A cyber-espionage campaign is targeting telecom companies around the world, using malicious downloads in an effort to steal sensitive data, including information about 5G technology, from compromised victims.

Andrea Rossini is one of the researchers who discovered the campaign, which targets telecommunications providers in Southeast Asia, Europe and the United States.

The operation was named Operation Diànxùn. The researchers think the attacks could be the work of a hacking group working from outside of China.

Researchers have connected Operation Diànxùn to previous hacking operations carried out by Chinese groups, because the tactics, techniques and procedures (TTPs) used to deploy the malware are similar.

The group, also known as Mustang Panda and RedDelta, has a long history of running hacking campaigns against organizations all around the world, and now appears to be focused on compromising telecom providers.

23 telecommunications providers may have been targeted as part of the campaign, which has been active since August 2020, but it has not been disclosed how many of these targets were successfully compromised.

The initial means of infection has not been identified yet, but we know that victims are directed to a malicious phishing domain under the control of the attackers, which is used to deliver malware to them.

This malicious web page pretends to be a Huawei careers site, and it looks exactly like the real thing.

When a user visits the fake website, they are served a malicious Flash application. Through this application the attackers drop the Cobalt Strike backdoor onto the visiting machine, gaining visibility into it and the ability to collect and steal sensitive information. The attacks appear to be aimed specifically at victims with 5G knowledge, in order to steal sensitive or secret information, and the campaign seems to be still actively attempting to compromise targets in the telecom sector.

We believe the campaign is still ongoing. We spotted new activity last week with the same TTPs, meaning the actor and the campaign are still running.

One of the most important ways to stay safe is to train staff so they can recognize when they are being directed to a fake or malicious website.

Alongside a cyber-educated staff, you should make sure you have a robust and scalable cybersecurity strategy that helps your company protect its networks from cyberattacks.
