French version: 🇫🇷


This technical document aims at warning about a cyber threat targeting service providers and design offices, as well as their clients. Attackers are compromising these enterprise networks in order to access data and eventually the networks of their clients.

Information provided in this report is based on ANSSI’s investigations following incident response activities.

At this point, analysis suggests two waves of attacks separated in time and without technical evidence of a link between them. The first wave uses mainly the PlugX malware. The second wave relies on legitimate tools and credentials theft.

This document focuses on the second and most recent wave and the intrusion set involved in it: initial compromise, privilege escalation, tools and malwares, lateral movement and operational objectives.

It also presents best practices for service providers, design offices and their clients, in order to prevent as much as possible these incidents.