Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia
Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. ... DARKDEW will then copy the renamed USB Network Gate binary (e.g., `Removable Drive.exe`) to `C:\ProgramData\udisk\disk_watch.exe` and create persistence with a registry key value named `udisk` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (T1547.001).

Malware: MISTCLOAK, BLUEHAZE, DARKDEW

[View Article](https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia)