ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Operation Poisoned News, TwoSail Junk

Names: Operation Poisoned News (Trend Micro), TwoSail Junk (Kaspersky)
Country: China
Motivation: Information theft and espionage
First seen: 2020
Description: (Kaspersky) A watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the content of the landing page. Since the initial activity, we released two private reports exhaustively detailing spread, exploits, infrastructure and LightSpy implants.

We are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor callbacks to infrastructure about clustering this campaign with previous activity. And we are working with colleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously reported on as Lotus Blossom, Spring Dragon, Thrip, known for their Lotus Elise and Evora backdoor malware. Considering that this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro, we would like to further contribute missing information to the story without duplicating content. And, in our quest to secure technologies for a better future, we reported the malware and activity to Apple and other relevant companies.
Observed: Countries: Hong Kong.
Tools used: dmsSpy, lightSpy.

Last change to this card: 01 May 2020
