ScanBox Keylogger in Watering Hole Attacks

Click that 'Sick Leave' email from Australian Morning News. Boom—your keystrokes are ScanBox's. China's Red Ladon just dusted off a 10-year-old trick for fresh espionage.

Compromised fake Australian news site loading ScanBox JavaScript keylogger

Key Takeaways

  • Red Ladon uses ScanBox in watering holes mimicking Aussie news to keylog without disk malware.
  • WebRTC/STUN enables NAT traversal, turning browsers into stealth C2 channels.
  • Ties to China's MSS signal South China Sea cyber-escalation; expect broader use.

Your cursor hovers over the link. “Sick Leave update from HR,” it says, signed by some nobody at Australian Morning News. One click, and you’re on a page mimicking BBC headlines—except it’s laced with ScanBox, the JavaScript keylogger that’s been lurking since 2013.

Zoom out: this isn’t random phishing. Proofpoint and PwC tracked a China-based APT—likely TA423, aka Red Ladon—hitting Australian orgs and offshore energy players in the South China Sea from April to June 2022. Watering hole attacks, they call ‘em. Compromise legit-looking sites, wait for targets to drink.

But here’s the twist no one’s yelling about yet: Red Ladon isn’t just recycling old code. They’re architecturally upgrading ScanBox with WebRTC and STUN for NAT traversal—turning browsers into backdoors that punch through firewalls like they’re paper. It’s espionage evolving from blunt malware drops to surgical recon, mirroring how Cold War spies shifted from dead drops to embedded assets in enemy lines.

“ScanBox is particularly dangerous as it doesn’t require malware to be successfully deployed to disk in order to steal information – the keylogging functionality simply requires the JavaScript code to be executed by a web browser.”

PwC nailed it. No disk writes, no AV screams. Just pure browser exploitation.

Fake News, Real Keylogs

Emails bait with urgency—“User Research,” “Request Cooperation.” Sender? Faux journo from australianmorningnews[.]com, a clone of real outlets. Victims land on pilfered Sky News copy, but the payload’s ScanBox: fingerprinting OS, plugins, even Flash relics (yeah, still).

It grabs keystrokes mid-type. Passwords. Searches. All exfiltrated sans malware. Then the real smarts: WebRTC module pings pre-set C2s, using STUN for ICE handshakes. NAT? Firewalls? No problem—peer-to-peer chatter bypasses ‘em.

Researchers break it down: STUN tells the client which public IP:port its NAT assigned it, then ICE uses that to negotiate a direct path. Victim’s machine phones home, even from a corporate network.
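What a STUN Binding exchange looks like on the wire, and why a defender can spot it: the header carries a fixed magic cookie, and the reply hands the client its public IP:port, XORed with that cookie. The Node.js code below is an added example, not code from the article or from the Proofpoint/PwC reports. Every datagram, address and flow in it is constructed for the demo (203.0.113.7 and 198.51.100.9 are documentation addresses, not observed indicators), and the `flagUnexpectedStun` allowlist is a hypothetical list of hosts that legitimately talk STUN.

```javascript
// Added example, not code from the article or from the Proofpoint/PwC reports:
// recognise a STUN Binding exchange on the wire and decode what the reply
// reveals to the client (its public IP:port behind NAT), per RFC 5389.
// Every byte below is constructed for the demo; 203.0.113.7 and 198.51.100.9
// are documentation addresses, not observed indicators.

const MAGIC_COOKIE = 0x2112a442;
const MESSAGE_NAMES = {
  0x0001: 'Binding Request',
  0x0101: 'Binding Success Response',
  0x0111: 'Binding Error Response',
};
const ATTR_XOR_MAPPED_ADDRESS = 0x0020;

// Returns null unless the datagram has a well-formed STUN header.
function parseStunHeader(buf) {
  if (buf.length < 20) return null;
  const type = buf.readUInt16BE(0);
  if (type & 0xc000) return null;                  // top two bits are always zero in STUN
  const length = buf.readUInt16BE(2);
  if (length % 4 !== 0 || buf.length !== 20 + length) return null;
  if (buf.readUInt32BE(4) !== MAGIC_COOKIE) return null;
  return { type, name: MESSAGE_NAMES[type] || 'unknown', length,
           txid: buf.subarray(8, 20).toString('hex') };
}

// Walk the type-length-value attributes that follow the 20-byte header.
function parseAttributes(buf) {
  const attrs = [];
  let off = 20;
  while (off + 4 <= buf.length) {
    const type = buf.readUInt16BE(off);
    const len = buf.readUInt16BE(off + 2);
    attrs.push({ type, value: buf.subarray(off + 4, off + 4 + len) });
    off += 4 + ((len + 3) & ~3);                   // values are padded to a 4-byte boundary
  }
  return attrs;
}

// XOR-MAPPED-ADDRESS: the port is XORed with the top 16 bits of the magic
// cookie, an IPv4 address with the whole cookie. Undo that to get the endpoint.
function decodeXorMappedAddress(value) {
  if (value.length < 8 || value[1] !== 0x01) return null;   // IPv4 only in this demo
  const port = value.readUInt16BE(2) ^ (MAGIC_COOKIE >>> 16);
  const addr = (value.readUInt32BE(4) ^ MAGIC_COOKIE) >>> 0;
  const ip = [24, 16, 8, 0].map(s => (addr >>> s) & 0xff).join('.');
  return { ip, port };
}

// Classify one UDP payload: is it STUN, which message, and what did it map?
function classifyDatagram(buf) {
  const hdr = parseStunHeader(buf);
  if (!hdr) return { stun: false };
  const result = { stun: true, message: hdr.name, txid: hdr.txid };
  for (const a of parseAttributes(buf)) {
    if (a.type === ATTR_XOR_MAPPED_ADDRESS) result.mapped = decodeXorMappedAddress(a.value);
  }
  return result;
}

// Defender's use: STUN between two hosts neither of which has a telephony or
// conferencing role is worth a look. `allowedHosts` is a constructed allowlist.
function flagUnexpectedStun(flows, allowedHosts) {
  return flows
    .map(f => ({ ...f, ...classifyDatagram(f.payload) }))
    .filter(f => f.stun && !allowedHosts.has(f.src) && !allowedHosts.has(f.dst))
    .map(f => ({ src: f.src, dst: f.dst, message: f.message, mapped: f.mapped || null }));
}

// Constructed datagrams: a client's Binding Request and the server's reply
// telling it that it is seen from outside as 203.0.113.7:51234.
const TXID = '0102030405060708090a0b0c';
const SAMPLE_REQUEST = Buffer.from('00010000' + '2112a442' + TXID, 'hex');
const SAMPLE_RESPONSE = Buffer.from(
  '0101000c' + '2112a442' + TXID +                  // header: 12 bytes of attributes follow
  '00200008' + '0001' + 'e930' + 'ea12d545',        // XOR-MAPPED-ADDRESS, IPv4, X-Port, X-Address
  'hex');

// Constructed flows: a workstation that should never do WebRTC, the server's
// reply to it, a softphone that is allowed to, and one non-STUN datagram.
const SAMPLE_FLOWS = [
  { src: '10.0.0.25', dst: '198.51.100.9', payload: SAMPLE_REQUEST },
  { src: '198.51.100.9', dst: '10.0.0.25', payload: SAMPLE_RESPONSE },
  { src: '10.0.0.40', dst: '198.51.100.9', payload: SAMPLE_REQUEST },
  { src: '10.0.0.25', dst: '203.0.113.53', payload: Buffer.from('not stun at all, really') },
];
const ALLOWED_STUN_CLIENTS = new Set(['10.0.0.40']);

console.log(classifyDatagram(SAMPLE_RESPONSE));
console.log(flagUnexpectedStun(SAMPLE_FLOWS, ALLOWED_STUN_CLIENTS));
```

The point for detection is the last function: public STUN servers are legitimate, so the signal is not the destination but which internal hosts are doing the handshake. A workstation that only reads news has no reason to learn its own NAT mapping.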

Red Ladon? Hainan Island ops, per US DOJ indictment. They back MSS—the PRC’s spy arm for counterintel, foreign ops, industrial theft. South China Sea energy firms? Prime targets amid territorial beefs.

This ain’t hype. Indictments confirm MSS ties.

Campaign’s multi-stage. ScanBox scouts: who’s worth hitting next? Browser prints tailor follow-ups—custom malware, zero-days. It’s why watering holes thrive: low noise, high intel yield.

Why Dust Off ScanBox in 2022?

Ten years old, yet perfect for now. Browsers fatter with APIs—WebRTC’s everywhere. No need to reinvent; tweak for modern nets. Red Ladon saves dev cycles, focuses on ops.

Architectural shift? From implant-or-bust to recon-first. Why? Defenses hardened—EDRs everywhere—but browsers? Still wild west. Users click news links daily; orgs whitelist media domains.

Bold call: expect ScanBox 2.0 hybrids soon, blending with Cobalt Strike loaders. Or worse—chaining to supply-chain hits on Aussie media.

China’s PR spin? “Routine cyber drills.” Please. This screams South China Sea escalation—cyber probes before physical moves.

And the Aussies? Domestic orgs snared too. Watering holes hit shared interests: energy, policy.

How ScanBox Evades the Usual Traps

No exe drops. The JS runs inside the browser sandbox—sorta. Keylogs via DOM event hooks, inputs captured live as you type.

Checks extensions (uBlock? Adblock?), plugins. WebRTC leaks local IPs sans permission. STUN servers? Legit, public—blends in.

Defenses? Script blockers like NoScript kill it. But normies? Doomed. Enterprises: train on watering holes, block rogue JS on media.
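One way to do the “block rogue JS on media” part at a proxy, or as a NoScript-style rule set: audit every script on the fetched page before letting it run. The Node.js code below is an added example, not the article’s or any vendor’s code. The HTML, the allowlist (`trusted-cdn.example`) and the IP-hosted script are constructed for the demo; australianmorningnews[.]com is only used as the page origin because the reporting names it as the lookalike domain. The inline indicator list (`RTCPeerConnection`, keystroke listeners) is a hypothetical heuristic: a read-only news article has no reason to open a peer connection or hook keystrokes from inline code.

```javascript
// Added example, not code from the article or from any vendor: audit the
// <script> tags of a fetched page the way a proxy or a NoScript-style rule set
// would, before letting a "news" page run code. The HTML, page URL, allowlist
// and the 203.0.113.50 address are constructed for the demo.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Browser APIs a read-only news article has no business touching from inline
// code: a peer connection (WebRTC) or raw keystroke listeners. Hypothetical
// heuristic chosen for the demo.
const INLINE_INDICATORS = ['RTCPeerConnection', 'keydown', 'keypress'];

// Crude registrable-domain approximation (last two labels). A real tool would
// consult the Public Suffix List; IP literals simply never match an allowlist.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Classify every script on the page: same-origin, allowlisted third party,
// unknown third party (block), or inline (block if it uses an indicator API,
// otherwise flag for review).
function auditScripts(html, pageUrl, allowlist) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1], body = m[2];
    const src = SRC_ATTR.exec(attrs);
    if (!src) {
      const indicators = INLINE_INDICATORS.filter(t => body.includes(t));
      findings.push({ kind: 'inline', bytes: body.length, indicators,
                      verdict: indicators.length ? 'block' : 'review' });
      continue;
    }
    const u = new URL(src[1], pageUrl);            // resolves relative paths against the page
    let verdict = 'block';
    if (u.origin === page.origin) verdict = 'same-origin';
    else if (allowlist.has(baseDomain(u.hostname))) verdict = 'allowlisted';
    findings.push({ kind: 'external', src: u.href, verdict });
  }
  return findings;
}

// Count verdicts so a proxy can decide whether to serve the page at all.
function summarize(findings) {
  return findings.reduce((acc, f) => {
    acc[f.verdict] = (acc[f.verdict] || 0) + 1;
    return acc;
  }, {});
}

// Constructed page: a cloned article with its own bundle, one trusted CDN,
// one script pulled from a bare IP, and two inline blocks.
const SAMPLE_PAGE_URL = 'https://australianmorningnews.com/2022/06/sick-leave-update';
const ALLOWLIST = new Set(['trusted-cdn.example']);
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://static.trusted-cdn.example/lib.js"></script>
<script src="https://203.0.113.50/i/?v=3"></script>
<script>
  var pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example:3478' }] });
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><h1>Sick Leave update from HR</h1></body></html>`;

console.log(auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, ALLOWLIST));
console.log(summarize(auditScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, ALLOWLIST)));
```

The design choice worth noting: the verdict for an unknown third-party host is block, not review. Media sites legitimately load from a handful of CDNs, which is exactly what an allowlist captures; everything else, including scripts fetched from a bare IP, is where a watering hole payload would sit.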

Unique angle: this predicts a boom in JS-only espionage. Why build custom C2 when browsers do RTC for free? MSS economies of scale—train once, deploy forever.

Proofpoint pegs moderate confidence on TA423. But Hainan base, MSS links? Fits like glove.

What Happens Post-ScanBox?

Data fuels phase two: tailored phish, exploits. Energy firms? Tech secrets. Australians? Policy intel.

Broader why: China’s gray-zone playbook. Cyber softens targets sans war declaration.

My prediction? 2023 sees ScanBox in Europe—Ukraine distractions pull eyes east.

Skepticism check: the public reports cut off midway through the threat actor description. But the dots connect.

Patch your browser. Scrub media links. And watch Hainan.


Frequently Asked Questions

What is a watering hole attack?

Attackers compromise sites victims frequent—like news portals—then serve malware to specific visitors.

Who is Red Ladon APT?

China-based TA423, tied to Hainan MSS, indicted by US for cyber-espionage supporting state intel.

How does ScanBox keylogger work without malware?

JavaScript runs in-browser, hooks keystrokes, uses WebRTC/STUN to exfil data past NAT/firewalls.

Written by Sarah Chen

AI research editor covering LLMs, benchmarks, and the race between frontier labs. Previously at MIT CSAIL.


Originally reported by Threatpost
