Nick-Named “Operation PZChao”, the attack campaign discovered by the security researchers at the firm Bitdefender have been targeting organizations in the government, tech, and telecomm industries in Asia and the U.S.A.

Researchers now believe that infrastructure and payloads – apparently including variants of the Gh0stRAT trojan, which was used in the PZChao attacks  – are similar to that of the notorious Chinese hacker group—The Iron Tiger.

Similar to the PZChao campaign this group also carried out reported attacks against entities in the Philippines, China, and Tibet, not to mention attacking targets in the U.S.

The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack methods as that of The Iron Tiger, which some argue could signal the “possible return” of the notoriously known China-based Advanced Persistent Threat group of yesteryear.

Since at least July 2017 the “PZChao” campaign has been targeting organizations with a malicious VBS file attachments that deliver via targeted phish emails.

The perps behind this attack campaign have control over at least 5 malicious subdomains of the “” URL, and each is used to serve specific tasks, such as download, upload, R.A.T related tasks, and malware DLL delivery.

PZChaos final pay-load includes a modified version of the Gh0st remote access trojan (aka RAT) which is designed to act as a backdoor implant and acts very similar to the versions detected in cyber attacks associated with the Iron Tiger A.P.T group.

The Gh0st RAT is equipped with extensive cyber-espionage capabilities including:

  • Allowing for the remote shutdown & reboot of the system.
  • Downloading binaries from the Web to the remote host.
  • Modifying & stealing files.
  • Real-time as well as offline remote key-logging.
  • Listing of all active processes & open windows.
  • Listening in on conversations via the mic.
  • Eavesdropping on webcam live video feeds.
All of the capabilities mentioned above allows a remote attacker to take full control of the compromised system, then go on to spy on the victims and export confidential data. Tread carefully.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.