According to an advisory from Trend Micro, the attacks are linked to Earth Wendigo, a threat actor that does not appear to be affiliated with known hacking groups.
Trend Micro said that, starting in May 2019, Earth Wendigo has been targeting multiple organizations in Taiwan, including government entities, research institutions, and universities.
The attacks include spear-phishing emails sent to various targets, including politicians and activists linked to Tibet, the Uyghur region, or Hong Kong.
Trend Micro reported that the XSS vulnerability was fixed in January 2020, meaning that only organizations that haven’t updated to the latest version of the webmail server remain exposed.
The backdoor reads emails on the server and sends their content and attachments to the attacker’s WebSocket server.
In addition to targeting webmail servers, Earth Wendigo also uses Python malware compiled into Windows executables; these were found to be shellcode loaders, most likely for Cobalt Strike payloads.
Some of the Python samples are backdoors that request additional Python code from the command and control (C&C) server. However, Trend Micro could not determine the purpose of the fetched code.