Operation Aria-body Backdoor
The Naikon threat actor targeted the government sector in the Asia Pacific region with the Aria-body backdoor. The APT used several infection chains during the operation, which included weaponized RTF files, legitimate executables, malicious DLLs, and executable files used as loaders. The group hosted its infrastructure on Alibaba, used GoDaddy as the registrar, and reused IP addresses across multiple domains. For persistence and defense evasion, the operation relied on the Startup folder or the Run registry key, process injection, and encryption.