Matthieu Faou

DigitalRecyclers: Yet another member of the APT15 galaxy

DigitalRecyclers is a China-aligned cyberespionage group discovered by ESET researchers in 2021. The group has been active since at least 2018 and regularly conducts espionage operations against governmental organizations in Europe. We believe that DigitalRecyclers is linked to Ke3chang and BackdoorDiplomacy, and all are part of the APT15 galaxy.

DigitalRecyclers’ operations are characterized by the deployment of the RClient implant, which is a variant of the Project KMA stealer that was developed by an unrelated Pakistani threat actor around 2010. In September 2023, the group started to develop a new backdoor that we named HydroRShell. It uses Google’s serialization library Protobuf and the open-source Mbed TLS library for C&C communications.

The group also runs its own operational relay box (ORB) network, which we named KMA VPN, to anonymize its network traffic. For example, we have observed exploitation attempts from this network against servers running Microsoft SharePoint and CrushFTP.

In this presentation, we will give CTI analysts and defenders a better understanding of the common TTPs used by DigitalRecyclers and of the group’s relationships with other APT15-related threat actors, so that they are better equipped to defend against the group.


Matthieu Faou is a senior malware researcher at ESET where he specializes in researching targeted attacks. His main duties include threat hunting and reverse engineering of APTs. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has spoken at multiple conferences including Black Hat USA, BlueHat, Botconf, CYBERWARCON and Virus Bulletin.
