Ransom note example left by NailaoLocker | Image: Orange Cyberdefense
Experts at Orange Cyberdefense have uncovered a new cyber campaign dubbed Green Nailao, which targeted multiple European healthcare institutions in the latter half of 2024. The attacks involved the deployment of ShadowPad and PlugX backdoors, along with the introduction of a previously unidentified ransomware strain, NailaoLocker.
The attackers exploited CVE-2024-24919 (CVSS score: 8.6), a vulnerability in Check Point VPN, which allowed them to extract password hashes and gain access to user accounts. Following initial access, they conducted network reconnaissance and lateral movement via RDP. The operation incorporated DLL Sideloading and Windows Registry-based code injection, ultimately leading to the deployment of a modified ShadowPad variant on victim systems.
The command-and-control (C2) infrastructure was distinguished by the use of forged digital certificates impersonating Intel and Dell. The servers were hosted on the VULTR platform, while the attackers leveraged compromised IoT devices and Proton VPN nodes for anonymization.
In the final phase of the attack, the hackers attempted to exfiltrate critical files, including the Active Directory database (ntds.dit), which contains user credentials and authentication data. Subsequently, they deployed NailaoLocker, which encrypted files using the AES-256-CTR algorithm, appending the “.locked” extension. The ransom demand specified payment in Bitcoin and required victims to establish contact via a one-time ProtonMail address.
A technical analysis of NailaoLocker revealed that the ransomware lacked sophistication—it failed to scan network drives, terminate processes interfering with encryption, or incorporate debugging evasion mechanisms. This led researchers to speculate that NailaoLocker may have served as a diversionary tactic, concealing the true objective of the campaign: cyber-espionage.
While no direct attribution to a specific APT group has been established, security experts note that the tools and tactics employed align closely with hallmarks of Chinese cyber operations. ShadowPad has long been associated with state-sponsored espionage, and the three-stage malware deployment strategy mirrors techniques previously observed in BRONZE UNIVERSITY operations. Moreover, Chinese cyber groups have been known to target healthcare institutions in the past, further reinforcing the likelihood of nation-state involvement.
