Cyber Threat Report: 'Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide'

Report Author TeamT5
Publication Date 2024-01-25
Original Reporting Source
Attributed to Nation China
Related Intrusion Sets FamousSparrow , APT41 , TeleBoyi
Victim Sectors Telecommunications, Energy, Education, Financial Services, Technology, National Government, Nuclear, Healthcare, Manufacturing

This presentation from TeamT5 describes the intrusion set it refers to as TeleBoyi and was delivered at JPCERT's JSAC2024 conference on January 25. It provides an in-depth look at TeleBoyi's operations, including the group's interest in critical infrastructure, its malware delivery mechanisms, and its arsenal of tools and malware. TeamT5 attributes TeleBoyi as a China-nexus APT group active since 2014 that targets critical infrastructure worldwide, especially in the APAC region. The presentation details malware used by the group, including ShadowPad, Winnti, PlugX, LibreCoin, DoubleShell, and others. TeleBoyi normally gains initial access in one of three ways: fake applications, malicious documents, or exploitation of public-facing applications. TeamT5 assesses that the group shares tools with, and potentially collaborates with, other APT groups, including APT41, Earth Berberoka, and SLIME40 (FamousSparrow/GroundPeony).
