China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
ID: b6fcd384-6d02-590e-92a4-e56d4c6cd561
STIX ID: report--b6fcd384-6d02-590e-92a4-e56d4c6cd561
Feed Name: cybersecurityNews.com
A China-linked advanced persistent threat is actively targeting edge routers across Southeast Asia by installing a custom Linux implant (router.elf) that establishes encrypted C2 via HTTPS and DNS-over-HTTPS, adds iptables and ipset rules to redirect DNS traffic, and deploys a secondary backdoor (client_rc_start). The same actor uses DLL sideloading to drop a Cobalt Strike Beacon (version.dll) on Windows endpoints; both toolsets share identical C2 infrastructure, timing, and metadata. The report includes detailed IoCs (hashes, domains, IPs, URI patterns, cookie markers) and urgent remediation guidance to audit routers for unauthorized firewall/DNS rules, scan for the listed artifacts, and enforce firmware integrity and MFA for device management.
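The remediation guidance above boils down to two checks a router operator can script: look for firewall rules that divert port 53 traffic (the behaviour attributed to router.elf), and look for the named implant files. The POSIX shell below is an added example written for this page; it is not code from the report, the feed, or the actor's toolset. The iptables-save ruleset it parses is constructed for illustration (the ipset name dns_divert and the TEST-NET address 192.0.2.10 are made up); only the file names router.elf and client_rc_start come from the report, and since an attacker can rename a binary freely, the hashes the report lists are the stronger signal for the file check.

```shell
#!/bin/sh
# Added example: audit a Linux router for DNS-diversion rules and named implant
# files. On a live device, feed real output in with:  iptables-save | find_dns_redirects

# Constructed sample ruleset (not from the report). Two nat-table rules divert
# DNS; the filter-table rule merely accepts it and must not be flagged.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -m set --match-set dns_divert src -j DNAT --to-destination 192.0.2.10:53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# Print every nat-table rule that matches destination port 53 (plain --dport or
# a multiport --dports list containing 53) and rewrites the destination with
# DNAT or REDIRECT. Reads iptables-save text on stdin.
find_dns_redirects() {
    awk '
        /^\*/       { table = substr($0, 2) }   # *nat, *filter, *mangle ...
        /^COMMIT/   { table = "" }
        table == "nat" \
            && /--dports? ([0-9]+,)*53([^0-9]|$)/ \
            && /-j (DNAT|REDIRECT)/ { print }
    '
}

# Number of diversion rules found (0 on a clean device).
count_dns_redirects() {
    find_dns_redirects | awk 'END { print NR }'
}

# ipset names referenced by the diversion rules, so the operator can inspect
# them with `ipset list NAME` and see which clients are being steered.
list_referenced_sets() {
    find_dns_redirects | awk '{
        for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1)
    }' | sort -u
}

# Locate files carrying the implant names from the report under $1 (one
# filesystem only). Name matches are a weak signal; confirm against the hashes.
find_named_artifacts() {
    find "$1" -xdev -type f \( -name 'router.elf' -o -name 'client_rc_start' \) 2>/dev/null
}

# Stand-alone demonstration against the constructed sample.
echo "DNS diversion rules:"
printf '%s\n' "$SAMPLE_RULES" | find_dns_redirects
echo "ipsets referenced:"
printf '%s\n' "$SAMPLE_RULES" | list_referenced_sets
```

On a real device, run the rule check against `iptables-save` (and `nft list ruleset` on nftables-based firmware, which this parser does not cover), and point `find_named_artifacts` at `/` or at the writable overlay; a hit on either check is grounds to pull the device for imaging rather than to clean it in place, since the report describes a secondary backdoor alongside the primary implant.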
