An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector.
Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions.
The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot.
In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload.
The campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and Vulnerability Intelligence customers) on vulnerable Check Point Security Gateways.
IoCs and Yara rules can be found on our dedicated GitHub page here.
