Striking commonality found between the Patchwork sample reported by Red Raindrop Team and Operation Monsoon

Today's cyber world is moving aggressively towards more advanced surveillance techniques. Almost every day we are faced with new forms of cyber attack, which suggests that cyber spies and hackers are expanding both their targets and their techniques.

Recently, the Red Raindrop Team (RRT) of the Qianxin Threat Intelligence Center captured the latest sample of the Patchwork APT's "BADNEWS" Trojan. What is intriguing is that this BADNEWS sample has a lot in common with Operation Monsoon.

Commonality between Operation Monsoon and the sample reported by RRT

While going through the RRT report, we found that it focuses purely on the BADNEWS malware, which was first documented in Operation Monsoon.

Operation Monsoon, the name Forcepoint gave to a Patchwork campaign it documented in 2016, with activity dating back to late 2015, mainly targeted Chinese and Pakistani diplomatic and government agencies. The group relied on spear phishing and custom attack tools: MS Office exploits for the initial foothold, followed by system discovery and defense evasion, and finally execution of a second-stage payload, most commonly BADNEWS.

Further investigation showed that the TTPs are almost identical to those of the BADNEWS malware seen in Operation Monsoon.

From the Red Raindrop Team report we derived a matrix that depicts the various points the new sample has in common with Operation Monsoon.

MITRE ATT&CK Matrix

[ATT&CK matrix image from the original post not reproduced here]

In that matrix, a score of 4 indicates that the given ATT&CK technique is the same in both campaigns (Operation Monsoon and the sample reported by Red Raindrop Team).

Moreover, all the Tactics, Techniques and Procedures (TTPs) point to Operation Monsoon: BADNEWS has re-emerged with new binaries but the same behaviour.

A few of the similarities that caught our attention:

(a) A technique to evade Kaspersky antivirus is present in both campaigns.

(b) Information exfiltration through the command shell is common to both.

(c) Both rely on spear phishing as the entry point to deliver weaponised documents, which are usually RTF files.

(d) The shellcode used in this attack is unchanged from the shellcode used in the previous attacks.

(e) As the follow-up payload, the group continues to use the BADNEWS Trojan.

(f) Some common functionality has been stripped from both BADNEWS and the keylogger to reduce AV detection; only the functionality the operators actually need was kept.

(g) Both use the same persistence method: the registry.

IOCs found in the Red Raindrop Team report:

[IOC table from the original post not reproduced here]
Digging deeper into the RRT report, we found a few more executables related to this group. Their code-signing certificates strengthen the case that these artifacts belong to Monsoon, since all of them are signed with the same certificate, whose display name is 5Y TECHNOLOGY LIMITED. A shared signing certificate is strong linkage evidence between samples, though on its own it shows only that they were signed with the same key, not who operated them.

We also found the following IOCs:

(a) DeviceSync.lnk

(b) 5Y TECHNOLOGY LIMITED (code-signing certificate display name)

(c) MD5: 5dc86d29f26cb9792a285533fdff8835

(d) MD5: 4870de0cad3c841327990fd9b7513328

(e) MD5: 1f7f6928534ff002dbe843380d619e45

(f) MD5: 103f7c56772b5463a51c4992d1a1289f

Note: investigation of the above artifacts is still ongoing.
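Because the sample set overlaps on file hashes, a file name and a registry persistence method, the first thing an analyst will want is a quick host sweep for those indicators. The script below is an added example written for this page; it is not code from the Red Raindrop Team report, the Forcepoint Monsoon report, or this post's author. It sweeps a directory for files whose MD5 or file name matches the IOCs listed above (DeviceSync.lnk is taken to be a Windows shortcut, an assumption), and parses a `reg export` of the Run/RunOnce keys to list auto-start entries, since both campaigns persist through the registry. The `.reg` text, the temporary file written by `demo()`, and the "user-writable directory" heuristic in `flag_user_writable()` are all constructed for the example.

```python
"""Triage helper added to this page as an example (not code from the RRT or
Monsoon reports).  Sweeps a directory for the page's file-hash and file-name
IOCs and lists auto-start entries from a .reg export of the Run keys.
SAMPLE_REG and the file written by demo() are constructed input."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

# MD5 hashes and the file name quoted in the page's IOC list.
IOC_MD5 = {
    "5dc86d29f26cb9792a285533fdff8835",
    "4870de0cad3c841327990fd9b7513328",
    "1f7f6928534ff002dbe843380d619e45",
    "103f7c56772b5463a51c4992d1a1289f",
}
IOC_NAMES = {"devicesync.lnk"}   # assumed to be the .lnk shortcut named on the page


def hash_file(path: str) -> Tuple[str, str]:
    """Return (md5, sha256) of a file, streamed so large PEs are not read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root: str, md5_iocs: Iterable[str] = IOC_MD5,
          name_iocs: Iterable[str] = IOC_NAMES) -> List[Dict[str, str]]:
    """Walk `root` and report every file whose MD5 or name is in the IOC sets."""
    md5_set = {h.lower() for h in md5_iocs}
    name_set = {n.lower() for n in name_iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:        # unreadable or vanished file: skip it, keep sweeping
                continue
            reasons = []
            if md5 in md5_set:
                reasons.append("md5")
            if name.lower() in name_set:
                reasons.append("name")
            if reasons:
                hits.append({"path": path, "md5": md5, "sha256": sha256,
                             "reason": "+".join(reasons)})
    return hits


# .reg export syntax: a [KEY] header, then "name"="value" lines with \ and " escaped.
RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\Run(?:Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_run_keys(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for each string value under a Run/RunOnce key."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None   # forget the key when a non-Run key starts
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            command = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping
            entries.append((current, m.group(1), command))
    return entries


# Heuristic assumed by this example (not a rule from the reports): an auto-start
# command living in a user-writable directory deserves a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def flag_user_writable(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    return [e for e in entries if any(d in e[2].lower() for d in USER_WRITABLE)]


# Constructed .reg export: one benign-looking entry and one in %AppData%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"WinUpdater"="C:\\Users\\victim\\AppData\\Roaming\\wupd.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"""


def demo() -> Dict[str, object]:
    """Run both checks on constructed input so the example works offline."""
    root = tempfile.mkdtemp()
    sample = os.path.join(root, "DeviceSync.lnk")   # constructed file, not a real LNK
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample, not malware")
    md5, _ = hash_file(sample)
    hits = sweep(root, md5_iocs=IOC_MD5 | {md5})     # add the sample's own hash to the set
    entries = parse_run_keys(SAMPLE_REG)
    return {"hits": hits, "entries": entries, "flagged": flag_user_writable(entries)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point `sweep()` at the user profile and Startup folders and feed `parse_run_keys()` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent). MD5 matches are only useful against the exact binaries listed; the signer name and the persistence entry are what survive a recompile, which is why the script reports file names and Run entries separately from hash hits.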

Given these striking commonalities, it would be no surprise if both operations were eventually attributed to a common threat actor.

