Chinese Spyder Loader Malware

Operation CuckooBees is still active and has been detected by Symantec recently. While this time it has been found that the operators of CuckooBees, APT41 (aka Winnti, Barium, Bronze Atlas, and Wicked Panda) are targeting Hong Kong-based companies and organizations.

Cyberespionage group APT41 is active since 2007, and it’s one of the most active and oldest groups on the Internet. On the other hand, since at least 2019, Operation CuckooBees has been operating under the radar in a highly classified manner.

Multiple attacks have been conducted by threat actors in order to steal intellectual property and other sensitive information from the victims’ computers.


In this ongoing campaign, threat actors targeted government organizations. On some of the networks, the attackers remained active for more than a year, showing how persistent the attackers are.

Operation CuckooBees

The operators APT41 have used Spyder Loader (Trojan.Spyload) malware in Operation CuckooBees, and they have also used this malware in previous attacks as well. 

The version of the Spyder Loader malware that was used in the CuckooBees campaign retained all the old features of the previous versions of the malware, including:-

  • A modified copy of sqlite3.dll
  • rundll32.exe
  • CryptoPP C++ library

A similar pattern of infection has also been observed at the beginning of the infection process. 

Technical Analysis

In today’s world of complex modular backdoors, Spyder Loader has emerged as a very powerful tool with continuous updates and improvements. 

A 64-bit PE DLL is used as a component of the loader sample that Symantec researchers analyzed, and it is a modified version of sqlite3.dll that is being used in this file.

On the victim’s device, during the download process, Spyder Loader downloads the blobs with AES encryption. The Spyder Loader also makes use of Mimikatz and a trojanized zlib DLL module.

Upon the creation of these objects, a payload is created, which is named “wbsctrl.dll”. The attackers stole secure data from the victims, which could potentially be used against them in future cyberattacks. 

Here below, we have mentioned the type of data involves:-

  • Credentials
  • Customer data
  • Information about network architecture

Moreover, this variant uses the ChaCha20 algorithm encryption to obfuscate strings that were used in recent attacks against Hong Kong.

Aside from deleting the dropped wlbsctrl.dll file, the malware also cleans up artifacts created by the malware to prevent the analysis.

Currently, there is no information is available regarding the final payload since the security researchers at Symantec were not able to retrieve the final payload yet.

For now, what’s clear is that the recent attacks appear to be part of a cyberespionage campaign that APT41 has been conducting for a considerable period of time.

Also Read: Download Secure Web Filtering – Free E-book

Posted by Charlie