
The SOC files: Rumble in the jungle or APT41’s new target in Africa

SecureList

This is a Chinese-speaking cyberespionage group known for targeting organizations across multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in at least 42 countries. One of the commands observed:

cmd.exe /c reg save HKLM\SAM C:\Windows\temp\temp_3.log

We detail these tools below.
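The `reg save HKLM\SAM` command above is the first half of an offline credential dump (the SAM hive is only useful together with the boot key held in the SYSTEM hive; SECURITY plus SYSTEM yields LSA secrets). The following Python detection is an added example, not code from the Securelist article: it matches process-creation command lines (Windows 4688 or Sysmon event 1 style) that export the SAM, SYSTEM or SECURITY hive and then reports hosts where enough hives were taken to recover hashes. The event fields and every sample command line are constructed.

```python
"""Detect registry-hive exports that precede offline credential dumping.

Added illustration, not code from the Securelist write-up. The event
dictionaries model the command-line field of a process-creation log;
their contents are constructed for this example.
"""
import re

# Hives whose export is only explainable by backups or credential theft.
SENSITIVE_HIVES = {"SAM", "SYSTEM", "SECURITY"}

_HIVE_SAVE_RE = re.compile(
    r'(?:^|[\s"\'])'                                      # start of line or a separator
    r'(?:[A-Za-z]:\\[^"\'\s]*\\)?'                        # optional full path to reg.exe
    r'reg(?:\.exe)?["\']?\s+'                             # reg / reg.exe, possibly quoted
    r'(save|export)\s+'                                   # the verb
    r'["\']?(?:HKLM|HKEY_LOCAL_MACHINE)\\'                # hive root
    r'(SAM|SYSTEM|SECURITY)\b(?:\\[^"\'\s]*)?["\']?\s+'   # sensitive hive, optional subkey
    r'["\']?([^"\'\s]+)',                                 # destination file
    re.IGNORECASE,
)


def parse_hive_save(cmdline):
    """Return (verb, hive, destination) if cmdline exports a sensitive hive, else None."""
    m = _HIVE_SAVE_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).upper(), m.group(3)


def scan_process_events(events):
    """One alert per event whose command line exports SAM, SYSTEM or SECURITY."""
    alerts = []
    for ev in events:
        hit = parse_hive_save(ev["cmdline"])
        if hit:
            verb, hive, dest = hit
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "verb": verb, "hive": hive, "dest": dest})
    return alerts


def hosts_with_full_hive_set(alerts):
    """Hosts where both SAM and SYSTEM left the box: enough to crack local hashes offline."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["hive"])
    return sorted(h for h, hives in by_host.items() if {"SAM", "SYSTEM"} <= hives)


# Constructed sample events (hosts, users and paths are made up for the example).
SAMPLE_EVENTS = [
    {"host": "srv-dc01", "user": "CORP\\svc_backup",
     "cmdline": r"cmd.exe /c reg save HKLM\SAM C:\Windows\temp\temp_3.log"},
    {"host": "srv-dc01", "user": "CORP\\svc_backup",
     "cmdline": r'"C:\Windows\System32\reg.exe" save "HKLM\SYSTEM" "C:\Windows\temp\temp_4.log" /y'},
    {"host": "ws-0042", "user": "CORP\\jdoe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws-0042", "user": "CORP\\jdoe",
     "cmdline": r"reg export HKCU\Software\MyApp C:\Users\jdoe\myapp.reg"},
    {"host": "ws-0077", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"reg save HKLM\SECURITY \\fileshare\tmp\sec.hiv"},
]

if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]} {a["user"]}: reg {a["verb"]} {a["hive"]} -> {a["dest"]}')
    print("hosts with SAM+SYSTEM exported:", hosts_with_full_hive_set(SAMPLE_EVENTS and found))
```

Matching on the command line rather than on `reg.exe` alone keeps ordinary `reg query` and per-user `HKCU` exports out of the alert stream; the destination path is kept in the alert because, as in the article's `temp_3.log` example, attackers routinely name the hive copy as something innocuous.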


IT threat evolution Q3 2023

SecureList

DroxiDat, a lean variant of SystemBC that acts as a system profiler and simple SOCKS5-capable bot, was detected at an electric utility company. The C2 (command and control) infrastructure for the incident involved an energy-related domain, ‘powersupportplan[.]com’, that resolved to an already suspicious IP host.


China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures

Security Boulevard

CL-STA-0048 Activity: Interactive Reverse Shell and DNS Beaconing on SAP Environments

On April 28, 2025, EclecticIQ analysts observed command-and-control (C2) traffic originating from compromised SAP NetWeaver systems. Resolved IPs via DNS (Figure 7 - Resolved IP address in DNS A record): 54.77.139[.]23
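Both DNS observations on this page, the A-record answer pointing at a reported C2 address here and the energy-themed domain resolving to a suspicious IP in the DroxiDat item above, are visible in a resolver log, and so is the beaconing itself. The following Python script is an added example, not code from EclecticIQ or Securelist: it refangs the bracketed indicator quoted in the snippet, matches A-record answers against it, and flags (client, name) pairs queried at near-constant intervals, which is what a polling implant looks like in DNS. The log format and every log line are constructed for the example.

```python
"""Flag resolutions to known-bad IPs and periodic (beacon-like) DNS queries.

Added example, not from the EclecticIQ or Securelist write-ups. Log
format is an assumption: one query per line,
"<UTC timestamp> <client> <qname> <qtype> <answer>".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Indicator as written (defanged) in the snippet, refanged for matching.
DEFANGED_IOCS = ["54.77.139[.]23"]
IOC_IPS = {i.replace("[.]", ".") for i in DEFANGED_IOCS}

# Constructed resolver log: one noisy legitimate name, one name polled about every 60 s.
SAMPLE_LOG = """\
# constructed: <UTC timestamp> <client> <qname> <qtype> <answer>
2025-04-28T08:49:00Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
2025-04-28T08:49:00Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:49:07Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
2025-04-28T08:50:01Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:50:59Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:51:10Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
2025-04-28T08:51:15Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
2025-04-28T08:52:00Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:53:01Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:54:00Z 10.0.5.21 c2.example-bad.test A 54.77.139.23
2025-04-28T08:55:55Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
2025-04-28T08:56:00Z 10.0.5.21 updates.example-cdn.test A 203.0.113.10
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, answer = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "qname": qname, "qtype": qtype, "answer": answer,
        })
    return events


def ioc_matches(events):
    """Distinct (client, qname, answer) triples whose A-record answer is a listed IOC."""
    return sorted({(e["client"], e["qname"], e["answer"])
                   for e in events if e["qtype"] == "A" and e["answer"] in IOC_IPS})


def find_beacons(events, min_queries=5, max_cv=0.1):
    """Series of queries with near-constant spacing: {(client, qname): (mean_gap_s, cv)}.

    cv is the coefficient of variation (population stdev / mean) of the
    inter-query gaps; a human or a cache-driven resolver produces bursts and
    idle stretches, a sleep-loop implant produces a cv close to zero.
    """
    series = defaultdict(list)
    for e in events:
        series[(e["client"], e["qname"])].append(e["ts"])
    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = (round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IOC hits:", ioc_matches(evs))
    for (client, name), (mean, cv) in find_beacons(evs).items():
        print(f"beacon: {client} -> {name} every ~{mean}s (cv={cv})")
```

The two checks are complementary: the indicator match only works for infrastructure already reported, while the interval check finds the same behaviour against a domain nobody has published yet, at the cost of needing a jitter threshold (`max_cv`) tuned to the environment.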
