EXECUTIVE SUMMARY:
A new operational pattern has emerged in the cyber espionage landscape, characterized by advanced coordination between China-aligned APT groups: one group functions as an upstream access broker while another conducts downstream exploitation, effectively creating a premium access service model that complicates both detection and attribution efforts. Termed the Premier Pass-as-a-Service model, this trend involves the sharing of access or infrastructure such that one actor provides a fast pass into critical assets for another actor.
The operation demonstrates collaboration between two intrusion sets: one that broadly targets government and telecommunications sectors across the Asia-Pacific region, and another that focuses on high-value entities, including government agencies, defense contractors, telecom providers, and media organizations in Taiwan and NATO-aligned countries. In one documented case, the upstream actor initially compromised a vulnerable internal web server and deployed the CrowDoor backdoor, after which access was handed to a downstream actor who deployed ShadowPad using DLL side-loading. The infection chain leveraged tools such as Draculoader, Cobalt Strike, CrowDoor, and ShadowPad. Both backdoors were loaded through side-loading chains: CrowDoor via LogServer.exe loading VERSION.dll, which in turn loaded the LogServer payload, and ShadowPad via Bdreinit.exe loading wer.dll, which decrypted a payload stored in a temporary directory. The actors also employed additional post-exploitation utilities, including AnyDesk for remote control, the EarthWorm SOCKS5 tunneling tool, and custom LSASS dumping utilities. A four-tier classification model was introduced to describe varying levels of inter-actor cooperation, with the Premier Pass arrangement aligning with the higher end, where one intrusion set deploys payloads or provides operational infrastructure for another.
This evolving model of threat actor cooperation represents a major shift in the cyber-espionage threat landscape. The emergence of an access-broker-to-operator relationship means that defenders can no longer assume a single group is responsible for an intrusion chain. Instead, organizations must recognize the likelihood of multi-actor, layered operations in which one group hands off a foothold to another, obscuring attribution and complicating incident response. To counter this trend, enterprises should implement layered detection strategies that monitor suspicious file deployments, unauthorized remote-administration tools, anomalous edge-device activity, and lateral movement behaviors indicative of shared operational environments.
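As an added illustration of the detection guidance above (example code, not part of the original summary or either vendor's tooling), the following script runs two simple rules over constructed Sysmon-style image-load records: a system DLL name such as VERSION.dll or wer.dll resolved from outside the Windows system directories, and an executable and DLL sitting together in a temp or user-writable directory. The record format, the install paths, and the svchost.exe/tool.exe/helper.dll entries are assumptions for the sample data; only the LogServer.exe, VERSION.dll, Bdreinit.exe and wer.dll names come from the summary.

```python
import re
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names the summary pairs with the side-loaded payloads; both are legitimate
# Windows library names, so the anomaly is the directory the copy was loaded from.
WATCHED_DLLS = {"version.dll", "wer.dll"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# Constructed Sysmon-style image-load records; the paths and the last two
# file names are sample data, not taken from the summary.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\LogServer\LogServer.exe ImageLoaded=C:\Program Files\LogServer\VERSION.dll",
    r"Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\version.dll",
    r"Image=C:\Users\Public\Bdreinit.exe ImageLoaded=C:\Users\Public\wer.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\tool.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll",
]

RECORD_RE = re.compile(r"Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+)$")

def parse_event(line):
    """Return (process image, loaded DLL) from one record, or None if malformed."""
    m = RECORD_RE.match(line.strip())
    return (m.group("image"), m.group("dll")) if m else None

def check_load(image, dll):
    """Return the name of the rule one image-load trips, or None if it looks benign."""
    img_dir = ntpath.dirname(image.lower()) + "\\"
    lib = dll.lower()
    lib_dir = ntpath.dirname(lib) + "\\"
    # Rule 1: a system DLL name resolved from outside the system directories,
    # i.e. the LogServer.exe/VERSION.dll and Bdreinit.exe/wer.dll pattern.
    if ntpath.basename(lib) in WATCHED_DLLS and not lib_dir.startswith(SYSTEM_DIRS):
        return "system-dll-name-outside-system-dir"
    # Rule 2: executable and DLL sitting together in a temp or user-writable directory.
    if lib_dir == img_dir and any(marker in lib_dir for marker in TEMP_MARKERS):
        return "paired-load-from-writable-dir"
    return None

def detect_sideloads(lines):
    """Run both rules over raw records; return (image, dll, rule) tuples in input order."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        rule = check_load(*parsed) if parsed else None
        if rule:
            findings.append((parsed[0], parsed[1], rule))
    return findings
```

The second sample record shows why the rule keys on load location rather than file name: the genuine version.dll under System32 produces no finding.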
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1083 | File and Directory Discovery | - |
| Lateral Movement | T1021.003 | Remote Services | Distributed Component Object Model |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1090.002 | Proxy | External Proxy |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details: