China-Linked Hackers Hit SEA Edge Routers With Custom Linux Implant
ID: e356e5a9-8a7c-5bfb-801f-7baa615bd113
STIX ID: report--e356e5a9-8a7c-5bfb-801f-7baa615bd113
Feed Name: GBHackers
Executive summary: A China-linked advanced actor is running a long-term espionage campaign across Southeast Asia by implanting Linux edge routers with a statically linked ELF RAT (router.elf) and a redundant, fallback backdoor (client_rc_start), while also deploying a cracked Cobalt Strike Beacon on Windows hosts via DLL sideloading (version.dll). The operation uses DNS-over-HTTPS for stealthy C2. On the compromised routers it installs iptables DNAT rules and ipset-based redirection to mount DNS man-in-the-middle attacks and to selectively hijack software updates and services, giving the actor full visibility into, and control over, downstream traffic. The report includes shared infrastructure indicators (domains, filenames, and hashes) and behavioral details for detection and remediation.
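The DNS hijack described above rests on two observable router artifacts: a nat-table DNAT rule that rewrites port 53 traffic, and DNAT rules gated on an ipset match so that only selected destinations (update servers, services) are redirected. The following script is an added example written for this page, not code from the report or from any tool it names; it parses `iptables-save` output and flags both patterns. The sample rules, set name `upd_targets` and the 198.51.100.7 / 10.0.0.5 addresses are constructed for illustration and are not indicators from the report.

```python
"""Flag iptables DNAT rules that hijack DNS or use ipset-selected redirection.

Added example for this page; not the report's own tooling. Feed it the
output of `iptables-save -t nat` from a router under investigation.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `iptables-save` output (not real indicators):
# rule 1 rewrites all client DNS to a rogue resolver,
# rule 2 redirects only hosts listed in the ipset `upd_targets`,
# rule 3 is an ordinary port-forward that must NOT be flagged.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 198.51.100.7:53
-A PREROUTING -p tcp -m set --match-set upd_targets dst -m tcp --dport 80 -j DNAT --to-destination 198.51.100.7:8080
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DNAT_RE = re.compile(r"-j DNAT --to-destination (\S+)")
DPORT_RE = re.compile(r"--dport (\d+)")
MATCH_SET_RE = re.compile(r"-m set --match-set (\S+) (src|dst)")


@dataclass
class Finding:
    rule: str    # the offending iptables-save line
    reason: str  # why it was flagged
    target: str  # DNAT --to-destination value (where traffic is sent)


def find_dns_redirect_rules(iptables_save_text: str) -> list[Finding]:
    """Return DNAT rules in the nat table that rewrite DNS (dport 53)
    or that are gated on an ipset match (selective hijack of hosts)."""
    findings: list[Finding] = []
    table = None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):           # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A"):
            continue
        dnat = DNAT_RE.search(line)
        if not dnat:
            continue
        target = dnat.group(1)
        dport = DPORT_RE.search(line)
        match_set = MATCH_SET_RE.search(line)
        if dport and dport.group(1) == "53":
            findings.append(Finding(line, f"DNS (port 53) rewritten to {target}", target))
        elif match_set:
            findings.append(Finding(
                line,
                f"ipset-selected redirection via set '{match_set.group(1)}' "
                f"({match_set.group(2)}) to {target}",
                target,
            ))
    return findings


def rogue_targets(findings: list[Finding]) -> set[str]:
    """Distinct DNAT destinations, i.e. the candidate MITM endpoints to pivot on."""
    return {f.target.split(":")[0] for f in findings}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    for f in find_dns_redirect_rules(text):
        print(f"[!] {f.reason}\n    {f.rule}")
    print("DNAT endpoints to investigate:", sorted(rogue_targets(find_dns_redirect_rules(text))))
```

Run it as `iptables-save -t nat | python3 check_dnat.py` on the router (or on a copied `iptables-save` dump). For any flagged set name, `ipset list <name>` shows which destinations the actor chose to hijack; for any flagged DNAT endpoint, check whether it is the router itself (an implant listening locally) or an external host, and correlate with the process owning that port.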
