Chinese state-backed cyber spies developed a Linux variant of a Windows backdoor to target a Hong Kong university in the months after Beijing squashed pro-democracy protests in the city.
The threat group, called SparklingGoblin by security researchers at Eset, deployed the custom-built implant in February 2021. It had targeted the same university during May of the previous year, while protestors still filled the streets.
“The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations,” Eset says.
Eset calls the backdoor SideWalk in both its Windows and Linux variants. The malicious code is a multipurpose backdoor that loads modules sent from its command-and-control server. It uses Google Docs as a dead-drop resolver and Cloudflare Workers as its command-and-control servers.