SneakyChef Prepares Geopolitical Coup

A cyberespionage group known as SneakyChef has targeted at least 9 countries worldwide, according to experts at Cisco Talos. Talos believes the attacks are being carried out by hackers from China who are gathering information on geopolitical tensions across the globe.

SneakyChef lures victims with fake government documents. This recent campaign has a broader scope than previous attacks, impacting countries in Europe, the Middle East, Africa, and Asia; earlier attacks focused primarily on South Korea and Uzbekistan.

The attackers spread infected files as self-extracting RAR (SFX) archives. When the victim opened one of these files, an embedded VBScript ran and installed the malware on the victim's system.
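The delivery chain described above (SFX archive opened by the user, VBScript launched from it) leaves a recognisable parent-child relationship in process-creation telemetry: an executable running from a user-writable location spawns the Windows script host with a `.vbs` argument. The following detection check is an added example, not code from the article or from Talos; the event records are constructed in a Sysmon-like shape, and the field names (`pid`, `ppid`, `image`, `cmdline`, `description`) and the "WinRAR SFX" description string are assumptions about what the EDR provides.

```python
"""Flag process-creation events where a self-extracting archive launches a VBScript.

Added detection example; event records below are constructed, not real telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Windows Script Host binaries that interpret .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Locations where a freshly downloaded / freshly extracted executable typically lives.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|windows\\temp)\\", re.I
)

# Constructed sample events (assumed Sysmon-like field names).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 812, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "description": "Windows Explorer"},
    # Lure document delivered as an SFX archive, double-clicked from Downloads.
    {"pid": 4120, "ppid": 812, "image": r"C:\Users\alice\Downloads\Notice.exe",
     "cmdline": r'"C:\Users\alice\Downloads\Notice.exe"', "description": "WinRAR SFX"},
    # The SFX stub runs the embedded script from its extraction directory.
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\RarSFX0\run.vbs"',
     "description": "Microsoft Windows Based Script Host"},
    # Benign: a logon script started by Explorer from a system path.
    {"pid": 4300, "ppid": 812, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Windows\System32\logon.vbs"',
     "description": "Microsoft Windows Based Script Host"},
]


def is_script_host(image: str) -> bool:
    """True if the process image is wscript.exe or cscript.exe."""
    return PureWindowsPath(image).name.lower() in SCRIPT_HOSTS


def looks_like_sfx(parent: Dict) -> bool:
    """Heuristic: parent advertises itself as an SFX stub or runs from a user-writable path."""
    desc = parent.get("description", "").lower()
    return "sfx" in desc or bool(USER_WRITABLE.match(parent["image"]))


def find_sfx_script_launches(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (parent image, child command line) for script hosts spawned by an SFX-like parent."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_script_host(e["image"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not looks_like_sfx(parent):
            continue
        if re.search(r"\.vbs\b", e["cmdline"], re.I):
            hits.append((parent["image"], e["cmdline"]))
    return hits


if __name__ == "__main__":
    for parent_image, cmd in find_sfx_script_launches(SAMPLE_EVENTS):
        print(f"ALERT: {parent_image} -> {cmd}")
```

The rule keys on the relationship rather than on any file hash, so it survives re-packed lures; in production the user-writable path list and the description match would be tuned to the environment, and a hit would be triaged together with the dropped script's contents.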

The core of SneakyChef's operations is the remote access tool SugarGh0st, which Talos first identified in November of last year. This tool is a modified version of the well-known Gh0st RAT, which has been used by various groups since 2008 and has been linked to operations connected to China.

Additionally, the new Talos report discusses a new trojan called SpiceRAT that is being distributed to SneakyChef's targets from the same email address. These findings underscore the extent and intensity of hacker activity against key geopolitical entities.

At this point, SneakyChef is being tracked as a distinct campaign, with no definitive evidence linking it to any specific state entity or established group. However, a May report from Palo Alto Networks Unit 42 suggests some related activity may be attributable to a Chinese APT group, typically associated with government backing.
