Suspected China-linked hackers target Guyana government with new backdoor

A cyber espionage campaign has been targeting government agencies in Guyana with a previously undocumented backdoor used to harvest sensitive information, according to new research.

Researchers at the Slovakia-based cybersecurity firm ESET named the backdoor DinodasRAT after the hobbit Dinodas in the Lord of the Rings. Alongside DinodasRAT, the hackers used a version of the Korplug backdoor, a tool commonly associated with China-aligned groups like Mustang Panda.

ESET identified the malicious activity within Guyana's networks in February 2023, when its diplomatic relations with China were strained. During that same month, Guyana's authorities arrested three people in a money laundering investigation involving Chinese companies, which drew objections from the Chinese embassy.

According to the research, the attack was targeted, as the threat actor designed its malicious emails to lure the victim organizations. The majority of these identified emails revolved around Guyana's politics.

These emails had a link that, when clicked, downloaded a ZIP file from a compromised Vietnamese government website, which contained malware samples. Once the victim opened the ZIP file, their system was infected with DinodasRAT malware.

DinodasRAT is a remote access trojan developed in C++ programming language. It can exfiltrate files, manipulate Windows registry keys, and execute commands, the researchers said.

ESET didn't disclose how successful the campaign was or what, if any, information the hackers were able to steal.