In August 2023, government agencies and telecommunications companies in the Middle East and Asia were targeted by a sophisticated cyber threat actor known as Budworm, which has links to China. This threat actor deployed an updated set of malicious tools, including the SysUpdate toolkit, in these intrusions, according to a report by the Symantec Threat Hunter Team, part of Broadcom.
Budworm, also known by various aliases like APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, has been active since at least 2013. Its primary objective is intelligence gathering across a wide range of industries. To achieve its goals, this nation-state group employs a toolkit comprising tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell. These tools allow them to steal valuable information and maintain access to sensitive systems for extended periods.
A prior report by SecureWorks in 2017 highlighted Budworm’s focus on collecting defense, security, and political intelligence from organizations globally, underscoring the significant threat it poses.




Furthermore, Budworm has been observed exploiting vulnerabilities in internet-facing services as a means to infiltrate targeted networks. In a previous report from March, Trend Micro highlighted the Linux version of SysUpdate used by Budworm, which is designed to evade security software and resist reverse engineering efforts.
This backdoor is quite versatile, allowing it to capture screenshots, terminate specific processes, perform file operations, retrieve drive information, and execute commands on compromised systems.
Symantec noted that in addition to their custom malware, Budworm also employed a range of commonly available tools and techniques in these attacks. Interestingly, the group’s malicious activity seems to have been halted early in the attack process, with the primary observed activity being the harvesting of credentials.
This latest development places Budworm among the growing list of threat actors that have set their sights on the telecommunications sector in the Middle East. Notably, this includes previously undisclosed groups referred to as ShroudedSnooper and Sandman.
It’s worth noting that Budworm has been using SysUpdate since at least 2020, and the attackers continually enhance the tool to improve its capabilities and avoid detection.
The fact that Budworm continues to employ a known malware like SysUpdate, along with its familiar techniques such as DLL side-loading using applications it has used in the past, suggests that the group may not be overly concerned about being linked to these activities if they are discovered.