active threat profile
type: nation-state
threat_level: critical
status: active
origin: China — PLA Unit 78020
last_updated: 2025-03-27

Naikon

also known as: Override Panda, PLA Unit 78020, G0019

One of the first PLA units to have a specific officer publicly identified and named by researchers. ThreatConnect and Defense Group Inc.'s 2015 Project CameraShy report traced Naikon's C2 infrastructure to PLA officer Ge Xing in Kunming — using social media cross-referencing, pattern-of-life analysis, and Chinese language research to connect hundreds of infrastructure indicators to a named individual in a military compound. Active since at least 2010, Naikon conducts high-tempo South China Sea intelligence collection against the governments, military forces, and diplomatic services of all nations with territorial claims in the region — and has continued evolving its toolset through documented campaigns as recently as 2022 and 2023.

attributed origin: China — Kunming, Yunnan Province
suspected sponsor: PLA Chengdu Military Region Second Technical Reconnaissance Bureau (Unit 78020)
first observed: 2010 (publicly disclosed 2015)
primary motivation: Geopolitical and military intelligence — South China Sea territorial disputes and ASEAN regional dynamics
primary targets: Southeast Asian governments, military organizations, foreign affairs ministries, ASEAN, UNDP
known campaigns: 5+ confirmed
mitre att&ck group: G0019
target regions: Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, Philippines, Singapore, Thailand, Vietnam, Australia; Central and South Asia (2022–2023)
threat level: CRITICAL

Overview

Naikon was first documented by Kaspersky Lab in May 2015, which described five years of high-volume, geopolitically motivated attacks against top-level government agencies in countries bordering the South China Sea. The group's primary mandate is intelligence collection in support of China's increasingly assertive territorial claims in the region — a body of water through which trillions of dollars in global trade pass annually, and which sits at the center of competing claims between China, the Philippines, Vietnam, Malaysia, Brunei, and Taiwan.

The September 2015 Project CameraShy report by ThreatConnect and Defense Group Inc. elevated Naikon's public profile by achieving something rare in threat intelligence: naming an individual. Through application of the Diamond Model for Intrusion Analysis, the researchers traced C2 infrastructure to the domain greensky27.vicp.net, then cross-referenced the GreenSky27 handle across Chinese social media platforms, identifying Ge Xing — a PLA officer in Kunming whose pattern-of-life activities matched the infrastructure's operational patterns across eight separate cases spanning five years. When a Wall Street Journal reporter reached Ge Xing by phone, he confirmed several of the report's details before hanging up and threatening to report the journalist to police. The infrastructure was taken offline shortly afterward.

Following the 2015 disclosures, Naikon appeared to go quiet — but had in fact continued operating covertly. Check Point's May 2020 report revealed a five-year undisrupted campaign using a new backdoor, Aria-Body, against APAC government networks. Bitdefender subsequently documented a June 2019 to March 2021 campaign targeting Southeast Asian military organizations using Aria-Body, Nebulae, and RainyDay — demonstrating continuous capability development despite public exposure. Cisco Talos further identified an ongoing campaign from 2022 targeting telecommunications and manufacturing sectors in Central and South Asia using a new PlugX variant, extending Naikon's geographic and sectoral reach beyond its traditional Southeast Asian focus.

attribution note

Project CameraShy represents one of the most methodologically detailed public attributions of a Chinese military unit to a specific cyber espionage campaign. Naikon's continued operation following the disclosure — with only a temporary infrastructure pause — illustrates that public naming of PLA officers has not served as a significant operational deterrent for the group.

Target Profile

Naikon's targeting is geographically and sectorally specific, driven directly by China's strategic interests in the South China Sea and surrounding region.

  • Southeast Asian governments: All ten ASEAN member nations targeted, with primary concentration on those with active South China Sea territorial disputes with China — the Philippines, Vietnam, Malaysia, and Brunei — and key regional swing states including Indonesia, Thailand, and Myanmar. Ministries of foreign affairs, science and technology, and defense are primary targets within each country.
  • Military organizations: The June 2019–March 2021 Bitdefender campaign specifically targeted military organizations across Southeast Asia. Military intelligence, operational planning data, and personnel information constitute the highest-value collection targets consistent with Unit 78020's mandate.
  • Diplomatic infrastructure: Foreign affairs ministries and diplomatic communications targeted across the region. The 2013 Permanent Court of Arbitration case between China and the Philippines was a documented collection priority — intelligence on the Philippine legal strategy constituting direct state interest.
  • ASEAN and international organizations: The Association of Southeast Asian Nations and the UN Development Programme were documented targets — giving Naikon insight into multilateral regional deliberations that Beijing seeks to shape.
  • Government-owned companies: State-owned enterprises in target countries targeted for economic intelligence alongside military and diplomatic sectors.
  • Telecommunications and manufacturing (expanding): Cisco Talos's 2022–2023 campaign documentation shows Naikon targeting telecommunications and manufacturing sectors in Kazakhstan and neighboring Central and South Asian countries — a geographic expansion consistent with broader Belt and Road intelligence requirements.

Tactics, Techniques & Procedures

Documented TTPs from Kaspersky (2015), ThreatConnect/DGI (2015), Check Point (2020), Bitdefender (2021), and Cisco Talos (2022–2023) reporting.

mitre id | technique | description
T1566.001 | Spearphishing Attachment | Primary initial access vector across all documented campaigns. Malicious Office documents exploiting CVE-2012-0158 sent as targeted attachments. Lures are tailored to each target's professional context — gas and energy themes, diplomatic and regional affairs content matching each target country's current political priorities.
T1574.002 | DLL Side-Loading | Naikon's most consistent and durable evasion technique across all documented campaign periods. Legitimate signed executables are paired with malicious DLL files — including McAfee VirusScan components, Sandboxie, Microsoft Outlook Item Finder, and Quick Heal products. Malicious code executes under a trusted process name, bypassing application allowlisting and reducing alert fidelity.
T1090.003 | Proxy — Multi-hop Proxy | Unit 78020 used an array of global midpoint infrastructure to proxy C2 communications, creating multiple network hops between operator and victim to complicate attribution. This midpoint infrastructure strategy was documented extensively in Project CameraShy and remained consistent across later campaign periods.
T1567.002 | Exfiltration to Cloud Storage | Sbiedll.dll — an exfiltration tool deployed in the 2019–2021 military campaign — automatically collected recently changed files with specific extensions and uploaded them to Dropbox, masquerading as a Chrome process. Cloud storage exfiltration blends with legitimate employee usage and bypasses controls focused on known malicious destinations.
T1003.001 | OS Credential Dumping — LSASS Memory | Password dump tools deployed via RainyDay backdoor post-compromise. Admin domain credentials subsequently used for lateral movement via WMIC.exe and schtasks.exe. Credential theft enabling domain-level lateral movement was confirmed in the 2019–2021 military campaign as the primary network traversal mechanism.
T1021.006 | Remote Services — WMI | WMIC.exe and schtasks.exe used with stolen admin domain credentials for lateral movement across compromised military networks. Use of built-in Windows management tools rather than external frameworks reduces detection likelihood in environments without robust LOLBin behavioral monitoring.
T1036.005 | Masquerading — Match Legitimate Name | Nebulae backdoor masquerades as legitimate Windows applications on compromised hosts. Sbiedll.dll masquerades as Chrome during Dropbox exfiltration. Consistent name-matching masquerading across multiple tool families confirms a deliberate operational security practice maintained across the group's toolset generations.
T1547.001 | Boot or Logon Autostart — Registry Run Keys | Persistence typically installed manually by operators rather than automatically by malware — reducing automated detection of persistence artifacts. RainyDay mimicked legitimate applications for persistence; Nebulae served as a redundant backup persistence mechanism in case primary access was detected and removed.
T1560.001 | Archive Collected Data | Sbiedll.dll selectively collects recently changed files with specific extensions before exfiltration — indicating targeted collection against high-value document types rather than wholesale filesystem copying. Files are staged and compressed before upload to Dropbox C2.

Known Campaigns

Confirmed or highly attributed operations linked to Naikon across its documented operational history.

South China Sea Espionage — Initial Campaign 2010–2015

Naikon's founding documented campaign, publicly disclosed by Kaspersky Lab in May 2015 after five years of continuous activity. Targeted top-level government agencies in Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, Philippines, Singapore, Thailand, Vietnam, ASEAN, and the UNDP. Spearphishing with CVE-2012-0158 exploits used for initial access. The 2013 Philippines-China Permanent Court of Arbitration case was a confirmed collection priority. ThreatConnect's Project CameraShy subsequently attributed the infrastructure to PLA Unit 78020 and named officer Ge Xing (alias GreenSky27) via pattern-of-life analysis across eight corroborating data points over five years. The Wall Street Journal contacted Ge Xing, who confirmed details before hanging up. Infrastructure was taken offline within hours of publication.

Aria-Body APAC Government Campaign 2017–2020

Documented by Check Point in May 2020 after Naikon appeared to go silent post-2015. The group had in fact spent five years developing the Aria-Body backdoor — a fileless in-memory loader with constantly changing variants and new server infrastructure. The campaign accelerated in 2019 and Q1 2020, targeting government ministries of foreign affairs, science and technology, and government-owned companies in Australia, Indonesia, Philippines, Vietnam, Thailand, Myanmar, and Brunei. Check Point discovered the campaign after Naikon attempted to compromise a customer by impersonating a foreign government entity in a spearphishing lure.

Southeast Asian Military Organizations — Nebulae and RainyDay 2019–2021

Bitdefender's April 2021 report documented a campaign targeting military organizations in Southeast Asia. Initial access via Aria-Body and Nebulae backdoor, with RainyDay introduced in September 2020 as the primary post-compromise tool. RainyDay provided full post-exploitation: reconnaissance, reverse proxy deployment, password dumping, lateral movement, and persistence. Sbiedll.dll collected targeted files and uploaded them to Dropbox, masquerading as Chrome. Nebulae served as a redundant backup persistence mechanism. Attribution confirmed via C2 addresses matching Naikon's Aria-Body infrastructure from prior campaigns.

Telecom and Manufacturing — PlugX Variant Campaign 2022–2023

Cisco Talos documented an ongoing campaign active since 2022 targeting telecommunications and manufacturing sectors in Central and South Asia, including Kazakhstan. A new PlugX variant was deployed, sharing the same DLL sideloading technique, identical XOR-RC4-RtlDecompressBuffer decryption algorithm, and matching RC4 keys as RainyDay — confirming shared developer infrastructure. Talos also identified significant overlaps with BackdoorDiplomacy's Turian backdoor, raising the possibility of shared infrastructure or developer resources between the two groups, consistent with known Chinese APT tool-sharing practices.

Tools & Malware

Naikon's toolset has evolved continuously, with each major campaign period introducing new or updated tools while maintaining consistent DLL sideloading tradecraft.

  • Aria-Body: Custom backdoor loader used as the primary initial compromise tool in the 2017–2020 APAC campaign and early stages of the 2019–2021 military campaign. Operates in-memory (fileless) to evade disk-based detection. Uses DLL sideloading for execution. Variants change frequently to defeat signature detection. Provides the initial beachhead from which additional tools are deployed.
  • RainyDay (also linked as FoundCore): Primary post-compromise backdoor introduced in September 2020. Provides comprehensive attacker capability: reconnaissance, reverse proxy deployment, network scanning, password dumping, lateral movement, and persistence. Executes entirely via DLL sideloading against vulnerable legitimate applications including McAfee and security software components.
  • Nebulae: Secondary backdoor deployed as a redundant persistence mechanism alongside primary tools. Designed to maintain access if primary implants are detected. Capabilities include drive information harvesting, file manipulation, process management, and C2 communication. Masquerades as legitimate Windows applications on host systems.
  • PlugX variant (2022–2023): A new PlugX variant deployed in the Central and South Asia telecom campaign. Shares DLL sideloading execution technique, identical encryption algorithms, and RC4 keys with RainyDay — confirming shared developer infrastructure. Also exhibits overlaps with BackdoorDiplomacy's Turian backdoor.
  • Sbiedll.dll (exfiltration tool): Custom exfiltration tool that automatically identifies recently changed files with specified extensions and uploads them to Dropbox while masquerading as Chrome. Selective collection by file modification date and extension indicates targeted intelligence gathering rather than bulk exfiltration.
  • Early custom backdoor (2010–2015): Full-featured backdoor used in the founding South China Sea campaign, embedded in CVE-2012-0158 malicious Office document attachments. C2 proxied through global midpoint infrastructure.

Indicators of Compromise

Behavioral indicators from documented Naikon campaigns. Specific infrastructure IOCs are available in the Kaspersky (2015), Check Point (2020), Bitdefender (2021), and Cisco Talos (2022–2023) reports linked in sources.

warning

Naikon takes down infrastructure rapidly following public disclosure — as demonstrated within hours of Project CameraShy's publication. Historical IP and domain IOCs should be treated as burned. The behavioral indicators below — particularly DLL sideloading patterns and Dropbox exfiltration masquerading as Chrome — are more durable detection signals that persist across tool generations.

behavioral indicators of compromise
process | Legitimate signed executable (McAfee, Sandboxie, Outlook Item Finder, Quick Heal) loading an unexpected DLL from the same directory — DLL sideloading execution chain
file | rdmin.src present alongside legitimate vulnerable executable and DLL file — consistent RainyDay deployment artifact across all documented variants
network | Process named chrome.exe or masquerading as Chrome making outbound connections to Dropbox API endpoints — sbiedll.dll exfiltration masquerade pattern
lateral | WMIC.exe and schtasks.exe executed with domain admin credentials from non-administrative workstations — lateral movement via stolen credentials post-compromise
crypto | XOR-RC4-RtlDecompressBuffer decryption algorithm with consistent RC4 keys — present in RainyDay, 2022 PlugX variant, and BackdoorDiplomacy's Turian (shared developer indicator)
network | Multi-hop proxy C2 traffic — connections routed through multiple international midpoint servers before reaching operator infrastructure, consistent with Unit 78020 attribution obfuscation methodology

Mitigation & Defense

Recommended defensive measures for organizations in Naikon's target profile — primarily Southeast and Central Asian government, military, foreign affairs, and telecommunications organizations.

  • Harden DLL search order and implement application allowlisting: DLL sideloading against legitimate signed executables is Naikon's most consistent and durable technique across all campaign periods. Implementing allowlisting that restricts which DLLs specific processes can load — and monitoring for DLL loads from unexpected directories — directly targets this core tradecraft. Windows Defender Application Control (WDAC) policies can enforce DLL load restrictions.
  • Patch Office vulnerabilities aggressively: CVE-2012-0158 was the documented initial access vector in early campaigns. Confirm that Office installations are fully patched and legacy versions are not present on any networked endpoint. Disable macros by default for externally received documents and enforce Protected View for email attachments.
  • Monitor and restrict cloud storage exfiltration: Sbiedll.dll uploads to Dropbox while masquerading as Chrome. Implement data loss prevention rules alerting on large outbound transfers to cloud storage services from processes not expected to use those services. Network proxies should enforce application identification rather than relying on process names for cloud storage access decisions.
  • Alert on WMIC and schtasks lateral movement: WMIC.exe and schtasks.exe used with domain admin credentials from unexpected source hosts are a reliable post-compromise lateral movement indicator. Baseline normal administrative tool usage and alert on execution from workstations not designated for administration, particularly with domain admin credentials.
  • Hunt for redundant persistence: Naikon deploys Nebulae as a backup persistence mechanism specifically to survive primary implant removal. Persistence hunting must cover all Run keys, scheduled tasks, and service installations simultaneously rather than addressing only the identified primary implant — incomplete remediation leaves the organization re-compromised.
  • Segment cloud storage access: Block Dropbox and similar cloud storage access from servers, military network segments, and classified systems entirely. Restrict access to designated endpoints where required by business function, preventing sbiedll.dll-style cloud exfiltration from sensitive network zones.
  • Correlate Naikon and BackdoorDiplomacy indicators: Cisco Talos identified matching encryption algorithms and RC4 keys between Naikon's 2022 PlugX variant and BackdoorDiplomacy's Turian backdoor. Organizations detecting indicators of either group should investigate for potential presence of the other, and hunt for the shared decryption routine as a cross-group detection signal.
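Detection logic for the three durable behavioral indicators this profile singles out (DLL sideloading by a signed host executable, a "chrome.exe" outside the Chrome install directory talking to Dropbox, and WMIC/schtasks run with domain admin credentials from a non-admin workstation), written as an added Python example that is not part of this profile or any vendor report. It assumes Sysmon-style event dicts (EventID 7, 3 and 1 with their standard field names); the privileged account, admin workstation name and sample events are constructed.

```python
from pathlib import PureWindowsPath

# Reference data an org would supply from AD and asset inventory (constructed here).
PRIVILEGED_ACCOUNTS = {"corp\\da-ops"}          # domain-admin accounts
ADMIN_WORKSTATIONS = {"PAW01"}                  # hosts designated for administration
LOLBINS = {"wmic.exe", "schtasks.exe"}
CHROME_DIRS = (r"c:\program files\google\chrome\application",
               r"c:\program files (x86)\google\chrome\application")
CLOUD_SUFFIXES = ("dropbox.com", "dropboxapi.com")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _norm(p):
    return str(PureWindowsPath(p)).lower()

def detect_sideload(ev):
    """Sysmon 7: a signed host exe loads an unsigned DLL from its own directory."""
    if ev.get("EventID") != 7 or ev.get("Signed") != "false":
        return None
    img, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if _norm(dll.parent) == _norm(img.parent) and not _norm(dll).startswith(SYSTEM_DIRS):
        return f"sideload: {img.name} loaded unsigned {dll.name} from {dll.parent}"
    return None

def detect_chrome_masquerade(ev):
    """Sysmon 3: 'chrome.exe' outside the Chrome install dir talking to Dropbox."""
    if ev.get("EventID") != 3:
        return None
    img, host = PureWindowsPath(ev["Image"]), ev.get("DestinationHostname", "").lower()
    if (img.name.lower() == "chrome.exe" and host.endswith(CLOUD_SUFFIXES)
            and not _norm(img.parent).startswith(CHROME_DIRS)):
        return f"masquerade: {ev['Image']} -> {host}"
    return None

def detect_lateral(ev):
    """Sysmon 1: WMIC/schtasks run by a privileged account on a non-admin host."""
    if ev.get("EventID") != 1:
        return None
    exe = PureWindowsPath(ev["Image"]).name.lower()
    if (exe in LOLBINS and ev.get("User", "").lower() in PRIVILEGED_ACCOUNTS
            and ev.get("Computer", "").upper() not in ADMIN_WORKSTATIONS):
        return f"lateral: {exe} as {ev['User']} on {ev['Computer']}"
    return None

RULES = (detect_sideload, detect_chrome_masquerade, detect_lateral)

def scan(events):
    """Run every rule over event dicts and return the alert strings raised."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]

SAMPLE_EVENTS = [  # constructed events, not from any real incident
    {"EventID": 7, "Image": r"C:\ProgramData\Upd\scan.exe",
     "ImageLoaded": r"C:\ProgramData\Upd\helper.dll", "Signed": "false"},
    {"EventID": 3, "Image": r"C:\ProgramData\Upd\chrome.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "User": "CORP\\da-ops", "Computer": "WS-FIN-22"},
]
```

The sideload rule will also fire on legitimate software that ships unsigned plugins beside a signed host binary, so tune it with an allowlist of known DLL hashes rather than by loosening the same-directory check.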

note

Naikon's pattern of going apparently silent after public exposure — then re-emerging years later with new tools and infrastructure — means absence of evidence is not evidence of absence. Organizations that were targeted in pre-2015 campaigns should assume potential long-term persistent access and conduct thorough historical threat hunting even if no current indicators are present.

Sources & Further Reading

Attribution and references used to build this profile.
