
Chinese Hackers Launch Sophisticated FatalRAT Attack on Industrial Organizations


A recent investigation by Kaspersky ICS CERT has uncovered a sophisticated cyberattack targeting industrial organizations across the Asia-Pacific (APAC) region.

The attack, attributed to Chinese-speaking threat actors, employs the FatalRAT malware, a backdoor delivered through an elaborate, multi-stage infection chain.

The campaign leverages legitimate Chinese cloud services such as myqcloud and Youdao Cloud Notes to host and distribute malicious payloads, making detection and attribution particularly challenging.

The attack begins with phishing campaigns targeting government agencies and industrial enterprises in countries including Taiwan, Malaysia, China, Japan, Thailand, South Korea, and others.

Infection Chain

Malicious zip archives disguised as invoices or tax-related files are distributed via email, WeChat, and Telegram.

These archives contain the first-stage loader of FatalRAT, packed with protectors such as AsProtect and UPX to evade detection.

Once executed, the first-stage loader downloads additional components from Youdao Cloud Notes.

These include configurators (Before.dll) and second-stage loaders (Fangao.dll), which dynamically update their command-and-control (C2) server addresses to maintain operational stealth.

The malware also uses DLL sideloading techniques to execute malicious code within legitimate processes, further complicating detection.

Figure: Contents of user.bat

Advanced Payload Delivery

The final payload, FatalRAT, is deployed after multiple stages of decryption and execution.

According to the Kaspersky ICS CERT report, this malware exhibits advanced capabilities such as keylogging, system reconnaissance, data exfiltration, and remote command execution.

It also includes mechanisms to evade virtual machine environments and sandbox analysis, performing more than 17 system checks before activating.

Notably, FatalRAT can manipulate system settings, disable workstation locking features, and even corrupt the Master Boot Record (MBR) under specific commands.

Targeted Industries

The attackers have primarily targeted industrial sectors such as manufacturing, telecommunications, healthcare, energy, and logistics.

Many of the compromised systems were identified as engineering workstations or automation control systems critical to operational technology (OT).

While no definitive attribution has been made to a known group, the use of Chinese-language tools and services strongly suggests a Chinese-speaking actor is behind the campaign.

This attack underscores the growing sophistication of cyber threats targeting industrial control systems (ICS).

By exploiting legitimate cloud services and employing multi-layered evasion techniques, the attackers have demonstrated their ability to bypass traditional security measures.

Organizations in the APAC region are urged to enhance their cybersecurity defenses by deploying updated security solutions, implementing multi-factor authentication, and conducting regular employee training on phishing awareness.

As cyberattacks on critical infrastructure continue to rise globally, this incident serves as a stark reminder of the importance of proactive measures to safeguard industrial systems from advanced persistent threats like FatalRAT.
