
Unknown Group Leverages Novel In-Memory Backdoor in Targeted Attacks Against Central Asia and China

Written by ThreatBook Research Team | 18 November 2025, 04:11 PM

Overview

In November 2025, the ThreatBook Research Team captured a cluster of cyber espionage activity operating within Kyrgyzstan and China, using complaint letter lures as a delivery mechanism. Our in-depth analysis of this incident yielded the following findings.

  • The current campaign has been active from early November 2025 to the present; historical activity can be traced back to at least before March 2025. Targets include entities within Kyrgyzstan and China. The threat actor behind this campaign is assessed to have a Chinese-speaking background.

  • The attack is delivered via spear-phishing emails. The payloads use MacroVBA or LNK-format documents to progressively decrypt and execute an embedded implant. The final stage is an in-memory backdoor named load_http_plasrv64.dll — a custom, lightweight backdoor. Correlation analysis also revealed the group's use of additional penetration tools including CobaltStrike and Meterpreter.

  • Through source analysis of related samples, IPs, and domains, the ThreatBook Research Team has extracted multiple IOCs that can be used for threat intelligence detection. ThreatBook TDP, TIP, Threat Intelligence Cloud API, Cloud Sandbox S, OneSandBox, OneDNS, OneSIG, and OneSEC all support detection and protection against this attack campaign.

Incident Analysis

During threat hunting, the ThreatBook Research Team discovered a malicious complaint letter concerning the inability to use MEGA SIM cards within Kazakhstan (Жалоба на услуги связи.doc). This attack sample was uploaded to VirusTotal from Kyrgyzstan on November 19, 2025. Based on the content described in the complaint letter and the geographic origin of the upload, we assess that this spear-phishing sample was targeted at entities within Kyrgyzstan.

By correlating the load_http_plasrv64 in-memory backdoor executed by this complaint letter, we identified two additional spear-phishing campaigns launched on November 10, 2025, targeting entities within China. These campaigns also used complaint letters as the delivery vehicle, with content describing issues related to water meter installations and water bill price increases at water treatment plants.

We performed pivot analysis on the C2 infrastructure used by this campaign's samples and found that all associated assets contain CobaltStrike or Metasploit Framework (MSF) implants commonly used by attackers. This threat actor's activity can be traced back to at least before March 2025.

Sample Analysis

The following is a brief analysis using "Жалоба на услуги связи.doc" as an example. Sample details are as follows.

Sample Hash:      b3f91970f6b25f0f24da2b4ca488e8a484847b0eb0e13ffde982f1740de5f19c
Sample Name:      Жалоба на услуги связи.doc
Sample Size:      223.15 KB
Sample Type:      Docx
Sample Timestamp: 2025-11-19 08:20:00 UTC
Description:      MacroVBA document; drops a trojan component for persistence. C2: 93.157.106.75:80

1. The decoy document opens as shown below.

2. Using oletools to extract and analyze the embedded VBA macro code: the macro decrypts and drops the trojan PE file to C:\Users\[username]\AppData\local\Microsoft\PlayReady\pdh.dll, then moves the print spooler binary plsrv.exe from the system directory to the trojan's working directory, forming a DLL side-loading execution chain. The AutoClose function sets plsrv.exe to auto-start via the registry, achieving persistence.

3. Further analysis of the dropped trojan pdh.dll — original filename load_http_plasrv64.dll, compiled on 2025-11-06 12:17:07. Upon execution, the trojan initializes the RC4 key "qio1239djk123sd.a;13," to decrypt and execute a built-in payload.

4. The payload further decrypts and executes an in-memory PE.

5. Further analysis of the in-memory backdoor reveals a compilation timestamp of 2025-11-06 12:17:02. Upon execution, the backdoor first decrypts the C2 address (93.157.106.75:80), then collects basic host information including hostname, username, host UUID, OS version, and network adapter details.

6. The backdoor performs its initial C2 check-in with a request that carries a timestamp parameter t. It XORs the static strings "rYB1oDHVMViTRnaGsFw1TbHJ1z1aZ" and "dsalsjd89w21dcx9cwad@" to derive an AES key, which it then sends to the C2 to complete the session key negotiation; all subsequent communication is encrypted with this negotiated key. After the key exchange, the backdoor transmits the collected host information to the C2.

7. The backdoor receives data from the C2 and uses the fourth byte as a command index to execute core remote control functions including: cmd shell, file read/write, directory listing, disk structure enumeration, and shellcode execution.

Correlation Analysis

Based on the C2 communication URL pattern observed in the samples above — http://[ipv4]:[port]/eg.js?t=[timestamp] — and the characteristics of the load_http_plasrv64.dll in-memory backdoor, we identified two additional sample clusters: "投诉重庆自来水厂翻倍涨价水费并强制要求安水表.rar" and "投诉成都自来水厂翻倍涨价水费并强制要求安水表1112.rar". Unlike the MacroVBA samples analyzed above, these two clusters use LNK files as the entry point to execute malicious scripts, which in turn load and execute the load_http_plasrv64.dll backdoor.
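The check-in URL shape given above, http://[ipv4]:[port]/eg.js?t=[timestamp], is unusual enough on its own (an IP-literal host, a fixed script name, a single timestamp parameter, plain HTTP) to be worth a proxy-log rule. The block below is an added example written for this post, not ThreatBook code: it classifies constructed Squid-style access log lines into three tiers, a hit on one of the two C2 endpoints named in this post, a full pattern match against any IP-literal host, and a weaker path-only match on a hostname. The log format, the client addresses, and the assumption that t is all digits are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# C2 endpoints named in the report (IP, port).
KNOWN_C2 = {("93.157.106.75", 80), ("81.70.28.71", 8000)}

# The report gives the URL shape http://[ipv4]:[port]/eg.js?t=[timestamp];
# treating t as a run of digits is an assumption for this example.
PATH_RE = re.compile(r"^/eg\.js$")
QUERY_RE = re.compile(r"^t=\d+$")

# Constructed Squid-style access log lines (not real traffic):
# <ts> <client> <status> <bytes> <method> <url>
SAMPLE_LOG = """\
1731916800.101 10.0.0.5 TCP_MISS/200 512 GET http://93.157.106.75:80/eg.js?t=1731916800
1731916805.220 10.0.0.7 TCP_MISS/200 2048 GET http://cdn.example.com/eg.js?t=1731916805
1731916810.330 10.0.0.5 TCP_MISS/200 2048 GET http://203.0.113.9:8080/eg.js?t=1731916810
1731916812.440 10.0.0.9 TCP_HIT/200 13000 GET http://www.example.org/static/app.js
1731916815.550 10.0.0.5 TCP_MISS/200 700 POST http://81.70.28.71:8000/eg.js?t=1731916815
"""


def classify_url(url):
    """Return a tier for the URL, or None when it does not fit the beacon shape.

    known_c2          : host:port is one of the endpoints named in the report
    ip_literal_beacon : full pattern match on some other IP-literal host
    path_only         : /eg.js?t=<digits> on a hostname (weaker signal)
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not PATH_RE.match(parts.path) or not QUERY_RE.match(parts.query):
        return None
    host = parts.hostname
    if host is None:
        return None
    port = parts.port or 80
    try:
        ip_address(host)          # rejects hostnames and malformed literals
    except ValueError:
        return "path_only"
    if (host, port) in KNOWN_C2:
        return "known_c2"
    return "ip_literal_beacon"


def scan_access_log(text):
    """Parse log lines and return the entries that match any tier, in order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue                # malformed line; skip rather than crash
        tier = classify_url(fields[5])
        if tier:
            hits.append({"ts": fields[0], "client": fields[1],
                         "method": fields[4], "url": fields[5], "tier": tier})
    return hits


def suspicious_clients(hits):
    """Clients with at least one high-confidence hit (known C2 or IP-literal beacon)."""
    return {h["client"] for h in hits if h["tier"] in ("known_c2", "ip_literal_beacon")}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['tier']:18s} {h['client']:10s} {h['method']:5s} {h['url']}")
    print("clients to triage:", sorted(suspicious_clients(found)))
```

Because the session key is negotiated in plaintext on the first request (see the C2 discussion below), a full capture of a flagged client's first exchange with the endpoint is worth preserving for the responders: the traffic of that session may be recoverable in a way that later TLS-wrapped implants would not be.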

Using the Machine ID metadata leaked by the LNK files for further pivot analysis, we identified multiple additional attack samples targeting entities in China, Thailand, the Philippines, and Vietnam. The payloads in these correlated samples include Python backdoors and CobaltStrike variants. However, since these correlated samples do not use the custom load_http_plasrv64 backdoor and are linked solely via the Machine ID metadata, there is a risk of misattribution if relying on this pivot alone.

The load_http_plasrv64 backdoor communicates with two C2 addresses: 93.157.106.75:80 and 81.70.28.71:8000, both using HTTP. The AES session key negotiation is performed in plaintext immediately upon first connection. 81.70.28.71 is geolocated to Beijing, China, and is hosting a SoftEther VPN service.

Analysis of 81.70.28.71 found that internet scanning systems recorded a TLS certificate issued by DigiCert Inc for *.automall365.com on port 8008.

This SSL certificate has multiple associated assets.

After deduplication, there are 5 IP assets in total, geolocated across China, Japan, and Singapore.

These pivot assets all have associated CobaltStrike or MSF samples that communicate with them in the ThreatBook sandbox. The CobaltStrike samples communicating with 166.88.100.85 and 166.88.14.137 are shown below.

The MSF samples communicating with 3.1.16.19 and 54.169.93.143 are shown below.

Based on the sample analysis and correlation pivot analysis above, and considering that the majority of samples originate from within China and that many of the Chinese-language attack documents are of high production quality, we assess that the threat actor behind this campaign has a Chinese-speaking background.

IOCs

IP Addresses

SHA256 Hashes

  • b3f91970f6b25f0f24da2b4ca488e8a484847b0eb0e13ffde982f1740de5f19c
  • ab7b898cde74357aecea392fa5770c830f067f45de71eaf108f449e4e424b8dc
  • ccaebf464ef20eaf894e0303f44be0a7bd07f38b08ff921d5ad058edd859a56f
  • 4cf70efc5375c7b905f48081771eda18094e89e8727a5a9613f75023faf30220
  • 26a9da37fdb1f876d0d9575113f646ecc3ea107c125e8699851f750764d825e9
  • 01f28cefdcf3940c19efd7a0446aa0e56c56bc7c955774c94d6d469fca627a4e
  • 3c9e76eee8c813e2de16640504118550b18b21e4f951df47ef8914bb5b7a031b
  • 1039ef72c27b0a92263cd9837ba3d47abe876dabdea64ac07cfdcb663be8e312
  • a3f223350e03fb7ae6ac4ddf170a94d40da0a525375b764d361a033af5ea15e8
  • 6cf15e8b1c67f637090820df7a9c32e20f721f3b5e0d1102e70f8ec0cb52405a
  • 1e856924393f416e436dfe4d13f443be3562b891ffc7b8852811e0357cee891d
  • 3929147791d80f27d4f4ffebda040c9999cf255d77f5cd60bd9d1bf86263c5c6
  • 5c9a3b063cccdcd4c7d18759b40eb7f0783c55979c26d24c797b609abcf8a0c9
  • c8a99e610d4eb075a68a2172318d3e030e1fbe08a5b1792f0727f4c37425f65d