Camaro Dragon APT Group Exploits TP-Link Routers With Custom Implant

A Chinese state-sponsored APT group known as Camaro Dragon has been observed exploiting TP-Link routers via a malicious firmware implant.
The findings come from security experts at Check Point Research (CPR) and were described in an advisory published by the company earlier today.
“The implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks,” wrote Itay Cohen, Radoslaw Madej and the CPR Threat Intelligence Team.
Further, the implant’s components are designed to be compatible with different firmware from various vendors.
“The implanted components were discovered in modified TP-Link firmware images. However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors,” wrote CPR.
“While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.”
Still, CPR clarified that it remains uncertain how the firmware images are being installed on the infected routers, as well as how they are being used in real intrusions.
“It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication,” reads the technical write-up.
“The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.”
According to the researchers, the discovery is another instance of a recurring pattern among Chinese hackers of taking advantage of network devices that are publicly accessible on the internet and manipulating the software or firmware within.
To defend against similar attacks, CPR recommended system defenders implement network protections, keep systems updated and change default credentials.
A complete list of recommendations, as well as additional technical details about Horse Shell, is available in the advisory.