The findings underline the expansion of the Chinese malware ecosystem, an increase in activity by Chinese speaking cybercrime operators, and the open access they now have to China-specific resources and targets. All this places a serious challenge to the current dominance of Russian-speaking cybercrime market in the threat landscape.

Here is a quick overview of the evidence :
• In 2023, Proofpoint observed over 30 campaigns leveraging Chinese-language malware, such as the newly discovered ValleyRAT and the older Sainbox RA (a variant of Gh0stRAT) and Purple Fox.

• Nearly all lures are in Chinese, although Proofpoint has also observed messages in Japanese targeting organizations in that country.

• After years of this malware not appearing in Proofpoint threat data, their appearance in multiple campaigns over the last six months is notable.

• Multiple threat actors instead of one are driving the spike. These attacks appear to be financially motivated with no indication of state-backed aims.