China-Linked Hackers Target Southeast Asian Edge Routers
ID: acb6dd93-7101-59ec-abff-a01a81864c3b
STIX ID: report--acb6dd93-7101-59ec-abff-a01a81864c3b
Feed Name: Cyber Press
Security researchers report a large-scale China-nexus campaign targeting border routers in Southeast Asia. The campaign installs a statically linked Linux implant (router.self/router.elf) and a secondary backdoor (client_rc_start). The router implant uses advanced anti-analysis techniques, an encrypted configuration and DNS-over-HTTPS for C2, and installs persistent NAT/DNS redirection rules that send traffic to attacker-controlled resolvers, enabling hijacking of updates and credential harvesting. The adversary extends control to Windows endpoints via a cracked Cobalt Strike Beacon delivered through DLL sideloading (version.dll); analysts observed shared C2 infrastructure between the router and Windows components and provided file hashes as indicators of compromise.
