Saturday, December 13, 2025

Telecom Attacks Linked to China-Nexus VELETRIX Loader Exploit

Security researchers have uncovered a sophisticated cyber espionage campaign targeting China’s telecommunications infrastructure through a previously unknown malware loader called VELETRIX.

The campaign, dubbed “DragonClone,” specifically targeted China Mobile Tietong Co., Ltd., a subsidiary of one of China’s largest telecommunications companies, potentially providing attackers with access to massive amounts of network traffic for intelligence-gathering purposes.

Advanced Spearphishing and DLL Side-Loading Techniques

The attack begins with carefully crafted spearphishing emails containing ZIP files disguised as internal training materials for China Mobile employees.

The malicious archive includes a file named “2025年中国移动有限公司内部培训计划即将启动,请尽快报名.exe” (China Mobile Limited’s internal training program for 2025 is about to start, please sign up as soon as possible), demonstrating sophisticated social engineering targeting specific organizational personnel.

The threat actors employed DLL side-loading techniques, replacing legitimate Wondershare Recoverit software dependencies with malicious DLLs.

The figures in the original post (not reproduced here) show the DLL side-loading point: the main Wondershare Recoverit executable has an import dependency on drstat.dll, which is what the attackers substituted.

When executed, the legitimate software inadvertently loads the VELETRIX loader through its dependency on “drstat.dll,” which the attackers replaced with their custom malware.

Technical Analysis Reveals Novel Obfuscation Methods

VELETRIX implements several advanced evasion techniques, including an anti-sandbox routine that utilizes the GetTickCount and Sleep APIs, along with sound system checks via Beep calls.

The loader employs an unusual obfuscation method, storing encrypted shellcodes as IPv4 addresses within the binary.

Each octet of an IPv4 string holds one byte of shellcode (four bytes per address); the loader calls the RtlIpv4StringToAddressA API on each string to convert it back into its four raw bytes, reassembling the executable code in memory.

After deobfuscation, the shellcode undergoes XOR decryption with a key of 0x6f and then executes through an unconventional injection method using the EnumCalendarInfoA API.

This technique allocates memory with PAGE_EXECUTE_READWRITE permissions and passes the shellcode address as a callback function parameter, potentially evading traditional detection methods.
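The IPv4-string encoding and single-byte XOR described above are easy to reverse offline once a sample is on the bench. The following analyst helper is an added example (not code from the original post or from the VELETRIX sample): it pulls dotted-quad strings out of a raw binary blob, converts each to its four bytes in the same order RtlIpv4StringToAddressA would write them, and XOR-decodes the result with the loader's 0x6f key (the same routine covers the 0x99 key used on payloads received from the C2). The embedded strings and the blob below are constructed fixtures, not data from the real binary.

```python
"""Analyst helper: recover a payload that a loader stores as IPv4 address strings.

Added example, not code from the original article or the VELETRIX sample. It
mirrors the steps the article describes: each embedded IPv4 string encodes four
bytes (one per octet, in the order written, as RtlIpv4StringToAddressA produces
in memory), and the concatenated bytes are XOR-decrypted with a single-byte key
(0x6f for the embedded stage, 0x99 for data received from the C2 server).
SAMPLE_ADDRESSES and SAMPLE_BLOB are constructed fixtures for illustration.
"""
import re

IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def ipv4_strings_to_bytes(addresses):
    """Convert dotted-quad strings to the bytes they encode, four per address."""
    out = bytearray()
    for addr in addresses:
        m = IPV4_RE.fullmatch(addr.strip())
        if m is None:
            raise ValueError(f"not a dotted quad: {addr!r}")
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError(f"octet out of range in {addr!r}")
        out += bytes(octets)
    return bytes(out)


def xor_decode(data, key):
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def extract_ipv4_strings(blob):
    """Pull candidate IPv4 strings out of a raw blob (e.g. a dumped .data section).

    Strings with an octet above 255 are skipped. A real section may also hold
    genuine addresses (such as the C2 host), so in practice confirm which strings
    the loader actually feeds to RtlIpv4StringToAddressA before decoding.
    """
    text = blob.decode("latin-1")
    found = []
    for m in IPV4_RE.finditer(text):
        if all(int(x) <= 255 for x in m.groups()):
            found.append(".".join(m.groups()))
    return found


def recover_payload(blob, key=0x6F):
    """Full pipeline: extract strings -> bytes -> XOR-decode with the given key."""
    return xor_decode(ipv4_strings_to_bytes(extract_ipv4_strings(blob)), key)


# Constructed fixture: the ASCII text "constructed-sample-payload!!" XOR 0x6f,
# written out as seven IPv4 strings, separated by NULs like C strings in .data.
SAMPLE_ADDRESSES = [
    "12.0.1.28", "27.29.26.12", "27.10.11.66", "28.14.2.31",
    "3.10.66.31", "14.22.3.0", "14.11.78.78",
]
SAMPLE_BLOB = (b"\x00junk\x00"
               + b"\x00".join(a.encode() for a in SAMPLE_ADDRESSES)
               + b"\x00more junk\x00")

if __name__ == "__main__":
    print(extract_ipv4_strings(SAMPLE_BLOB))
    print(recover_payload(SAMPLE_BLOB))  # b'constructed-sample-payload!!'
```

Because XOR with a fixed key preserves structure, a practical sanity check on a real dump is to look at the decoded bytes for a recognisable prologue or strings; if the 0x6f key yields nothing legible, try the 0x99 key the article attributes to C2 traffic, or brute-force all 256 single-byte keys, which takes milliseconds.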

Command and Control Infrastructure Points to State-Sponsored Operations

The malware establishes communication with command and control servers located in China, specifically IP address 62.234.24.38 on TCP port 9999.

Analysis reveals the server belongs to Tencent Cloud Computing (Beijing) and runs the Ubuntu operating system with multiple open network service ports.

The shellcode can receive encrypted payloads from the C&C server, decrypt them using XOR operations with key 0x99, and execute them in memory.

Traffic analysis revealed that the server transmitted nearly 5MB of encrypted data, which contained what appears to be a second-stage Golang DLL payload designed for persistent access.
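The indicators in this section (destination 62.234.24.38, TCP port 9999, and a multi-megabyte inbound transfer) translate directly into a network hunt. The script below is an added example, not from the original post: it scans connection-summary lines, flags exact indicator matches and any other contact with the C2 host, and adds a size heuristic for large inbound transfers on non-web ports. The log format and the lines in SAMPLE_LOG are constructed for illustration, and the 4 MiB threshold is an assumption chosen to catch a transfer of the size the article reports.

```python
"""Detection example for the C2 indicators in the article.

Added example, not from the original post. The only facts taken from it are the
C2 address 62.234.24.38, TCP port 9999, and the roughly 5 MB inbound transfer;
the log format, the sample lines and the size threshold are constructed.

Line format (constructed):
  "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes_out> <bytes_in>"
"""

C2_INDICATORS = {("62.234.24.38", 9999)}      # (ip, port) pairs from the report
C2_HOSTS = {ip for ip, _ in C2_INDICATORS}    # any contact with the host is suspicious
LARGE_INBOUND = 4 * 1024 * 1024               # assumed threshold; ~5 MB stage observed
WEB_PORTS = (80, 443)


def parse_line(line):
    """Parse one constructed connection-summary line; return None if malformed."""
    fields = line.split()
    if len(fields) != 8:
        return None
    ts, src, sport, dst, dport, proto, out_b, in_b = fields
    try:
        return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "proto": proto.lower(),
                "bytes_out": int(out_b), "bytes_in": int(in_b)}
    except ValueError:
        return None


def classify(rec):
    """Return the list of reasons a connection record is worth triage."""
    reasons = []
    if (rec["dst"], rec["dport"]) in C2_INDICATORS and rec["proto"] == "tcp":
        reasons.append("exact C2 indicator match")
    elif rec["dst"] in C2_HOSTS:
        reasons.append("contact with known C2 host on another port")
    # Size heuristic: a second stage of several MB arriving on a non-web port.
    if rec["bytes_in"] >= LARGE_INBOUND and rec["dport"] not in WEB_PORTS:
        reasons.append("large inbound transfer on non-web port")
    return reasons


def flag_c2_connections(lines):
    """Scan lines and return (ts, src, dst, dport, reasons) for each hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the hunt
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], reasons))
    return hits


# Constructed sample log: one benign HTTPS flow, one exact C2 match carrying a
# 5 MiB download, one contact with the C2 host on a different port, one large
# internal SMB transfer (a deliberate false positive for the size heuristic),
# and one malformed line.
SAMPLE_LOG = [
    "2025-12-13T10:00:01Z 10.20.30.40 51234 203.0.113.10 443 tcp 1200 8400",
    "2025-12-13T10:00:07Z 10.20.30.40 51240 62.234.24.38 9999 tcp 560 5242880",
    "2025-12-13T10:01:15Z 10.20.30.41 51301 62.234.24.38 22 tcp 300 2100",
    "2025-12-13T10:02:00Z 10.20.30.42 51400 10.20.30.5 445 tcp 90000 6000000",
    "malformed line here",
]

if __name__ == "__main__":
    for hit in flag_c2_connections(SAMPLE_LOG):
        print(hit)
```

The exact-indicator match is high confidence and suitable for alerting; the size heuristic is noisy on its own (the internal SMB line shows why) and is meant for hunting, where it is combined with the host indicator, destination reputation, or process-to-socket telemetry from the endpoint that loaded drstat.dll.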

This campaign represents a significant example of state-sponsored cyber warfare capabilities, where telecommunications infrastructure becomes a strategic target for mass surveillance and intelligence-gathering operations.
