Newly Uncovered Cyber Threat Cluster Carderbee Raises Alarms in Asian Supply Chains

  • 18 September 2023
  • 3 replies

The issue here is a previously undocumented threat cluster (tracked as Carderbee) that has been conducting software supply chain attacks primarily targeting organizations in Hong Kong and other Asian regions. These attacks leverage a trojanized version of a legitimate application, the EsafeNet Cobra DocGuard Client, to deliver a backdoor known as PlugX. The attackers have also used malware signed with a legitimate Microsoft certificate, making attribution challenging.


Supply chain vulnerabilities

The attackers are exploiting vulnerabilities in the software supply chain, compromising legitimate software to distribute malicious payloads. This highlights a significant problem in software supply chain security, where even trusted software can be compromised.

Attribution challenges

Attribution in cyberattacks can be challenging, as multiple threat actors may share tools and techniques. In this case, the use of PlugX, which is associated with various China-linked hacking groups, makes it difficult to attribute the attacks to a specific actor.

Data exfiltration

Once the backdoor is deployed, attackers can potentially steal sensitive data, compromise systems, and maintain persistence on infected platforms. This poses a serious threat to the confidentiality and integrity of the targeted organizations' data.

Post-exploitation activities

The attackers use the compromised systems as a platform for further attacks, including deploying additional payloads, executing commands, capturing keystrokes, and more. This highlights the risks associated with post-exploitation activities.

Evasion tactics

The attackers are using signed malware and deploying their payload selectively on a few computers, indicating a high level of sophistication and planning to evade detection.


Lack of information

The limited information available about the Carderbee group, its motivations, and ultimate goals raises concerns about the potential impact of future attacks and the need to better understand this threat actor.

Legal and compliance implications

Organizations impacted by these attacks may face legal and compliance challenges, especially if they handle sensitive customer data. Data breach notification requirements and regulatory fines can be significant.


How Threat Modeling Can Solve the Problem

Identifying supply chain vulnerabilities

Threat modeling can help organizations assess their software supply chain for vulnerabilities, identify potential points of compromise, and develop mitigation strategies to secure the supply chain.

Attribution clarification

While threat modeling cannot directly attribute attacks, it can help organizations understand the tactics, techniques, and procedures (TTPs) used by threat actors. This information can assist in building a better understanding of potential threat actors and their motivations.

Data protection

Threat modeling can help organizations prioritize data protection measures and encryption strategies to safeguard sensitive data from exfiltration during and after a breach.

Post-exploitation defense

Threat modeling can guide the development of incident response plans, including strategies to detect and mitigate post-exploitation activities and minimize the impact of these activities.


Security awareness

Threat modeling can improve security awareness within organizations, emphasizing the importance of vigilance in supply chain security, patch management, and security best practices.

Compliance support

Threat modeling can assist organizations in identifying the security controls and measures necessary to comply with data protection and privacy regulations, ensuring timely breach reporting and adherence to legal requirements.


Integrating threat modeling into security practices not only enhances technical defenses against threats like supply chain attacks, but also plays a pivotal role in meeting legal and compliance obligations. It helps organizations proactively address security and privacy requirements, reducing legal risks and ensuring a more robust and legally sound security posture in the supply chain and development environments.




3 replies


Carderbee's discovery underscores the evolving nature of cyber threats, much like the ransomware attack on Colonial Pipeline, which disrupted fuel distribution. A proactive, collaborative approach is crucial to protect Asian supply chains from potential disruptions and financial losses caused by cyberattacks.

Threat modeling helps by identifying vulnerabilities, prioritizing risks, and developing tailored countermeasures to address the Carderbee threat in Asian supply chains. It also fosters collaboration and adaptability as the threat evolves. The outcomes include improved security, targeted risk management, tailored defenses against Carderbee, enhanced collaboration, and adaptability to evolving threats.




If these companies were properly threat modeling, would they have been able to identify this risk? How do you go about protecting your organization against threats that may not have been created yet?


There are a number of reasons why organizations are targeted by malware groups like Carderbee. One reason is that organizations often have valuable data that attackers can steal or sell. Another reason is that organizations are often vulnerable to cyberattacks due to poor security practices.

In the case of the Carderbee attacks, threat modeling could have helped organizations to identify the risk of malicious software updates. Organizations could then have implemented security controls to mitigate this risk, such as only installing software updates from trusted sources and using a software update management tool to scan updates for malicious code.
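As an added example (not from the original post, the replies, or ThreatModeler), here is a minimal update-vetting gate that encodes the control the reply above describes and the evasion the post notes: every update must carry a valid signature from the publisher pinned for that product AND match a pre-approved SHA-256 digest, so a validly signed payload from the wrong publisher (the Microsoft-signed payload in the Carderbee case) is rejected. The product name, publisher DN and digests are constructed, and the signature validity and signer subject are assumed to come from a separate verification step (for example Get-AuthenticodeSignature on Windows).

```python
"""Update-vetting gate: pinned publisher AND pinned hash must both match.

Added example, not code from the original post or from any vendor. The
product name, publisher DN and release bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass

# Constructed policy: the publisher we expect to sign each product's updates
# and the SHA-256 digests of releases we have approved out-of-band.
UPDATE_POLICY = {
    "DocGuardClient": {
        "publisher": "CN=Example DocGuard Vendor",  # constructed DN, not the real vendor's
        "approved_sha256": set(),                   # filled by register_release()
    },
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def register_release(product: str, blob: bytes) -> str:
    """Pin a release obtained directly from the vendor; returns its digest."""
    digest = sha256_hex(blob)
    UPDATE_POLICY[product]["approved_sha256"].add(digest)
    return digest


def vet_update(product: str, blob: bytes, signature_valid: bool,
               signer_subject: str) -> Verdict:
    """signature_valid/signer_subject are assumed to come from an external
    Authenticode check; this function only applies the policy."""
    policy = UPDATE_POLICY.get(product)
    if policy is None:
        return Verdict(False, "unknown product: no policy, refuse by default")
    if not signature_valid:
        return Verdict(False, "code signature missing or invalid")
    # A valid signature only proves that *some* certificate holder signed the
    # file. The trojanised client in the Carderbee case carried a payload with
    # a valid Microsoft signature; the signer still is not this product's vendor.
    if signer_subject != policy["publisher"]:
        return Verdict(False, f"valid signature but unexpected signer: {signer_subject}")
    digest = sha256_hex(blob)
    if digest not in policy["approved_sha256"]:
        return Verdict(False, f"sha256 {digest[:16]}... not in approved set")
    return Verdict(True, "signer and pinned hash match")
```

Both checks are needed: the hash pin catches a tampered binary from the right publisher, and the publisher pin catches a pristine-looking binary whose only flaw is that someone else signed it.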