BlackTech: The cyber-espionage group BlackTech has been associated with the Waterbear malware for many years, targeting countries in East Asia. In the group's previous campaigns, Waterbear was used primarily for lateral movement across networks, with its loader component decrypting and triggering payloads. In the most recent campaign, Waterbear has added API hooking as its newest technique, used to evade detection by traditional security products, including anti-virus. The Trend Micro report describing this feature states that the vendor of the hooked security product is APAC-based, which aligns with the group's previously targeted companies. That BlackTech knew which API to hook in this campaign suggests the group has knowledge of how certain security products gather information on their clients' networks and endpoints. The API-hooking code in Waterbear takes a generic approach, which makes it easier for the group to customize the hooking feature for each target.
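One defender-side check that follows from the technique described above, added here as an example (it is not code from the Trend Micro report or from the Waterbear sample): a small inline-hook detector that decodes the first instruction at each exported function's entry point and flags any branch that leaves the owning module, which is how a hooked API typically diverts into injected code. The module base, size, export names and entry bytes below are constructed sample data, not values from a real process.

```python
import struct

# Constructed sample: an imaginary module mapped at MODULE_BASE with MODULE_SIZE bytes,
# and the first bytes of three exported functions as they would be read from a live process.
MODULE_BASE = 0x7FF800000000
MODULE_SIZE = 0x1C0000
EXPORTS = {
    # untouched x64 stub: mov r10, rcx; mov eax, 6; test byte ptr [...], 1
    "NtReadFile": (MODULE_BASE + 0x9C5A0, bytes.fromhex("4c8bd1b806000000f604250803fe7f01")),
    # first 5 bytes overwritten with "jmp rel32" landing far outside the module (inline hook)
    "NtWriteFile": (MODULE_BASE + 0x9C6C0,
                    b"\xe9" + struct.pack("<i", -0x3F000000) + bytes.fromhex("f604250803fe7f01")),
    # "push imm32; ret" trampoline to an absolute address (another common patch shape)
    "NtClose": (MODULE_BASE + 0x9C0E0,
                b"\x68" + struct.pack("<I", 0x13370000) + b"\xc3" + bytes.fromhex("0803fe7f01")),
}

MASK64 = 0xFFFFFFFFFFFFFFFF


def classify_entry(addr, code):
    """Decode the instruction at a function entry and report where control would go.
    Returns (kind, target); target is None when the entry is not a branch."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]             # target = slot holding the pointer
        return "jmp_indirect", (addr + 6 + disp) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov_jmp", struct.unpack_from("<Q", code, 2)[0]  # mov rax, imm64; jmp rax
    return "clean", None


def find_hooks(exports, module_base, module_size):
    """Return (name, kind, target, outside_module) for every export whose entry is a branch.
    A branch leaving the module is the strongest hook signal; in-module branches are still
    reported so they can be compared against the on-disk image of the same function."""
    lo, hi = module_base, module_base + module_size
    findings = []
    for name, (addr, code) in exports.items():
        kind, target = classify_entry(addr, code)
        if kind == "clean":
            continue
        findings.append((name, kind, target, not (lo <= target < hi)))
    return findings


if __name__ == "__main__":
    for name, kind, target, outside in find_hooks(EXPORTS, MODULE_BASE, MODULE_SIZE):
        print(f"{name}: {kind} -> {target:#x} {'OUTSIDE module' if outside else 'inside module'}")
```

On a real system the entry bytes would be read from the target process and compared with the same function in the module's on-disk image; here the logic is exercised on the constructed entries only.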
By: Dan McNemar

It is not a new concept that criminals use the Darknet to