The attacks are attributed to Earth Wendigo, a threat actor that does not appear to be aligned with any established hacking group, according to an advisory from Trend Micro.
Earth Wendigo has attacked numerous organisations, including government agencies, academic centres, and universities in Taiwan, beginning in May 2019, Trend Micro said.
The attacks include spear-phishing emails sent to numerous targets, including politicians and activists connected to Tibet, the Uyghur region, or Hong Kong.
In January 2020, Trend Micro announced that the XSS flaw had been patched, meaning that only organisations that have not upgraded to the new version of the webmail server remain exposed.
On the compromised computer, the backdoor reads emails and transfers their content and attachments to the intruder's WebSocket server.
In addition to attacking webmail servers, Earth Wendigo also uses Python ransomware compiled into Windows executables, which were found to be shellcode loaders for code presumably from Cobalt Attack.
Some of the Python samples are backdoors that fetch additional Python code from the command-and-control (C&C) server; Trend Micro could not, however, determine the purpose of the fetched code.