Beloved VLC Media Player Exploited By Chinese Hackers In Long Running Malware Campaign

hero china vlc
There is a strong possibility that if you're reading this website, you are familiar with VLC Media Player. The popular application, which bundles important codecs along with the player rather than relying on the OS to provide them, is the video player of choice for millions of people who became tired of fussing with "codec packs" and older versions of Windows' poor video playback support.

Like every application that wasn't specifically designed otherwise, VLC draws extensively on support libraries. On Windows, these come in the form of .DLL files. It's quite trivial to modify or replace one of these .DLL files to alter the functionality of the program; this is the basis for a great many PC game mods such as ReShade, 3DMigoto, SpecialK, and others.

However, this technique can also be exploited by bad actors. DLL side-loading, as it's called, can be used to turn an otherwise-innocuous application into a malware delivery device. That's exactly what state-sponsored Chinese hackers from the "Cicada" group have been doing to poor old VLC Media Player since the middle of last year.

VLC did nothing wrong!

Cicada is just one name for this long-lived hacker group in China. It's also been called Stone Panda, APT10, Red Apollo, and other names. There's no question that the group is backed by the Chinese government; its targets in the current attack are mostly other governments and infrastructure, but in the past it has successfully stolen foreign trade secrets, particularly in the technology sector.

This particular attack was documented by security researchers working for Symantec, who say that the attackers had access to some of the victimized networks for as long as nine months. Cicada has traditionally been focused primarily on Japan, but it seems that with this attack the group struck targets in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

Don't worry—application download and update servers weren't compromised, so you're not at risk unless you work for a government or NGO targeted by the hackers. Even then, it's not actually VLC that's at fault; BleepingComputer says that when deploying the exploit, the hackers used security holes in other software, like unpatched versions of Microsoft Exchange. It makes for a grim reminder to keep your software updated.