Threat Actor Blackwood Using NSPX30 Malware In Cyberespionage Campaigns

The elusive threat actor 'Blackwood' is employing the advanced NSPX30 malware in cyberespionage campaigns targeting entities in China, Japan, and the United Kingdom. Active since at least 2018, Blackwood uses the NSPX30 implant, a sophisticated piece of malware whose lineage traces back to a 2005 backdoor. Researchers at the cybersecurity firm ESET uncovered Blackwood and NSPX30 while investigating a 2020 campaign and link the group's activities to Chinese state interests. Blackwood conceals its malicious activity by delivering the implant through the update mechanisms of legitimate software such as WPS Office, Tencent QQ, and Sogou Pinyin. Using adversary-in-the-middle (AitM) attacks, the threat actor also intercepts traffic generated by NSPX30, which hides the location of its command and control (C2) servers. ESET suggests that Blackwood may share access with other Chinese APT groups, since its observed toolkit overlaps with those of multiple actors, including Evasive Panda, LuoYu, and LittleBear.