Operation Crimson Palace Expands Targets, as Sophos Tracks the Chinese Cyber Threats

Sophos, a global cybersecurity firm, has released a report detailing a nearly two-year-long Chinese cyberespionage campaign in Southeast Asia. The operation, named “Crimson Palace,” was first identified by Sophos X-Ops in June and involves three clusters of Chinese state-sponsored activity—Cluster Alpha, Bravo, and Charlie—targeting a high-profile government organization.

After a pause in August 2023, Sophos X-Ops observed renewed cyber activity from Cluster Bravo and Cluster Charlie, which had expanded to include more organizations in the region. During this investigation, a new keylogger named “Tattletale” was discovered, designed to impersonate users and collect sensitive information like passwords and security settings.

Cluster Charlie has shifted from using custom malware to open-source tools, a move reflecting the attackers’ adaptability, according to Paul Jaramillo, Director of Threat Intelligence at Sophos. “We’ve been in a chess match with these adversaries, and their switch to open-source tools shows how quickly they can pivot to remain persistent,” Jaramillo said.

Originally active from March to August 2023, Cluster Charlie re-emerged in September and continued its activities into 2024, targeting deeper network penetration and intelligence gathering. Cluster Bravo, which had only been active for three weeks in early 2023, also resumed in 2024, attacking at least 11 additional organizations.

Sophos warns that the campaign is expanding, with the potential to reach new targets in the region. “We will continue to monitor this evolving operation closely,” Jaramillo added.

Journalist/PR practitioner who seeks to tell African stories in an African way. Be it politics, sports, business, or current news, the story will be told. Twitter @kmajangah
