According to an ESET report published on January 24, 2024, a China-linked threat actor, dubbed "Blackwood," has been using a backdoor in an espionage campaign targeting individuals in Japan, China, and the United Kingdom, as well as a China-based subsidiary of a Japanese manufacturing company.
ESET's research suggests that the backdoor, originally named "DCM" by its developers, has been under development since 2005 and may be related to a trojan, described in a 2011 SANS white paper, that was delivered to a high-profile individual in Hong Kong via spear-phishing.
The primary attack vector appears to be network compromise, potentially through a man-in-the-middle position. The attacker may obtain an initial foothold on the target's network by compromising network appliances, a tactic historically associated with various China-linked actors and recently observed in operations attributed to Volt Typhoon. ESET hypothesizes that HTTP traffic used to fetch legitimate updates for Chinese software such as Tencent QQ, Sogou Pinyin, and WPS Office is intercepted and poisoned with malicious shellcode, which then loads the backdoor. The delivery mechanism, however, has not been definitively established.