Vietnam.vn - Platform for promoting Vietnam

New SalmonSlalom Attack Targeting Industrial Organizations Discovered

Báo Thanh niên, 20/03/2025


Attackers use legitimate cloud services to manage malware and deploy complex, multi-stage attacks to bypass intrusion detection systems. This allows them to spread malware on victims’ networks, install remote control tools, take control of devices, and steal and delete confidential information.

Kaspersky ICS CERT detects SalmonSlalom attack targeting APAC industrial organizations - Photo 1.

Kaspersky detects new SalmonSlalom attack targeting industrial organizations in the Asia-Pacific region

The campaign targeted government agencies and heavy industry organizations in multiple countries and territories in the Asia-Pacific (APAC) region, including Taiwan, Malaysia, China, Japan, Thailand, Hong Kong, South Korea, Singapore, the Philippines, and Vietnam. Hackers used a compressed file containing the malware, disguised as a tax-related document, and spread it through phishing campaigns over email and messaging apps such as WeChat and Telegram. After a complex, multi-layered malware installation process on the system, the cybercriminals installed a backdoor called FatalRAT.

While the campaign shares some similarities with previous attacks using open-source remote access trojans (RATs) such as Gh0st RAT, SimayRAT, Zegost, and FatalRAT, experts have noticed a significant shift in tactics, techniques, and modus operandi, all of which have been tailored to target Chinese-speaking organizations and agencies.

The attack was carried out through the myqcloud content delivery network (CDN) and the Youdao Cloud Notes storage service, two legitimate cloud computing platforms in China. To avoid detection and blocking, the hackers used several techniques: constantly changing the control server and malware payload to reduce the possibility of being traced; storing malware on legitimate websites to bypass security systems; exploiting vulnerabilities in legitimate software to deploy the attack; taking advantage of legitimate software functions to launch the malware; and encrypting files and network traffic to hide abnormal activity.

Kaspersky dubbed the campaign SalmonSlalom to describe how the cybercriminals skillfully evaded network defenses with sophisticated tactics and constantly changing methods, much like salmon making a fast, arduous journey that requires endurance and ingenuity to overcome obstacles.

“Cybercriminals use relatively simple techniques to achieve their goals, even in operational technology (OT) environments,” said Evgeny Goncharov, Head of Kaspersky ICS CERT. “This campaign is a warning to heavy industry organizations in the APAC region that malicious actors are capable of remotely penetrating OT systems. Organizations need to raise awareness of these threats, strengthen their defenses, and proactively respond to protect assets and data from cyberattacks.”



Source: https://thanhnien.vn/phat-hien-cuoc-tan-cong-moi-salmonslalom-nham-vao-cac-to-chuc-cong-nghiep-185250320140416728.htm
