
SLOW#TEMPEST: Explaining the TTPs of the Cyber Espionage Campaign

Written by Sıla Özeren | Mar 5, 2025 10:04:24 AM

SLOW#TEMPEST is a covert cyber espionage group that emerged in 2024, specializing in stealthy infiltration and persistent access operations. The group employs sophisticated phishing tactics by distributing malicious ZIP files—often password-protected and featuring deceptive, Chinese-language lures—to target organizations primarily in Chinese-speaking regions. Once a victim is compromised, SLOW#TEMPEST uses advanced techniques such as DLL hijacking to inject Cobalt Strike implants into systems, enabling them to harvest credentials, escalate privileges, and move laterally across networks.

In this blog, we will analyze the tactics, techniques, and procedures (TTPs) of the SLOW#TEMPEST threat group, offering detailed insights into their operational evolution, methods of attack, and potential defense strategies that can help mitigate their impact.

Analyzing SLOW#TEMPEST Campaign's Advanced Tactics, Techniques, and Procedures (TTPs)

This section provides a comprehensive analysis of these TTPs, offering insights into how SLOW#TEMPEST espionage campaign operates and the tools they employ.

TA0001: Initial Access

T1566.001 - Phishing: Spearphishing Attachment

SLOW#TEMPEST attackers have been observed distributing malicious ZIP files via phishing emails, with the emails containing the password (or instructions) needed to open the archive. Once opened, these ZIP files reveal a deceptive LNK file masquerading as a Microsoft Word document, which then triggers the malicious payload.

This delivery method—using tailored, unsolicited emails with malicious attachments—is a textbook example of T1566.001.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves executing a binary via a masqueraded LNK file.

TA0003 - Persistence

A. T1136.001 - Create Account: Local Account

SLOW#TEMPEST adds the Guest account to the local Administrators group, granting it administrative privileges. This tactic enables the threat actors to bypass standard security monitoring and establish a persistent foothold within the system, thereby facilitating lateral movement and covert operations.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves adding the guest user account to the local Administrators group.

Process 1:
    net.exe localgroup administrators guest /add

Rewind Processes (cleanup):
Process 1:
    net.exe localgroup administrators guest /delete

B. T1136.001 - Create Account: Local Account

SLOW#TEMPEST analysis shows that the threat actors enable the built-in Guest account—which is normally inactive—to create a hidden, persistent backdoor for maintaining access. This tactic bypasses typical monitoring of administrative accounts and provides attackers with an alternative means to move laterally across the network, thereby enhancing their ability to remain undetected.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves activating guest users using the “net user” command.

T1569.002 - System Services: Service Execution

SLOW#TEMPEST creates and configures a new system service that is automatically started during system startup, ensuring their malicious payload is executed on every boot.

By embedding their operations within the system’s standard service framework, they can evade detection and secure long-term access for further lateral movement and data exfiltration.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves creating a new service.

In this attack action, a service called "windowsinspectionupdate" is created using sc.exe.

TA0005: Defense Evasion

T1574.002 - Hijack Execution Flow: DLL Side-Loading

SLOW#TEMPEST employs DLL Side-Loading via Microsoft's LicensingUI application.

In the attack chain, the adversaries deliver a malicious LNK file that, when executed, launches a legitimate Microsoft-signed executable—LicensingUI.exe (renamed to UI.exe). Normally, LicensingUI.exe loads a trusted DLL (dui70.dll) from the system directory. However, SLOW#TEMPEST exploits a DLL path traversal vulnerability, placing a malicious version of dui70.dll in the same directory. 

This allows the attacker’s DLL to be loaded instead of the legitimate one, effectively injecting a Cobalt Strike implant into the system.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves loading a DLL file using DLL Side-Loading technique.

This side-loading technique is a key component of the SLOW#TEMPEST campaign, as it enables persistent and covert control of the compromised system.
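To make the side-loading pattern above concrete from the detection side, here is an added Python example (not Picus code and not part of the original post) that reads records shaped like Sysmon Event ID 7 (ImageLoaded) and Event ID 1 (process creation) and flags two things: dui70.dll loaded from anywhere other than the Windows system directories, and a process whose OriginalFileName is LicensingUI.exe but whose on-disk name is something else, such as UI.exe. The sample records, the directory list and the field handling are assumptions made for illustration.

```python
"""Added example, not Picus code: flag loads of dui70.dll that do not come from the
Windows system directories, and renamed copies of the signed side-loading host the
page names (LicensingUI.exe run as UI.exe). Records are constructed below with the
field names of Sysmon Event ID 7 (ImageLoaded) and Event ID 1 (process creation);
in production they would be read from Microsoft-Windows-Sysmon/Operational."""
import ntpath
from typing import Optional

# Directories the legitimate dui70.dll is expected to load from (lower-case, no trailing slash).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names this page reports as side-loaded; extend with other known hijackable DLLs.
WATCHED_DLLS = {"dui70.dll"}
# Signed host binaries this page names; renamed copies of these deserve a look.
WATCHED_HOSTS = {"licensingui.exe"}


def is_trusted_dir(path: str) -> bool:
    """True when the file sits directly in one of TRUSTED_DIRS (case-insensitive)."""
    return ntpath.dirname(path).lower().rstrip("\\") in TRUSTED_DIRS


def check_image_load(event: dict) -> Optional[str]:
    """Sysmon Event 7: a watched DLL loaded from outside the system directories."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() in WATCHED_DLLS and not is_trusted_dir(loaded):
        return f"side-load: {event['Image']} loaded {loaded}"
    return None


def check_renamed_host(event: dict) -> Optional[str]:
    """Sysmon Event 1: a watched host whose on-disk name differs from its OriginalFileName."""
    on_disk = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    if original in WATCHED_HOSTS and original != on_disk:
        return f"renamed host: {event['Image']} carries OriginalFileName {event['OriginalFileName']}"
    return None


def scan(events: list) -> list:
    """Dispatch each record to the check for its event type; return findings in event order."""
    findings = []
    for ev in events:
        hit = None
        if ev["EventID"] == 1:
            hit = check_renamed_host(ev)
        elif ev["EventID"] == 7:
            hit = check_image_load(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: the renamed LicensingUI.exe loading dui70.dll from a user-writable
# directory, next to the legitimate binary loading the DLL from System32.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\UI.exe",
     "OriginalFileName": "LicensingUI.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\UI.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\dui70.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "OriginalFileName": "LicensingUI.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\LicensingUI.exe",
     "ImageLoaded": r"C:\Windows\System32\dui70.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two records from the Temp directory produce findings; the legitimate LicensingUI.exe loading dui70.dll from System32 stays silent. Sysmon Event 7 also carries the Signed and Signature fields, so a copy of dui70.dll that is unsigned or not signed by Microsoft would strengthen the side-load finding further.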

T1055.001 - Process Injection: Dynamic-link Library Injection

SLOW#TEMPEST dynamically injects shellcode through a DLL into the runonce.exe process, effectively taking over its execution flow to covertly run the payload—in this instance, the Cobalt Strike implant. This tactic allows the attackers to mask their malicious actions within a legitimate system process, making detection much more challenging.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves injecting shellcode into the "runonce.exe" process via the Early Bird APC Queue technique.

T1070.001 - Indicator Removal: Clear Windows Event Logs

In one of the analyses, SLOW#TEMPEST was observed using the wevtutil.exe utility to clear PowerShell logs. This tactic helps erase traces of their malicious activity and hampers forensic investigations by removing records of potentially suspicious PowerShell command executions.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves deleting Windows PowerShell event logs via wevtutil.

wevtutil.exe cl "windows powershell"

TA0006: Credential Access

SLOW#TEMPEST employs credential harvesting using Mimikatz.

In this stage, the attackers execute a known version of the tool to first elevate privileges—gaining access to debug-level rights—before dumping sensitive authentication data from system memory. This process extracts plaintext passwords, NTLM hashes, and Kerberos tickets from active logon sessions, providing the adversaries with the necessary credentials to move laterally and escalate their access across the network.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves gathering credentials using the Mimikatz Tool.

%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit

TA0007 - Discovery

A. T1087 - Account Discovery

SLOW#TEMPEST leverages a .NET loader to execute the BloodHound domain enumeration tool for in-depth Active Directory reconnaissance.

In this phase of the attack, the threat actors deploy a .NET-based loader to dynamically load and execute BloodHound in memory, allowing them to stealthily collect extensive AD data without leaving obvious disk artifacts, thus enhancing their lateral movement and privilege escalation capabilities.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves executing BloodHound Ingestor by using a .NET Loader.

B. T1087 - Account Discovery

SLOW#TEMPEST utilizes built-in system commands like “net user /domain” to enumerate domain accounts, which aids in mapping out the Active Directory environment and identifying high-value targets for lateral movement and further exploitation.

This command reveals all domain users, providing the attackers with crucial intelligence on the network's structure and potential attack vectors, reinforcing their strategic approach to cyber espionage.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves listing domain accounts leveraging the net user tool.

net.exe user /domain

T1016 - System Network Configuration Discovery

Evidence shows that SLOW#TEMPEST leverages built-in Windows commands to perform comprehensive system network configuration discovery.

In this approach, the attackers execute a sequence of commands—namely, "ipconfig /all", "arp -a", "route PRINT", "systeminfo", and "tasklist /v /fo 'TABLE'"—each appending its output to a temporary file. This method gathers critical network, system, and process information that can be used to map the victim's environment and plan further lateral movement, all while blending in with legitimate system activity.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves leveraging built-in tools for system network configuration discovery.

cmd.exe /c ipconfig /all >> "%TMP%\exfil.txt"
cmd.exe /c arp -a >> "%TMP%\exfil.txt"
cmd.exe /c route PRINT >> "%TMP%\exfil.txt"
cmd.exe /c systeminfo >> "%TMP%\exfil.txt"
cmd.exe /c tasklist /v /fo "TABLE" >> "%TMP%\exfil.txt"
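A single ipconfig or tasklist is routine on any host, so the useful signal in the sequence above is the combination: several of these discovery tools launched by the same parent process within a short window, each redirecting its output to the same file. The Python below is an added example, not Picus code, that correlates records shaped like Windows Security Event 4688 (with command-line auditing enabled) on exactly that pattern. The sample events, the 60-second window and the three-tool threshold are assumptions chosen for illustration.

```python
"""Added example, not Picus code: correlate the discovery commands the page lists
(ipconfig /all, arp -a, route PRINT, systeminfo, tasklist /v) when several of them are
launched by the same parent process within a short window and append output to the same
file. Records are constructed below with Security Event 4688 field names."""
from datetime import datetime, timedelta
import re

# One pattern per discovery tool the page lists, applied to the lower-cased command line.
DISCOVERY_TOOLS = {
    "ipconfig": re.compile(r"\bipconfig\s+/all\b"),
    "arp": re.compile(r"\barp\s+-a\b"),
    "route": re.compile(r"\broute\s+print\b"),
    "systeminfo": re.compile(r"\bsysteminfo\b"),
    "tasklist": re.compile(r"\btasklist\b"),
}
# Captures the file an output redirection (> or >>) points at, with or without quotes.
REDIRECT = re.compile(r'>>?\s*"?([^"\s]+)')


def classify(cmdline: str):
    """Return (tool, output_file) if the command line runs a listed discovery tool, else None."""
    text = cmdline.lower()
    for tool, pattern in DISCOVERY_TOOLS.items():
        if pattern.search(text):
            m = REDIRECT.search(cmdline)
            return tool, (m.group(1) if m else None)
    return None


def find_discovery_bursts(events: list, window_seconds: int = 60, min_tools: int = 3) -> list:
    """Group discovery commands by parent PID and report the first window that reaches min_tools distinct tools."""
    by_parent = {}
    for ev in events:
        hit = classify(ev["CommandLine"])
        if hit:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_parent.setdefault(ev["ParentProcessId"], []).append((ts, hit[0], hit[1], ev["ProcessId"]))

    findings = []
    window = timedelta(seconds=window_seconds)
    for parent, hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for start, *_ in hits:
            in_window = [h for h in hits if start <= h[0] <= start + window]
            tools = {h[1] for h in in_window}
            if len(tools) >= min_tools:
                findings.append({
                    "parent_pid": parent,
                    "first_seen": start.isoformat(),
                    "tools": sorted(tools),
                    "output_files": sorted({h[2] for h in in_window if h[2]}),
                    "child_pids": [h[3] for h in in_window],
                })
                break  # one finding per parent process is enough for triage
    return findings


# Constructed sample: the page's five commands from one parent within seconds, plus a
# lone ipconfig from an unrelated parent that should not be reported.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-03-05T10:04:01", "ParentProcessId": 4480, "ProcessId": 5001,
     "CommandLine": r'cmd.exe /c ipconfig /all >> "%TMP%\exfil.txt"'},
    {"TimeCreated": "2025-03-05T10:04:02", "ParentProcessId": 4480, "ProcessId": 5002,
     "CommandLine": r'cmd.exe /c arp -a >> "%TMP%\exfil.txt"'},
    {"TimeCreated": "2025-03-05T10:04:03", "ParentProcessId": 4480, "ProcessId": 5003,
     "CommandLine": r'cmd.exe /c route PRINT >> "%TMP%\exfil.txt"'},
    {"TimeCreated": "2025-03-05T10:04:04", "ParentProcessId": 4480, "ProcessId": 5004,
     "CommandLine": r'cmd.exe /c systeminfo >> "%TMP%\exfil.txt"'},
    {"TimeCreated": "2025-03-05T10:04:05", "ParentProcessId": 4480, "ProcessId": 5005,
     "CommandLine": r'cmd.exe /c tasklist /v /fo "TABLE" >> "%TMP%\exfil.txt"'},
    {"TimeCreated": "2025-03-05T11:30:00", "ParentProcessId": 1234, "ProcessId": 6001,
     "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for burst in find_discovery_bursts(SAMPLE_EVENTS):
        print(burst)
```

The shared output file is reported alongside the tool list because it is the cheapest pivot for the responder: the same path is where any staged data would sit before exfiltration, and it ties the five child processes together even when they were spawned seconds apart.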

TA0008 - Lateral Movement

T1021.001 - Remote Service: Remote Desktop Protocol

SLOW#TEMPEST exploits the Remote Desktop Protocol (RDP) for lateral movement by intentionally disabling security features designed to safeguard credential integrity during remote sessions.

In technical terms, the attackers modify specific registry settings that enforce Restricted Admin Mode—a Windows security feature that normally prevents the transmission of user credentials over RDP. By altering this setting, they effectively lower the system’s security posture, allowing for techniques such as pass-the-hash and unimpeded remote access. This change is then verified through subsequent registry queries, confirming that the modifications have taken effect and that the system no longer enforces the protections normally applied during RDP sessions.

Overall, this technical approach enables the threat actors to gain stealthy, persistent access to additional systems on the network, facilitating further lateral movement and expanding their foothold.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves enabling Restricted Admin Mode on Local Machine via Registry.

Process 1:
    reg.exe add "hklm\system\currentcontrolset\control\lsa" /v "disablerestrictedadmin" /t reg_dword /d 00000000 /f

Process 2:
    reg.exe query "hklm\system\currentcontrolset\control\lsa"


TA0009 - Collection

T1056 - Input Capture

Evidence that SLOW#TEMPEST employs T1056 – Input Capture is demonstrated by the observed execution of the SharpBlock tool.

This open-source utility is used by the threat actors to capture sensitive input data, such as keystrokes and credentials, enabling them to harvest information stealthily from compromised systems, thus reinforcing their cyber espionage capabilities.

How Do We Help?

One of the threats added to the Picus Threat Library for SLOW#TEMPEST Cyber Espionage Group—as part of the Picus Security Control Validation product—involves executing the SharpBlock Tool.

cmd.exe /c ""%TMP%\SharpBlock.exe" -e "%TMP%\loadlibrary-test.exe" -n ll-test.dll"
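Most of the SLOW#TEMPEST actions described in this post leave a distinctive command line: the guest account changes (T1136.001), the sc.exe service (T1569.002), wevtutil log clearing (T1070.001), the Mimikatz modules (TA0006), net user /domain (T1087), the DisableRestrictedAdmin registry change (T1021.001) and SharpBlock (T1056). One rule table over process-creation events therefore covers all of them. The Python below is an added example, not Picus code, that applies such a table to records shaped like Sysmon Event ID 1. The sample events are constructed; the sc.exe line and the net user /active:yes activation are assumed forms the post does not quote, and the technique labels are the ones the post uses.

```python
"""Added example, not Picus code: match process-creation command lines against the
commands this page attributes to SLOW#TEMPEST. Sample records are constructed below with
Sysmon Event ID 1 field names; in production they would be read from the Sysmon or
Security (4688) channel. Technique labels are the ones the page uses."""
import re

# (technique label from the page, rule name, pattern applied to the normalised command line)
RULES = [
    ("T1136.001", "Guest added to local Administrators",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+guest\s+/add\b")),
    # Assumed form of the 'net user' activation the page mentions without quoting it.
    ("T1136.001", "built-in Guest account enabled",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+guest\s+/active:yes\b")),
    ("T1569.002", "service created with sc.exe",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+")),
    ("T1070.001", "event log cleared with wevtutil",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")),
    ("TA0006", "Mimikatz credential dump modules",
     re.compile(r"privilege::debug|sekurlsa::logonpasswords")),
    ("T1087", "domain account enumeration with net user",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+/domain\b")),
    ("T1021.001", "DisableRestrictedAdmin changed under the Lsa key",
     re.compile(r"\breg(?:\.exe)?\s+add\s+\"?hklm\\system\\currentcontrolset\\control\\lsa\b.*disablerestrictedadmin")),
    ("T1056", "SharpBlock executed",
     re.compile(r"\bsharpblock(?:\.exe)?\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so the patterns above stay simple."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_rules(cmdline: str) -> list:
    """Return (technique, rule name) pairs for every rule the command line triggers."""
    text = normalise(cmdline)
    return [(tid, name) for tid, name, pat in RULES if pat.search(text)]


def scan_events(events: list) -> list:
    """Run every rule over every event; one finding per (event, rule) hit, in event order."""
    findings = []
    for ev in events:
        for tid, name in match_rules(ev["CommandLine"]):
            findings.append({"time": ev["UtcTime"], "pid": ev["ProcessId"],
                             "technique": tid, "rule": name, "cmd": ev["CommandLine"]})
    return findings


# Constructed sample: the page's command lines plus one benign process for contrast.
# The sc.exe line and the 'net user' activation are assumed forms, not quoted from the page.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-05 10:04:01", "ProcessId": 4101,
     "CommandLine": "net.exe localgroup administrators guest /add"},
    {"UtcTime": "2025-03-05 10:04:02", "ProcessId": 4102,
     "CommandLine": "net.exe user guest /active:yes"},
    {"UtcTime": "2025-03-05 10:04:03", "ProcessId": 4103,
     "CommandLine": r'sc.exe create windowsinspectionupdate binPath= "C:\Users\victim\AppData\Local\Temp\svc.exe" start= auto'},
    {"UtcTime": "2025-03-05 10:04:04", "ProcessId": 4104,
     "CommandLine": 'wevtutil.exe cl "windows powershell"'},
    {"UtcTime": "2025-03-05 10:04:05", "ProcessId": 4105,
     "CommandLine": r'%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit'},
    {"UtcTime": "2025-03-05 10:04:06", "ProcessId": 4106,
     "CommandLine": "net.exe user /domain"},
    {"UtcTime": "2025-03-05 10:04:07", "ProcessId": 4107,
     "CommandLine": r'reg.exe add "hklm\system\currentcontrolset\control\lsa" /v "disablerestrictedadmin" /t reg_dword /d 00000000 /f'},
    {"UtcTime": "2025-03-05 10:04:08", "ProcessId": 4108,
     "CommandLine": r'cmd.exe /c ""%TMP%\SharpBlock.exe" -e "%TMP%\loadlibrary-test.exe" -n ll-test.dll"'},
    {"UtcTime": "2025-03-05 10:04:09", "ProcessId": 4109,
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['time']} pid={f['pid']} {f['technique']:<10} {f['rule']}")
```

Each of the eight attack command lines triggers exactly one rule and the svchost.exe line triggers none. The patterns accept net1.exe and bare tool names as well as the .exe form, since command-line auditing records whatever the operator typed; running the same table against the Picus simulation described in this post is a quick way to confirm that logging and forwarding are actually in place before relying on the rules.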

How Does Picus Help Against the SLOW#TEMPEST Cyber Espionage Group?

We strongly suggest simulating threat groups such as SLOW#TEMPEST to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.

The Picus Threat Library includes the following threats for the SLOW#TEMPEST espionage campaign.

Threat ID   Threat Name                          Attack Module
27813       SLOW#TEMPEST Threat Group Campaign   Windows Endpoint

Defense Strategies Against SLOW#TEMPEST Cyber Espionage Attacks

To mitigate the impact of SLOW#TEMPEST, organizations should adopt a layered defense approach:

Deploy Advanced Endpoint Detection and Response (EDR) Solutions

SLOW#TEMPEST leverages advanced techniques—such as DLL side-loading, process injection, and credential harvesting with tools like Mimikatz—to achieve persistence and lateral movement. Deploying EDR solutions that can detect anomalous behavior (e.g., unusual process spawning, hidden account activations, or registry modifications) is crucial for identifying and stopping these sophisticated tactics before they can compromise critical systems.

Continuously Test and Validate Security Controls

Given the evolving tactics of SLOW#TEMPEST, organizations must regularly assess the effectiveness of their defenses. Use Breach and Attack Simulation (BAS) solutions, such as the Picus Security Control Validation (SCV) product, to emulate real-world attack scenarios—ranging from phishing and DLL injection to account manipulation and RDP exploitation. This proactive testing helps identify control gaps and provides actionable recommendations to strengthen your security posture.

Implement Network Segmentation and a Zero Trust Model

SLOW#TEMPEST frequently exploits lateral movement via remote desktop protocols and credential theft. By enforcing a Zero Trust model and segmenting your network, you can restrict an attacker’s ability to move freely between systems. This minimizes the risk that a single compromised endpoint could lead to broader network access, effectively containing potential breaches.

Maintain Regular, Immutable Offline Backups and an Incident Response Plan

Given the stealth and persistence of SLOW#TEMPEST’s techniques, it’s essential to assume that breaches might occur. Regularly maintain offline, immutable backups and develop a comprehensive incident response plan to ensure rapid recovery. This ensures that even if attackers manage to establish a foothold, your organization can restore critical systems without succumbing to prolonged disruption or data loss.