Firefly

Firefly, also known as Naikon, is a Chinese espionage threat actor. Reporting cited in the source material notes the group has been described as an APT possibly associated with PLA Unit 78020 and operating in the Southern Theater Command area of responsibility. Firefly has been linked to long-running espionage activity in Asia, including attacks against a military organization in Southeast Asia and use of the Rainyday backdoor in a campaign targeting multiple telecom operators in a single Asian country, as well as a telecom-sector services company and a university in another Asian country. In the telecom campaign, Rainyday variants were executed via DLL sideloading, including fspmapi.dll loaded by a legitimate F-Secure executable (fsstm.exe), and security.dll sideloaded by msproxy.exe, with encrypted shellcode read from files such as dataresz, iReports, and nod193100 and decrypted with single-byte XOR keys. The broader campaign also involved credential theft, keylogging, port scanning, Responder-based LLMNR/NBT-NS/mDNS poisoning, and enabling RDP. Separately, Firefly was linked to a previously unseen exfiltration tool wrapped in Python around a public Google Drive client. That tool searched for .jpg files in the System32 directory and uploaded them to Google Drive using a hardcoded refresh token; many of the .jpg files were actually encrypted RAR archives, and exfiltrated data reportedly included documents, meeting notes, call transcripts, building plans, email folders, and accounting data.