Chinese Spy Group Lures Energy Workers With Fake Australian News Site — Then Steals Everything They Type
A state-linked hacking group spent two months tricking employees at offshore energy companies into visiting a bogus news website that silently recorded their every keystroke.

Key points
- Chinese hacking group TA423, also known as Red Ladon, ran a cyber-espionage campaign from April through mid-June 2022 targeting Australian organisations and offshore energy firms in the South China Sea.
- Attackers used fake emails posing as staff from a fictional outlet called "Australian Morning News" to lure victims to a malicious website.
- The site secretly ran a surveillance tool called ScanBox, which recorded everything visitors typed without installing any software on their computers.
- A July 2021 US Department of Justice indictment linked TA423 to China's civilian intelligence agency, the Ministry of State Security.
- Researchers from Proofpoint and PwC jointly published the findings and say the group shows no signs of slowing down.
A China-linked espionage group spent roughly two months this year building a fake Australian news website for one purpose: get energy-sector workers to visit it, then quietly harvest their information.
The campaign, detailed jointly by security firms Proofpoint and PwC, targeted employees at offshore energy companies operating in the South China Sea, alongside organisations inside Australia itself.
How did the hackers get in?
It started with a phishing email — a fake message designed to look trustworthy. Targets received notes with subject lines like "Sick Leave," "User Research," or "Request Cooperation," apparently sent by a journalist at something called the "Australian Morning News." The sender asked recipients to visit their website. That website was not real.
Clicking the link took victims to australianmorningnews[.]com. The page looked plausible — its articles were copied word-for-word from the BBC and Sky News. While visitors read, the site was already running ScanBox in the background.
ScanBox is a surveillance toolkit written in JavaScript, the same programming language that makes ordinary websites interactive in your browser. What makes it particularly nasty is that it leaves nothing on your computer. No file gets downloaded. No antivirus alarm goes off. The code simply runs inside your browser tab and records everything you type — passwords, search terms, messages — then sends that data back to the attackers.
Beyond keylogging, ScanBox quietly profiled each visitor: their operating system, browser version, installed plugins, and — through a web technology called WebRTC — their real IP address, even if they were behind a corporate network gateway designed to hide it. Think of it as a silent intake form that visitors never agreed to fill out.
The group behind this is TA423, also tracked as Red Ladon, believed to operate from Hainan Island, China. The 2021 DoJ indictment assessed that TA423 works in support of China's Ministry of State Security — the country's civilian spy agency. Past victims span twelve countries and industries including aviation, defence, healthcare, and maritime.
Proofpoint's Sherrod DeGrippo said the group "specifically wants to know who is active in the region," with a sustained focus on naval and energy matters near Malaysia, Singapore, Taiwan, and Australia.
Despite the indictment, researchers say TA423 has not meaningfully slowed its operations.
What should employees at energy or government organisations watch for? Emails asking you to visit an unfamiliar news site — especially ones that feel oddly personal or use vague subject lines — are a serious warning sign. If a link takes you somewhere you didn't intend to go, close the tab immediately. MFA — multi-factor authentication, where a login requires a code from your phone as well as a password — would not have stopped ScanBox from running in a browser, but it limits the damage attackers can do with any credentials they collect.



