Chinese Hackers Caught Exploiting the Most Popular Antivirus Software Products | Ron Benvenisti

A Chinese-aligned cyberespionage group, Moshen Dragon, has been observed infiltrating legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro.

Chinese threat actors usually focus on espionage activity,” SentinelOne’s Joey Chen said. “Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products.”

This is a “masterpiece of privately sold malware in Chinese espionage,” associated with several Chinese malicious actors.

A National Security Threat

The Chinese government-sponsored hacking group, Bronze Atlas (aka APT41, Barium, or Winnti), has been around since as early as 2017. Several other China-linked threat actors have increasingly joined up with their threat profiles along the way.

Secureworks said that Chinese nation-state groups operate in conjunction ​​with the Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA).

Moshen Dragon attacks commercial antivirus software from BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload malware known as ShadowPad and Talisman via compromised systems by means of a technique called DLL search order hijacking.

The hijacked DLL is dropped into the system by an executable program, that “self disappears” to decrypt and load the final payload that resides in the same folder as that of the antivirus executable. The threat is persistent by creating a running scheduled task or a service at the operating system services level.

Stealing Credentials and Private Information

Other tactics by the group include deploying otherwise known hacking tools and red team scripts to facilitate credential theft, lateral movement, and data exfiltration. The initial access vector remains unclear.

“Once the attackers have established a foothold in an organization, they proceed with lateral movement by within a network, placing a passive backdoor into the victim’s environment, harvesting as many credentials as possible to ensure unlimited access, and focusing on data exfiltration,” Chen said.

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 15,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.


  1. Now I understand what my friend meant when, upon using his anti virus software, he tried unsuccessfully to understand the results of his virus scan, and exclaimed in frustration, “It’s Chinese to me!”

  2. Our President could put an end to this.
    His son has many high level connections in China, and perhaps even knows the communist Chairman Chinkpink (a.k.a Eleven) personally.
    One phone call, or a gift of his latest grand artwork, could achieve serious results.

Comments are closed.