This top Microsoft Office alternative has been hijacked by Chinese hackers — and their malware is coming for your devices

This group, which apparently is on the Chinese government’s payroll, delivers malware through software updates for legitimate tools such as WPS Office, Tencent QQ, and Sogou Pinyin.

Potent tool

This doesn’t seem to be a classic supply chain attack, as the software itself is not compromised, and neither are the updates. Instead, the hackers intercept the traffic between the server hosting the update and the target endpoint and work in the middle. It is unknown exactly how the attackers are able to intercept the traffic. ESET believes Blackwood might be using an implant in the victims’ networks, possibly in routers and similar devices.

The malware they look to install on target endpoints is called NSPX30. The researchers describe this malware as “sophisticated”, and say its built upon a simple backdoor from 2005 called Project Wood. 

NSPX30 has grown into a capable tool, however. Today, it can log keystrokes, grab screenshots, pull system information, and exfiltrate other data from the devices. It can also steal chat logs and contact lists from different communications apps, including Telegram, and Skype. Finally, it can terminate processes by PID, create a reverse shell, move files, and uninstall itself if necessary.

Most of the victims seem to be located in China. However, there are compromised devices in Japan, and the United Kingdom, too. Blackwood’s activities can be traced back to 2020.  

Those looking to stay protected from Blackwood and similar threats should read ESET’s in-depth report on the malware and its operations, here. This report, among other things, offers a list of indicators of compromise which IT teams can use to protect their infrastructure. 

More from TechRadar Pro

• Chinese hackers quietly exploited a VMware zero-day for two years
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now