Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX & VShell malware

In June 2025, Seqrite Labs uncovered Operation DRAGONCLONE, a sophisticated cyber-espionage campaign targeting China Mobile Tietong, a major telecom provider in mainland China. The attack chain began with a ZIP archive (附件.zip) containing a trojanized executable mimicking internal training tools. This executable sideloaded a malicious DLL via a legitimate Wondershare Repairit binary, resulting in in-memory execution of a stealthy 64-bit loader named VELETRIX. The loader exhibited advanced evasion through Sleep-Beep anti-sandbox timing, API hashing, and an “IPFuscation” technique—embedding encrypted shellcode as IPv4 string patterns, then decoding and executing it via the EnumCalendarInfoA callback mechanism.
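As an added triage illustration of the IPFuscation pattern described above (this is not code from Seqrite's report or from the malware): a small helper that pulls dense runs of dotted-quad strings out of a strings dump and decodes them to bytes so an analyst can inspect them. The octet-to-byte order, the run and gap thresholds, and the sample blob are all assumptions; the constructed run decodes to a harmless ASCII message rather than shellcode.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling a strings dump from a loader: two ordinary
# config-style values plus one dense run of dotted quads (decodes to ASCII).
SAMPLE = (
    "version=1.2.3\n"
    "server=10.0.0.5\n"
    '"72.101.108.108", "111.44.32.119", "111.114.108.100", "33.0.0.0"\n'
    "log_path=C:\\temp\n"
)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")
MIN_RUN = 4   # assumed: fewer adjacent quads than this is treated as ordinary config
MAX_GAP = 8   # assumed: max non-quad characters between quads of the same run

@dataclass
class Run:
    offset: int   # character offset of the first quad in the run
    count: int    # number of dotted quads in the run
    data: bytes   # decoded bytes, one per octet, in written order

def group_quads(text):
    """Split all valid dotted quads into groups; a newline or a gap wider than
    MAX_GAP between two quads starts a new group."""
    groups, cur, last_end = [], [], None
    for m in IPV4_RE.finditer(text):
        octets = tuple(int(g) for g in m.groups())
        if max(octets) > 255:          # e.g. 999.1.1.1 is not an IPv4 literal
            continue
        if last_end is not None:
            between = text[last_end:m.start()]
            if len(between) > MAX_GAP or "\n" in between:
                groups.append(cur)
                cur = []
        cur.append((m.start(), octets))
        last_end = m.end()
    if cur:
        groups.append(cur)
    return groups

def find_runs(text):
    """Decode every group with at least MIN_RUN quads into a Run for review."""
    runs = []
    for g in group_quads(text):
        if len(g) >= MIN_RUN:
            data = bytes(o for _, octets in g for o in octets)
            runs.append(Run(offset=g[0][0], count=len(g), data=data))
    return runs
```

Lone addresses such as the server= line are left alone; only the dense run is surfaced, with its decoded bytes ready for a hexdump or disassembler.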

The decoded payload instantiated the VShell backdoor, a Golang-based, cross-platform remote shell delivered as tcp_windows_amd64.dll. This implant communicated over WinSock APIs with command-and-control (C2) servers across Hong Kong, the U.S., and Singapore. Forensic analysis identified 44 variants sharing a hardcoded configuration salt (qwe123qwe), with some binaries digitally signed, potentially via compromised certificates—one linked to Shenzhen Thunder Networking Technologies Ltd. The infrastructure bore strong overlaps with known Chinese APTs such as UNC5174 (Uteus) and Earth Lamia, previously observed exploiting vulnerabilities like CVE-2024-1709 (ScreenConnect) and CVE-2025-31324 (SAP NetWeaver).

Additional servers hosted tools like Cobalt Strike, SuperShell, and reconnaissance dashboards (e.g., Asset Lighthouse System), indicating a well-resourced and modular campaign infrastructure. Operation DRAGONCLONE exemplifies an evolution in China-nexus cyber operations—combining DLL sideloading, cross-platform loaders, certificate abuse, and obfuscation via shellcode-IP encoding. The campaign underscores the growing complexity of APT tooling targeting critical national infrastructure, demanding deeper memory inspection, behavioral analytics, and cross-platform visibility.

Sathwik Ram Prakki – Quick Heal

Sathwik Ram Prakki works as Senior Security Researcher at Seqrite Labs, Quick Heal. His areas of research are threat intelligence, APT hunting, delving into the dark web, and malware analysis. With a background in offensive security and knowledge of OS internals, he is keen on enhancing detections and infrastructure for threat hunting and CTI. Starting his cybersecurity career at C-DAC, under the Ministry of Electronics & IT in India, Sathwik has shared insights on APTs, ransomware and malware ecosystems at conferences such as AVAR, BlueHat, Botconf, c0c0n, FIRSTCON and Virus Bulletin.

Subhajeet Singha – Quick Heal

Subhajeet Singha is a security researcher at Quick Heal’s Seqrite Labs, specializing in threat intelligence, malware research, and reverse engineering. His work focuses on analysing emerging cyber threats, uncovering sophisticated attack campaigns, and enhancing detection mechanisms to strengthen cybersecurity defences. With a deep understanding of malware behaviour and threat actor tactics, Subhajeet actively investigates advanced persistent threats (APTs), reverse-engineers complex malware strains, and contributes to research initiatives that improve industry-wide threat detection. His expertise spans multiple domains, including cyber threat hunting and the development of proactive defence strategies.