Unveiling Blackwood: A Chinese Cyberespionage Group’s Stealthy Operations

For approximately five years, a covert Chinese cyberespionage group has quietly targeted organizations and individuals in China and Japan, remaining undetected by cybersecurity experts and law enforcement agencies. This article sheds light on the sophisticated tactics employed by this group, including their utilization of adversary-in-the-middle (AitM) attacks to deploy a powerful implant through legitimate software update mechanisms.

Adversary-in-the-Middle Attacks and Deployment Method

This Chinese cyberespionage group, known as Blackwood, has distinguished itself by employing AitM attacks as the primary method for launching their operations. By exploiting vulnerabilities in the update mechanisms of legitimate software, they infiltrate networks and silently deploy their sophisticated implant, called NSPX30.

Blackwood Attacks and NSPX30 Implant

At the heart of Blackwood’s operations is the deployment of their powerful implant, NSPX30. This complex implant consists of a backdoor, dropper, installer, loader, and an orchestrator. Each component works in tandem to provide the cybercriminals with extensive control and capabilities within the compromised systems.

Previous Victims of NSPX30

Blackwood has selectively targeted a small number of victims thus far, focusing on individuals in China and Japan. Notable victims include a Chinese-speaking individual connected to a prestigious British research university and a Japanese engineering and manufacturing firm. These targets suggest the group’s interest in acquiring sensitive information related to academia and advanced technology.

NSPX30 as the Successor of Project Wood

NSPX30, the sophisticated implant utilized by Blackwood, is believed to be an evolution of a notorious 2005 backdoor known as Project Wood. Over the years, Project Wood has served as an essential code base for various implants, making it a foundational element of the Blackwood group’s malware arsenal.

Past incidents involving Project Wood

Public reports indicate that Project Wood has been used in several significant cyber espionage attacks. Notably, in 2011, it was employed to target a prominent political figure from Hong Kong using a spear phishing technique. This incident underscores the group’s expertise in orchestrating targeted attacks.

Connection to the Gelsemium APT and the TooHash Campaign

Furthermore, malware derived from Project Wood, featuring similar capabilities found in the NSPX30 implant, was used in the infamous 2014 cyberespionage campaign known as TooHash. Renowned cybersecurity company ESET attributes the TooHash campaign to the Gelsemium APT, potentially suggesting overlaps or collaboration between Blackwood and Gelsemium.

The Blackwood group employs a cunning deployment mechanism for their implant. By targeting vulnerable routers and gateways, they gain initial access to victims’ networks and subsequently install the NSPX30 implant. This method allows them to intercept unencrypted HTTP traffic related to software updates and surreptitiously deliver the NSPX30 dropper, evading detection.

Functionality of the NSPX30 Backdoor

The backdoor of the NSPX30 implant is a critical element that enables Blackwood’s extensive control over compromised systems. It utilizes a passive UDP listening socket, allowing it to wait for commands from the group’s operators and facilitate the exfiltration of valuable data. The use of this covert communication channel enhances the implant’s stealthy nature.

The successful deployment and exfiltration mechanism exhibited by Blackwood’s AitM system demonstrates its operational effectiveness. The attackers skillfully deploy the NSPX30 backdoor on victim networks, enabling them to send commands and download additional plugins. This seamless process facilitates ongoing surveillance and the extraction of sensitive information for prolonged periods.

Blackwood’s ability to operate stealthily for such an extended period highlights the group’s sophistication and determination. Their utilization of APT attacks and the deployment of the powerful NSPX30 implant demonstrates their advanced capabilities and understanding of complex cyber operations. As cybersecurity professionals continue to investigate and address these threats, organizations must remain vigilant, invest in robust security measures, and stay updated on evolving attack methods to mitigate the risks posed by such cyber espionage groups.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged