China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
May 27, 2026 · 5 min read
A sophisticated China-linked hacking group has been caught targeting edge routers across Southeast Asia, deploying a custom-built Linux implant that gives them deep control over network traffic.

The campaign has been rated critical in severity, and its reach extends well beyond the devices it initially compromises. The attackers install a malicious binary named router.elf directly on border routers, turning them into silent interception points for everything that passes through.

Once running, the implant checks in with attacker-controlled servers over an encrypted channel. Because no endpoint agent runs on a router and the traffic looks like ordinary HTTPS, standard security tooling has little to detect; the campaign is built to stay entirely outside the view of endpoint defenses.

Analysts at Qiita identified the intrusion and noted that the campaign reflects a clear strategic decision to target network infrastructure rather than individual computers.

By owning the router, the attackers position themselves to monitor and manipulate every device that connects through it. That makes this threat far more dangerous than a typical malware infection.

What makes this operation especially alarming is its dual focus. The same group that compromised the routers also deployed a separate tool, a Cobalt Strike Beacon, onto Windows computers within the same networks, using a technique known as DLL sideloading.

Both attack streams share the same command-and-control infrastructure, which ties the whole operation to a single, coordinated threat actor.

Qiita said in a report shared with Cyber Security News (CSN) that multiple clues point strongly to a China-based origin.

These include Mandarin-language strings embedded in the implant's code, a hard-coded zh-CN language setting in its C2 communication profile, and the use of a cracked offensive-security tool whose license ID has been consistently tied to China-linked operations.

How the Implant Takes Over Edge Routers

Once router.elf is installed and running, it checks in with attacker servers over HTTPS on TCP port 443, polling the /api/v1/get and /api/v1/post paths listed in the indicators below.

To keep its lookups out of DNS logs, it resolves its C2 domains through Cloudflare's DNS-over-HTTPS service, so the queries travel inside ordinary-looking HTTPS rather than as plaintext DNS. The organization's own resolvers never see the C2 names; the only trace is the router itself opening HTTPS connections to Cloudflare's resolver, which a border device normally has no reason to do. This is a deliberate evasion technique that helps the implant stay hidden for long periods.

The malware also plants firewall rules on the router using iptables, the standard Linux packet-filter utility present on most router firmware. These NAT rules silently redirect every DNS query (port 53) from every device behind the router to resolvers the attackers control, listening on port 8090 at the addresses in the indicator list below.

That lets the attackers control which addresses victims' machines resolve, intercept software updates, and single out particular destinations through an ipset named evil_fix, a kernel-side address list the implant can update on the fly without rewriting the rules themselves.
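The audit below is an added example, not code from the report or the implant: it parses iptables-save output (the constructed sample models the behaviour described above and is not output from a real device; the interface names are assumed, the rogue addresses are the ones in the IoC list, written fanged so they parse) and flags nat-table DNAT rules that send client DNS to an external resolver or steer traffic through an ipset.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format. NOT captured from a compromised
# device; it models what the article describes: client DNS DNATed to a rogue
# resolver on port 8090, plus an ipset-driven DNAT for selected destinations.
# Interface names are assumed; the addresses come from the article's IoC list.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 8.213.217.130:8090
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 8.213.217.130:8090
-A PREROUTING -i br-lan -p tcp -m set --match-set evil_fix dst -j DNAT --to-destination 23.254.129.112
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_rules(save_text):
    """Yield (table, tokens) for every '-A' rule in iptables-save output."""
    table = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)


def _opt(tokens, flag):
    """Value following a flag such as '--dport', or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def _dest_host(dest):
    """Strip an optional ':port' from an IPv4 DNAT target (IPv6 not handled)."""
    return dest.rsplit(":", 1)[0] if dest.count(":") == 1 else dest


def _is_external(host):
    """True unless the host is an RFC 1918, loopback or link-local address."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # ranges or names are unusual DNAT targets; treat as suspicious


def audit_nat_rules(save_text, trusted_resolvers=frozenset()):
    """Return nat-table DNAT rules that hijack client DNS or divert traffic via an ipset.

    trusted_resolvers: external resolver IPs the site legitimately redirects DNS to.
    """
    findings = []
    for table, tok in parse_rules(save_text):
        if table != "nat" or _opt(tok, "-j") != "DNAT":
            continue
        dest = _opt(tok, "--to-destination")
        if dest is None:
            continue
        host = _dest_host(dest)
        reasons = []
        if _opt(tok, "--dport") == "53" and host not in trusted_resolvers and _is_external(host):
            reasons.append("client DNS (port 53) redirected to external resolver")
        match_set = _opt(tok, "--match-set")
        if match_set and _is_external(host):
            reasons.append(f"ipset '{match_set}' diverts matching traffic to external host")
        if reasons:
            findings.append({"chain": tok[1], "destination": dest,
                             "reasons": reasons, "rule": " ".join(tok)})
    return findings


if __name__ == "__main__":
    for f in audit_nat_rules(SAMPLE_IPTABLES_SAVE):
        print(f["chain"], f["destination"], "; ".join(f["reasons"]))
```

Feed it the output of `iptables-save` collected from the device, and dump any set the rules reference with `ipset list <name>` to see which destinations are being hijacked. Firmware that has moved to nftables needs `nft list ruleset` instead; the same pattern (a dnat to an off-site address for port 53) is what to look for there.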

A secondary backdoor named client_rc_start is installed alongside the main implant so that access survives even if the primary payload is found and removed.

Windows Endpoints Caught in the Crossfire

The campaign does not stop at the router. The group extended its reach to Windows computers inside the same networks by planting a Cobalt Strike Beacon, a commercial post-exploitation framework widely abused by intrusion groups, through DLL sideloading.

A malicious file named version.dll is dropped into the same folder as a legitimate CrashReport.exe. Windows searches an application's own directory before the system directory when it loads a DLL by name, so when the legitimate process starts it loads the attacker's version.dll in place of the genuine library and the Beacon runs inside an otherwise legitimate process.

The Beacon connects back to the same command-and-control domains as the router implant, using the same URI paths and cookie markers and the same fifty-second sleep between check-ins.

This tight alignment between the two tools shows that neither was deployed in isolation: the same attacker controls both, as two arms of one coordinated espionage effort.
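Because the router implant and the Beacon share URI paths, cookie markers and the fifty-second sleep, one detector covers both. The following is an added example (not the report's or any vendor's code) that runs over proxy log lines; the log format, client addresses and the non-IoC hostnames are assumed and the lines are constructed, while the domains, URIs, cookie markers and sleep come from the article. Known domains are matched directly, but the example also scores hosts on behaviour alone, so a Beacon talking to freshly registered infrastructure still surfaces.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Values from the article's IoC list (fanged so they match log fields).
C2_DOMAINS = {"contextlayerrun.com", "specialclouds.com", "specialclouds.top", "namefilecode.com"}
C2_URIS = {"/api/v1/get", "/api/v1/post"}
COOKIE_MARKERS = ("UK=", "ZF=")   # GET metadata cookie, POST session cookie
EXPECTED_SLEEP = 50.0             # seconds between check-ins, per the report
JITTER = 0.15                     # accept +/-15% for jitter and clock skew

# Constructed proxy log (NOT real telemetry). Assumed format:
# timestamp client method host uri dst_port "cookie"
SAMPLE_LOG = """\
2026-05-20T10:00:00Z 10.0.5.23 GET specialclouds.com /api/v1/get 443 "UK=abc123"
2026-05-20T10:00:50Z 10.0.5.23 GET specialclouds.com /api/v1/get 443 "UK=abc123"
2026-05-20T10:01:40Z 10.0.5.23 GET specialclouds.com /api/v1/get 443 "UK=abc123"
2026-05-20T10:02:31Z 10.0.5.23 POST specialclouds.com /api/v1/post 443 "ZF=def456"
2026-05-20T10:02:31Z 10.0.5.23 GET specialclouds.com /api/v1/get 443 "UK=abc123"
2026-05-20T10:00:03Z 10.0.5.77 GET updates.example.com /api/v1/get 443 "session=1"
2026-05-20T10:00:07Z 10.0.5.77 GET updates.example.com /api/v1/get 443 "session=1"
2026-05-20T10:00:12Z 10.0.5.77 GET updates.example.com /api/v1/get 443 "session=1"
2026-05-20T10:05:00Z 10.0.6.9 GET cdn-metrics.example.net /api/v1/get 443 "UK=q9"
2026-05-20T10:05:50Z 10.0.6.9 GET cdn-metrics.example.net /api/v1/get 443 "UK=q9"
2026-05-20T10:06:40Z 10.0.6.9 GET cdn-metrics.example.net /api/v1/get 443 "UK=q9"
2026-05-20T10:07:30Z 10.0.6.9 GET cdn-metrics.example.net /api/v1/get 443 "UK=q9"
2026-05-20T10:00:00Z 10.0.0.1 GET contextlayerrun.com /api/v1/get 443 "UK=zz"
2026-05-20T10:00:50Z 10.0.0.1 GET contextlayerrun.com /api/v1/get 443 "UK=zz"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+) "([^"]*)"$')


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, uri, port, cookie = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
               "method": method, "host": host.lower(), "uri": uri,
               "port": int(port), "cookie": cookie}


def detect_beacons(text):
    """Score each client on IoC domain hits, C2 profile hits and check-in periodicity."""
    per_src = defaultdict(lambda: {"domains": set(), "profile_hits": 0, "checkins": []})
    for e in parse_log(text):
        s = per_src[e["src"]]
        if e["host"] in C2_DOMAINS:
            s["domains"].add(e["host"])
        # Profile match needs both the C2 URI and the cookie marker; the URI alone is common.
        if e["uri"] in C2_URIS and e["cookie"].startswith(COOKIE_MARKERS):
            s["profile_hits"] += 1
            if e["method"] == "GET":          # GET /api/v1/get is the sleep-driven poll
                s["checkins"].append(e["ts"])
    results = {}
    for src, s in per_src.items():
        if not s["domains"] and not s["profile_hits"]:
            continue
        times = sorted(s["checkins"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        periodic = len(gaps) >= 2 and abs(med - EXPECTED_SLEEP) <= EXPECTED_SLEEP * JITTER
        verdict = "beacon" if s["domains"] or (s["profile_hits"] >= 3 and periodic) else "suspicious"
        results[src] = {"verdict": verdict, "c2_domains": sorted(s["domains"]),
                        "profile_hits": s["profile_hits"], "median_interval": med,
                        "periodic": periodic}
    return results


if __name__ == "__main__":
    for src, r in detect_beacons(SAMPLE_LOG).items():
        print(src, r["verdict"], r["c2_domains"], r["median_interval"])
```

URI and cookie fields are only available where TLS is terminated (an explicit proxy or TLS inspection). Where it is not, the periodicity logic still applies to firewall or NetFlow records of port 443 connections from one internal host, or from the router itself, to the listed addresses.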

Security teams are urged to audit all edge routers immediately for unauthorized firewall rules, especially NAT rules that redirect DNS (port 53) traffic to unfamiliar IP addresses, and to dump any ipset those rules reference.

All listed domains and IP addresses should be blocked at the perimeter firewall without delay. Linux-based network devices should be scanned for router.elf and client_rc_start, while Windows machines should be checked for the malicious version.dll and for any CrashReport.exe process running from the all-users profile folder (%ALLUSERSPROFILE%, normally C:\ProgramData) rather than from its expected installation path.

Longer term, organizations should enforce firmware integrity monitoring on network devices, restrict management access to dedicated management networks protected by multi-factor authentication, and alert on any change to firewall rules on routers and gateways.
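A file-system sweep implementing the host checks above, as an added example rather than the report's own tooling: it hashes every file and compares against the MD5 values from the IoC table, flags the router artefacts by name, and flags any version.dll sitting beside CrashReport.exe (or beside any other executable) outside the Windows system directories, where the genuine library lives. The demo tree it builds is constructed from placeholder bytes, not real samples, and the folder names in it are assumed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values and filenames from the article's IoC table (hashes lower-cased).
IOC_MD5 = {
    "6401cdc783b4afcbcc294954b4cc5dd2": "router.elf",
    "92ed4d259940d4294190e60add5cc587": "client_rc_start",
    "20c196fd5cf9a4845d048006321a52b8": "version.dll",
}
ROUTER_ARTEFACTS = {"router.elf", "client_rc_start"}
SIDELOAD_DLL = "version.dll"
SIDELOAD_HOST = "crashreport.exe"
SYSTEM_DIRS = {"system32", "syswow64"}   # the legitimate version.dll lives here


def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_lookup(digest):
    """Name of the IoC a hex MD5 belongs to, or None (case-insensitive)."""
    return IOC_MD5.get(digest.lower())


def scan_tree(root):
    """Walk a directory; return sorted (relative path, reasons) for suspicious files."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_system_dir = any(p.lower() in SYSTEM_DIRS for p in Path(dirpath).parts)
        names_lower = {f.lower() for f in files}
        for f in files:
            p = Path(dirpath) / f
            name = f.lower()
            reasons = []
            ioc = hash_lookup(md5_of(p))
            if ioc:
                reasons.append(f"MD5 matches IoC for {ioc}")
            if name in ROUTER_ARTEFACTS:
                reasons.append("filename matches router implant artefact")
            if name == SIDELOAD_DLL and not in_system_dir:
                if SIDELOAD_HOST in names_lower:
                    reasons.append("version.dll beside CrashReport.exe (sideload layout)")
                elif any(n.endswith(".exe") for n in names_lower):
                    reasons.append("version.dll beside another executable (possible sideload)")
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def demo():
    """Build a constructed tree of placeholder files (no real samples) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "ProgramData/CrashReport/CrashReport.exe": b"MZ placeholder host binary",
            "ProgramData/CrashReport/version.dll": b"MZ placeholder, not the real sample",
            "Program Files/App/App.exe": b"MZ placeholder",
            "Program Files/App/version.dll": b"MZ another placeholder",
            "Windows/System32/notepad.exe": b"MZ placeholder",
            "Windows/System32/version.dll": b"MZ legitimate-location placeholder",
            "tmp/router.elf": b"\x7fELF placeholder",
            "Users/docs/readme.txt": b"nothing to see",
        }
        for rel, data in layout.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

Hash matches are the strongest signal but the weakest net: a rebuilt payload changes every hash, while the sideload layout (a version.dll next to an executable in a user-writable folder) survives recompilation, which is why the sweep reports it on its own. Point `scan_tree` at %ALLUSERSPROFILE% and user profile folders on Windows hosts, and at writable paths such as /tmp and /var on Linux network devices.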

Indicators of Compromise (IoCs):

Type | Indicator | Description
File Name | router.elf | Primary Linux router RAT (custom implant)
MD5 Hash | 6401cdc783b4afcbcc294954b4cc5dd2 | router.elf MD5 hash
SHA-256 Hash | 6a43de021fa79dc3eb5f6ed509b605ef617f56af7de8b136698e5dd86c7775ae | router.elf SHA-256 hash
File Name | client_rc_start | Secondary router backdoor for redundant persistence
MD5 Hash | 92ed4d259940d4294190e60add5cc587 | client_rc_start MD5 hash
File Name | version.dll | Cobalt Strike Beacon DLL sideload payload
MD5 Hash | 20c196fd5cf9a4845d048006321a52b8 | version.dll MD5 hash
Domain | contextlayerrun[.]com | Router implant C2 domain
Domain | specialclouds[.]com | Cobalt Strike Beacon C2 domain
Domain | specialclouds[.]top | Cobalt Strike Beacon C2 domain
Domain | namefilecode[.]com | Cobalt Strike Beacon C2 domain
Domain | valuecode[.]top | Associated C2 domain
Domain | windowsweatherkb[.]top | Associated C2 domain
Domain | function[.]windowsoftmessages[.]com | Associated C2 domain
Domain | perfectgo[.]top | Associated C2 domain
Domain | safelyhome[.]top | Associated C2 domain
Domain | discovercoded[.]com | Associated C2 domain
IP Address | 8[.]211[.]130[.]16 | C2 server (port 443)
IP Address | 8[.]213[.]217[.]130 | Rogue DNS resolver, primary (port 8090)
IP Address | 47[.]81[.]37[.]109 | Rogue DNS resolver, failover (port 8090)
IP Address | 23[.]254[.]129[.]112 | Traffic redirection node (ipset target)
URI Pattern | /api/v1/get | C2 polling URI used by both implant and Beacon
URI Pattern | /api/v1/post | C2 exfiltration URI used by both implant and Beacon
ipset Name | evil_fix | Malicious ipset on compromised routers used for targeted traffic hijacking
Cookie Marker | UK= | GET request metadata cookie used in C2 profile
Cookie Marker | ZF= | POST request session cookie used in C2 profile

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
