Orange Cyberdefense CERT and was found to exploit a newly patched security vulnerability in Check Point network gateway security products (CVE-2024-24919, CVSS score: 7.5). The attacks took place between June and October 2024.

According to a technical report shared by the company, the attackers used DLL search-order hijacking to deploy ShadowPad and PlugX, implants commonly associated with China-linked targeted intrusions. Initial access came from exploiting vulnerable Check Point instances to retrieve user credentials, after which the threat actors connected to the VPN using those legitimate accounts.

Subsequently, the attackers conducted network reconnaissance and moved laterally over the Remote Desktop Protocol (RDP) to obtain elevated privileges. They then executed a legitimate binary (“logger.exe”) to sideload a rogue DLL (“logexts.dll”), which acted as a loader for a new version of the ShadowPad malware. Earlier attacks in August 2024 used similar tactics to deliver PlugX, in that case side-loading “McUtil.dll” through a McAfee executable (“mcoemcpy.exe”).

ShadowPad, like PlugX, is a privately sold malware exclusively used by Chinese espionage actors since at least 2015. The version identified by Orange Cyberdefense CERT includes advanced obfuscation and anti-debug measures, establishing communication with a remote server to ensure persistent remote access to compromised systems.

There are indications that the threat actors attempted to exfiltrate data by accessing the file system and creating ZIP archives. The attacks concluded with the use of Windows Management Instrumentation (WMI) to transmit three files: a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd (“usysdiag.exe”), a loader named NailaoLoader (“sensapi.dll”), and NailaoLocker (“usysdiag.exe.dat”).

NailaoLocker, the ransomware deployed in these attacks, is described as relatively unsophisticated and poorly designed. It encrypts files, adds the “.locked” extension, and displays a ransom note demanding payment in bitcoin or contact via a Proton Mail address.
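As an added example that is not part of the original report, the following Python triage script scans a flat file listing for the side-loading pairs named above (logger.exe/logexts.dll, mcoemcpy.exe/McUtil.dll, usysdiag.exe/sensapi.dll), the usysdiag.exe.dat payload name and the .locked extension, and also flags the general pattern behind the technique: a system-DLL name sitting beside an application executable outside the Windows directory. The system-DLL list and the sample listing are assumptions constructed for the example.

```python
import ntpath
from collections import defaultdict

# Side-loading pairs named in the Green Nailao report: rogue DLL -> legitimate host EXE.
KNOWN_PAIRS = {"logexts.dll": "logger.exe", "mcutil.dll": "mcoemcpy.exe", "sensapi.dll": "usysdiag.exe"}
# Assumption for this example: DLL names that belong in a Windows system directory, so a copy
# sitting beside an application EXE is a search-order hijacking candidate.
SYSTEM_DLLS = {"sensapi.dll", "version.dll", "dbghelp.dll"}
RANSOM_EXT = ".locked"             # extension NailaoLocker appends to encrypted files
PAYLOAD_NAME = "usysdiag.exe.dat"  # file name NailaoLocker was delivered under

def is_system_dir(directory):
    """The Windows tree legitimately holds system DLLs beside executables; skip it."""
    return directory.lower().startswith("c:\\windows\\")

def analyze_listing(paths):
    """Return sorted (severity, path, reason) findings for a flat list of Windows file paths."""
    by_dir = defaultdict(set)
    for p in paths:
        directory, name = ntpath.split(p)
        by_dir[directory].add(name.lower())
    findings = []
    for directory, names in by_dir.items():
        exes = {n for n in names if n.endswith(".exe")}
        for dll in (n for n in names if n.endswith(".dll")):
            full = ntpath.join(directory, dll)
            host = KNOWN_PAIRS.get(dll)
            if host in exes:
                findings.append(("high", full, f"known side-loading pair {host} + {dll}"))
            elif dll in SYSTEM_DLLS and exes and not is_system_dir(directory):
                findings.append(("medium", full, f"system DLL name beside {sorted(exes)[0]}; possible search-order hijack"))
        if PAYLOAD_NAME in names:
            findings.append(("high", ntpath.join(directory, PAYLOAD_NAME), "NailaoLocker payload file name"))
        for n in names:
            if n.endswith(RANSOM_EXT):
                findings.append(("high", ntpath.join(directory, n), "NailaoLocker .locked extension"))
    return sorted(findings)

SAMPLE_LISTING = [  # constructed sample listing, not taken from a real host
    r"C:\ProgramData\Tools\logger.exe",
    r"C:\ProgramData\Tools\logexts.dll",
    r"C:\Users\Public\usysdiag.exe",
    r"C:\Users\Public\sensapi.dll",
    r"C:\Users\Public\usysdiag.exe.dat",
    r"C:\Program Files\App\app.exe",
    r"C:\Program Files\App\version.dll",
    r"C:\Windows\System32\sensapi.dll",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\bob\Documents\report.docx.locked",
]
```

Running `analyze_listing(SAMPLE_LISTING)` yields five findings; the copy of sensapi.dll under System32 is correctly left alone.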

The activity has been tentatively attributed to a Chinese-aligned threat actor by Orange Cyberdefense CERT due to the use of ShadowPad, DLL side-loading techniques, and similarities to ransomware campaigns linked to another Chinese threat group known as Bronze Starlight.

The use of “usysdiag.exe” to sideload payloads has been observed in attacks associated with a China-linked intrusion set tracked by Sophos under the name Cluster Alpha.

While the exact motives behind the espionage-cum-ransomware campaign remain unclear, it is speculated that the threat actors are seeking financial gain. The researchers noted the contrast in sophistication between ShadowPad and NailaoLocker, suggesting that such campaigns may provide threat groups with access to valuable information systems for future offensive operations.
