{"total":1181,"returned":198,"filters":{"country":"CN","sanctioned":false,"limit":500},"bySource":{"mitre":174,"misp":964,"ransomwatch":216,"sanctions":6},"byCountry":[{"country":"CN","count":198},{"country":"RU","count":75},{"country":"IR","count":52},{"country":"KP","count":25},{"country":"PS","count":9},{"country":"TR","count":7},{"country":"VN","count":6},{"country":"UA","count":6},{"country":"US","count":5},{"country":"IL","count":5},{"country":"IN","count":4},{"country":"PK","count":4},{"country":"Unknown","count":4},{"country":"BY","count":4},{"country":"LB","count":3},{"country":"BR","count":3},{"country":"NG","count":3},{"country":"ID","count":3},{"country":"KR","count":2},{"country":"AE","count":2},{"country":"RO","count":2},{"country":"MY","count":2},{"country":"ES","count":2},{"country":"TN","count":2},{"country":"SY","count":2}],"byMotive":[{"motive":"ransomware","count":215},{"motive":"Espionage","count":85},{"motive":"Hacktivists-Nationalists","count":5},{"motive":"Cybercrime","count":2},{"motive":"Sabotage","count":2},{"motive":["Espionage","Sabotage"],"count":1},{"motive":"Extortion","count":1},{"motive":["Denial of service"],"count":1},{"motive":"Denial of service","count":1},{"motive":"Business Email Compromise","count":1},{"motive":["Denial of service"],"count":1},{"motive":"mainly financially motivated, additional espionage objective.","count":1},{"motive":["Denial of service"],"count":1},{"motive":"state-sponsored espionage and financially motivated","count":1},{"motive":"Information Operations","count":1}],"groups":[{"name":"Mustang Panda","aliases":["RedDelta","MUSTANG PANDA","TA416","BRONZE PRESIDENT","STATELY TAURUS","FIREANT","HoneyMyte","Red Lich","TEMP.HEX","BASIN","Earth Preta","Stately Taurus"],"description":"[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailo","targetSectors":["Civil society"],"suspectedVictims":["United States","Germany"],"refs":["https://www.cfr.org/interactive/cyber-operations/mustang-panda","https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://www.secureworks.com/research/threat-profiles/bronze-president","https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military","https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf","https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html","https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader","https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european","https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW","https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf","https://thecyberwire.com/podcasts/microsoft-threat-intelligence/4/notes","https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf"],"sources":["mitre","misp"],"cves":["CVE-2017-0199"],"leakSites":[],"mitreId":"G0129","attackUrl":"https://attack.mitre.org/groups/G0129","techniqueCount":85,"softwareCount":23,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT41","aliases":["Wicked Panda","Brass Typhoon","BARIUM","G0096","TA415","Blackfly","Grayfly","LEAD","WICKED SPIDER","WICKED PANDA","BRONZE ATLAS","BRONZE EXPORT"],"description":"[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://atta","targetSectors":["Automotive","Business","Services","Cryptocurrency","Education","Energy","Financial","Healthcare","High-Tech","Intergovernmental","Media and Entertainment","Pharmaceuticals","Private sector","Retail","Telecommunications"],"suspectedVictims":["China","France","Hong Kong","India","Italy","Japan","Myanmar","Netherlands","Singapore","South Korea","South Africa","Switzerland","Thailand","Turkey","United Kingdom","United States"],"refs":["https://securelist.com/winnti-faq-more-than-just-a-game/57585/","https://securelist.com/winnti-more-than-just-a-game/37029/","http://williamshowalter.com/a-universal-windows-bootkit/","https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/","https://securelist.com/games-are-over/70991/","https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a","https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341","https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/","https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/","https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004","https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/","https://401trg.com/burning-umbrella/","https://attack.mitre.org/groups/G0044/","https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/","https://www.secureworks.com/research/threat-profiles/bronze-atlas","https://www.secureworks.com/research/threat-profiles/bronze-export","https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf","https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer","https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf","https://www.cfr.org/cyber-operations/winnti-umbrella"],"sources":["mitre","misp"],"cves":["CVE-2021-26855","CVE-2020-10189","CVE-2019-3396","CVE-2019-19871","CVE-2019-19781"],"leakSites":[],"mitreId":"G0096","attackUrl":"https://attack.mitre.org/groups/G0096","techniqueCount":82,"softwareCount":32,"country":"CN","suspectedStateSponsor":"People's Republic of China"},{"name":"Volt Typhoon","aliases":["BRONZE SILHOUETTE","Vanguard Panda","DEV-0391","UNC3236","Voltzite","VANGUARD PANDA","Insidious Taurus","VOLTZITE","Dev-0391","Storm-0391"],"description":"[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territor","targetSectors":[],"suspectedVictims":[],"refs":["https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations","https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/","https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/","https://www.dragos.com/threat/voltzite/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1017","attackUrl":"https://attack.mitre.org/groups/G1017","techniqueCount":81,"softwareCount":17,"country":"CN"},{"name":"Threat Group-3390","aliases":["APT27","Earth Smilodon","TG-3390","Emissary Panda","BRONZE UNION","GreedyTaotie","EMISSARY PANDA","TEMP.Hippo","Red Phoenix","Budworm","Group 35","ZipToken"],"description":"[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the ","targetSectors":["Technology","Government, Administration","Defense","Government","Private sector"],"suspectedVictims":["United States","United Kingdom","France","Japan","Taiwan","India","Canada","China","Thailand","Israel","Australia","South Korea","Russia","Iran","Turkey"],"refs":["https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf","https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/","https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/","https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf","https://www.cfr.org/interactive/cyber-operations/iron-tiger","https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/","https://www.secureworks.com/research/bronze-union","http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states","https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage","https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/","https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/","https://securelist.com/luckymouse-ndisproxy-driver/87914/","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf","https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/","https://securelist.com/luckymouse-hits-national-data-center/86083/","https://attack.mitre.org/groups/G0027/","https://www.secureworks.com/research/threat-profiles/bronze-union","https://unit42.paloaltonetworks.com/atoms/iron-taurus/","https://www.mandiant.com/resources/insights/apt-groups","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"],"sources":["mitre","misp"],"cves":["CVE-2021-27065","CVE-2021-26858","CVE-2021-26857","CVE-2021-26855","CVE-2019-0604"],"leakSites":[],"mitreId":"G0027","attackUrl":"https://attack.mitre.org/groups/G0027","techniqueCount":57,"softwareCount":24,"country":"CN","suspectedStateSponsor":"Unknown","motive":"Espionage"},{"name":"Leviathan","aliases":["APT40","MUDCARP","Kryptonite Panda","Gadolinium","BRONZE MOHAWK","TEMP.Jumper","TEMP.Periscope","GADOLINIUM","KRYPTONITE PANDA","G0065","ATK29","TA423"],"description":"[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Activ","targetSectors":["Government","Private sector"],"suspectedVictims":["United States","Hong Kong","The Philippines","Asia Pacific Economic Cooperation","Cambodia","Belgium","Germany","Philippines","Malaysia","Norway","Saudi Arabia","Switzerland","United Kingdom"],"refs":["https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets","https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html","https://www.cfr.org/interactive/cyber-operations/apt-40","https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html","https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/","https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html","https://attack.mitre.org/groups/G0065/","https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company","https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu","https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network","https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding","https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40","https://www.secureworks.com/research/threat-profiles/bronze-mohawk","https://www.mycert.org.my/portal/advisory?id=MA-774.022020","https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign","https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/","https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion","https://www.justice.gov/opa/press-release/file/1412916/download"],"sources":["mitre","misp"],"cves":["CVE-2017-8759","CVE-2017-11882","CVE-2017-0199"],"leakSites":[],"mitreId":"G0065","attackUrl":"https://attack.mitre.org/groups/G0065","techniqueCount":50,"softwareCount":17,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"UNC3886","aliases":[],"description":"[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pa","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem","https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence","https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass","https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening"],"sources":["mitre","misp"],"cves":["CVE-2023-34048","CVE-2023-20867","CVE-2022-42475","CVE-2022-41328","CVE-2022-22948"],"leakSites":[],"mitreId":"G1048","attackUrl":"https://attack.mitre.org/groups/G1048","techniqueCount":49,"softwareCount":8,"country":"CN"},{"name":"Ke3chang","aliases":["GREF","APT15","Mirage","Vixen Panda","Playful Dragon","VIXEN PANDA","Ke3Chang","Metushy","Lurid","Social Network Team","Royal APT","BRONZE PALACE"],"description":"[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and S","targetSectors":["Government, Administration","Government"],"suspectedVictims":["European Union","India","United Kingdom","Germany"],"refs":["https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html","http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/","https://github.com/nccgroup/Royal_APT","https://www.cfr.org/interactive/cyber-operations/mirage","https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf","https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/","https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/","https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/","https://attack.mitre.org/groups/G0004/","https://www.secureworks.com/research/threat-profiles/bronze-palace","https://www.mandiant.com/resources/insights/apt-groups","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0004","attackUrl":"https://attack.mitre.org/groups/G0004","techniqueCount":46,"softwareCount":11,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"menuPass","aliases":["APT10","Cicada","POTASSIUM","Stone Panda","Red Apollo","STONE PANDA","Menupass Team","happyyongzi","CVNX","HOGFISH","Cloud Hopper","BRONZE RIVERSIDE"],"description":"[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Mi","targetSectors":["Private sector","Government"],"suspectedVictims":["Japan","India","South Africa","South Korea","Sweden","United States","Canada","Australia","France","Finland","United Kingdom","Brazil","Thailand","Switzerland","Norway"],"refs":["https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/","https://www.cfr.org/interactive/cyber-operations/apt-10","https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf","https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf","https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html","https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret","https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/","https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf","https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf","https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html","https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018","https://attack.mitre.org/groups/G0045/","https://www.secureworks.com/research/threat-profiles/bronze-riverside","https://unit42.paloaltonetworks.com/atoms/granite-taurus","https://www.mandiant.com/resources/insights/apt-groups","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf","https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new","https://www.crowdstrike.com/blog/two-birds-one-stone-panda/","http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks"],"sources":["mitre","misp"],"cves":["CVE-2020-1472"],"leakSites":[],"mitreId":"G0045","attackUrl":"https://attack.mitre.org/groups/G0045","techniqueCount":46,"softwareCount":25,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Earth Lusca","aliases":["TAG-22","Charcoal Typhoon","CHROMIUM","ControlX","FISHMONGER","BRONZE UNIVERSITY","AQUATIC PANDA","Red Dev 10","RedHotel","BountyGlad","Red Scylla"],"description":"[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Austral","targetSectors":["Gambling companies","Government Institutions","Education","Media and Entertainment","Pro-democracy and human rights political organizations","Telecommunications","Religious organization","Cryptocurrency","Medical","Covid-19 research organizations"],"suspectedVictims":["Australia","China","France","Germany","Hong Kong","Japan","Mongolia","Nepal","Nigeria","Philippines","Taiwan","Thailand","United Arab Emirates","United States","Vietnam"],"refs":["https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf","https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan","https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi","https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E","https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf","https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html","https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools","https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf","https://securelist.com/apt-annual-review-2021/105127","https://securelist.com/apt-trends-report-q2-2021/103517","https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jolly-jellyfish/NCSC-MAR-Jolly-Jellyfish.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf","https://www.youtube.com/watch?v=-7Swd1ZetiQ","https://www.welivesecurity.com/en/eset-research/operation-fishmedley/"],"sources":["mitre","misp"],"cves":["CVE-2020-1472"],"leakSites":[],"mitreId":"G1006","attackUrl":"https://attack.mitre.org/groups/G1006","techniqueCount":44,"softwareCount":9,"country":"CN"},{"name":"HAFNIUM","aliases":["Operation Exchange Marauder","Silk Typhoon","ATK233","G0125","Red Dev 13","MURKY PANDA"],"description":"[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets e","targetSectors":[],"suspectedVictims":[],"refs":["https://attack.mitre.org/groups/G0125/","https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers","https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/","https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html","https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers","https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day","https://twitter.com/ESETresearch/status/1366862946488451088","https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html","https://us-cert.cisa.gov/ncas/alerts/aa21-062a","https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289","https://github.com/microsoft/CSS-Exchange/tree/main/Security","https://github.com/cert-lv/exchange_webshell_detection","https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits","https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021","https://pastebin.com/J4L3r2RS","https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers","https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md","https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server","https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite","https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0125","attackUrl":"https://attack.mitre.org/groups/G0125","techniqueCount":44,"softwareCount":6,"country":"CN"},{"name":"APT3","aliases":["Gothic Panda","Pirpi","UPS Team","Buckeye","Threat Group-0110","GOTHIC PANDA","TG-0110","Group 6","UPS","Boyusec","BORON","BRONZE MAYFAIR"],"description":"[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Cl","targetSectors":["Political party","Private sector"],"suspectedVictims":["United States","United Kingdom","Hong Kong"],"refs":["https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html","https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong","https://www.cfr.org/interactive/cyber-operations/apt-3","https://www.secureworks.com/research/threat-profiles/bronze-mayfair","https://www.mandiant.com/resources/insights/apt-groups","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"],"sources":["mitre","misp"],"cves":["CVE-2015-3113","CVE-2014-1776"],"leakSites":[],"mitreId":"G0022","attackUrl":"https://attack.mitre.org/groups/G0022","techniqueCount":44,"softwareCount":6,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"MirrorFace","aliases":["Earth Kasha"],"description":"[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools,","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/","https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf","https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/","https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html","https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1054","attackUrl":"https://attack.mitre.org/groups/G1054","techniqueCount":43,"softwareCount":16,"country":"CN"},{"name":"BRONZE BUTLER","aliases":["Tick","REDBALDKNIGHT","Nian","STALKER PANDA","G0060","Stalker Taurus","PLA Unit 61419","Swirl Typhoon"],"description":"[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, bi","targetSectors":["Infrastructure","Industrial","Manufacturing","Diplomacy","News - Media","Political party","Engineering","Private sector"],"suspectedVictims":["Japan","China","South Korea","Russian Federation"],"refs":["https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf","https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan","https://www.secureworks.jp/resources/rp-bronze-butler","https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/","http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html","https://www.cfr.org/interactive/cyber-operations/bronze-butler","https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses","https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/","https://attack.mitre.org/groups/G0060/","https://www.secureworks.com/research/threat-profiles/bronze-butler","https://unit42.paloaltonetworks.com/atoms/stalkertaurus/","https://twitter.com/iiyonite/status/1384431491485155331","https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"],"sources":["mitre","misp"],"cves":["CVE-2018-0802","CVE-2018-0798","CVE-2014-4114"],"leakSites":[],"mitreId":"G0060","attackUrl":"https://attack.mitre.org/groups/G0060","techniqueCount":40,"softwareCount":14,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Tropic Trooper","aliases":["APT23","Pirate Panda","KeyBoy","PIRATE PANDA","BRONZE HOBART","G0081","Red Orthrus","Earth Centaur"],"description":"[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focus","targetSectors":["Military","Government, Administration"],"suspectedVictims":[],"refs":["https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/","http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/","http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf","https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/","https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/","https://blog.lookout.com/titan-mobile-threat","https://attack.mitre.org/groups/G0081/","https://www.secureworks.com/research/threat-profiles/bronze-hobart","https://www.mandiant.com/resources/insights/apt-groups","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html"],"sources":["mitre","misp"],"cves":["CVE-2018-0802","CVE-2017-11882","CVE-2012-0158"],"leakSites":[],"mitreId":"G0081","attackUrl":"https://attack.mitre.org/groups/G0081","techniqueCount":40,"softwareCount":6,"country":"CN"},{"name":"GALLIUM","aliases":["Granite Typhoon","Red Dev 4","Alloy Taurus","PHANTOM PANDA"],"description":"[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/","https://www.youtube.com/watch?v=fBFm2fiEPTg","https://troopers.de/troopers22/talks/7cv8pz/","https://unit42.paloaltonetworks.com/atoms/alloytaurus/","https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0093","attackUrl":"https://attack.mitre.org/groups/G0093","techniqueCount":31,"softwareCount":16,"country":"CN"},{"name":"APT5","aliases":["UNC2630","Mulberry Typhoon","MANGANESE","BRONZE FLEETWOOD","Keyhole Panda","KEYHOLE PANDA","TEMP.Bottle","Poisoned Flight"],"description":"[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [AP","targetSectors":["Electronic","Telecoms","Technology"],"suspectedVictims":[],"refs":["https://www.fireeye.com/current-threats/apt-groups.html","https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf","https://www.secureworks.com/research/threat-profiles/bronze-fleetwood","https://www.mandiant.com/resources/insights/apt-groups","https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi","http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html","https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1023","attackUrl":"https://attack.mitre.org/groups/G1023","techniqueCount":29,"softwareCount":13,"country":"CN"},{"name":"ZIRCONIUM","aliases":["APT31","Violet Typhoon","JUDGMENT PANDA","BRONZE VINEWOOD","Red keres","TA412","Zirconium"],"description":"[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the internatio","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/","https://duo.com/decipher/apt-groups-moving-down-the-supply-chain","https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf","https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists","https://twitter.com/bkMSFT/status/1201876664667582466","https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain","https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains","https://www.secureworks.com/research/threat-profiles/bronze-vinewood","https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://research.checkpoint.com/2021/the-story-of-jian","https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi","https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan","https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet","https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601","https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking","https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking","https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china","https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/","https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003"],"sources":["mitre","misp"],"cves":["CVE-2017-0005"],"leakSites":[],"mitreId":"G0128","attackUrl":"https://attack.mitre.org/groups/G0128","techniqueCount":29,"softwareCount":0,"country":"CN"},{"name":"APT1","aliases":["Comment Crew","Comment Group","Comment Panda","COMMENT PANDA","PLA Unit 61398","Byzantine Candor","Group 3","TG-8223","Brown Fox","GIF89a","ShadyRAT","G0006"],"description":"[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Co","targetSectors":["Private sector","Government"],"suspectedVictims":["United States","Taiwan","Israel","Norway","United Arab Emirates","United Kingdom","Singapore","India","Belgium","South Africa","Switzerland","Canada","France","Luxembourg","Japan"],"refs":["https://en.wikipedia.org/wiki/PLA_Unit_61398","http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf","https://www.cfr.org/interactive/cyber-operations/pla-unit-61398","https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf","https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/","https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html","https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/","https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf","https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://attack.mitre.org/groups/G0006/","https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html","https://www.mandiant.com/resources/insights/apt-groups","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0006","attackUrl":"https://attack.mitre.org/groups/G0006","techniqueCount":23,"softwareCount":17,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT19","aliases":["Codoso","C0d0so0","Codoso Team","Sunshop Group","DEEP PANDA","WebMasters","KungFu Kittens","Black Vine","TEMP.Avengers","Group 13","PinkPanther","Shell Crew"],"description":"[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal","targetSectors":["Technology","Finance","Non-profit organisation","Private sector","Military"],"suspectedVictims":["United States"],"refs":["http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf","https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf","https://www.cfr.org/interactive/cyber-operations/deep-panda","https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/","https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/","https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/","https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/","https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/","https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/","https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/","https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/","https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442","https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html","https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/","https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/","https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html","https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/","https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695","https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/","https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0073","attackUrl":"https://attack.mitre.org/groups/G0073","techniqueCount":21,"softwareCount":2,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Lotus Blossom","aliases":["Raspberry Typhoon","LOTUS PANDA","DRAGONFISH","Spring Dragon","RADIUM","Bilbug","ST Group","BRONZE ELGIN","ATK1","G0030","Red Salamander","Lotus BLossom"],"description":"[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/g","targetSectors":["Military","Government, Administration","Government"],"suspectedVictims":["Japan","Philippines","Hong Kong","Indonesia","Taiwan","Vietnam"],"refs":["https://securelist.com/blog/research/70726/the-spring-dragon-apt/","https://securelist.com/spring-dragon-updated-activity/79067/","https://www.cfr.org/interactive/cyber-operations/lotus-blossom","https://unit42.paloaltonetworks.com/operation-lotus-blossom/","https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf","https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/","https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting","https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf","https://attack.mitre.org/groups/G0030/","https://www.secureworks.com/research/threat-profiles/bronze-elgin","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://fortiguard.fortinet.com/threat-signal-report/4879","http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority","https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0030","attackUrl":"https://attack.mitre.org/groups/G0030","techniqueCount":21,"softwareCount":9,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Cinnamon Tempest","aliases":["BRONZE STARLIGHT","DEV-0401","Emperor Dragonfly","SLIME34"],"description":"[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) s","targetSectors":[],"suspectedVictims":[],"refs":["https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf","https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself","https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation","https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility","https://twitter.com/cglyer/status/1480734487000453121","https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group","https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/","https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/","https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader","https://attack.mitre.org/groups/G1021/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1021","attackUrl":"https://attack.mitre.org/groups/G1021","techniqueCount":19,"softwareCount":8,"country":"CN"},{"name":"Daggerfly","aliases":["Evasive Panda","BRONZE HIGHLAND"," Daggerfly"],"description":"[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and t","targetSectors":["Government","Individuals","Universities"],"suspectedVictims":["Hong Kong","Malaysia","India","Taiwan","Macao","Nigeria"],"refs":["https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware","https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf","https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s","https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/","https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/","https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1034","attackUrl":"https://attack.mitre.org/groups/G1034","techniqueCount":17,"softwareCount":6,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Tonto Team","aliases":["Earth Akhlut","BRONZE HUNTLEY","CactusPete","Karma Panda","KARMA PANDA","COPPER","Red Beifang","G0131","PLA Unit 65017","TAG-74"],"description":"[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded","targetSectors":["Military","Government","Private sector"],"suspectedVictims":["Eastern Europe","Japan","South Korea","Taiwan","United States"],"refs":["https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/","https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf","https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/","https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf","https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/","https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html","https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/","https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf","https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities"],"sources":["mitre","misp"],"cves":["CVE-2020-8468","CVE-2019-9489","CVE-2019-0803","CVE-2018-8174","CVE-2018-0802"],"leakSites":[],"mitreId":"G0131","attackUrl":"https://attack.mitre.org/groups/G0131","techniqueCount":15,"softwareCount":6,"country":"CN","suspectedStateSponsor":"China"},{"name":"BlackTech","aliases":["Palmerworm","CIRCUIT PANDA","Temp.Overboard","HUAPI","G0098","T-APT-03","Manga Taurus","Red Djinn","Earth Hundun","Canary Typhoon","Mobwork"],"description":"[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](h","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/","https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/","https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko","https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt","https://unit42.paloaltonetworks.com/atoms/mangataurus/","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html","https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"],"sources":["mitre","misp"],"cves":["CVE-2017-7269","CVE-2017-0199","CVE-2015-5119","CVE-2014-6352","CVE-2012-0158"],"leakSites":[],"mitreId":"G0098","attackUrl":"https://attack.mitre.org/groups/G0098","techniqueCount":14,"softwareCount":6,"country":"CN"},{"name":"Salt Typhoon","aliases":["GhostEmperor","FamousSparrow","UNC2286","RedMike","OPERATOR PANDA"],"description":"[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecom","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/","https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf","https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/","https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf","https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation","https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/","https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835","https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices"],"sources":["mitre","misp"],"cves":["CVE-2018-0171"],"leakSites":[],"mitreId":"G1045","attackUrl":"https://attack.mitre.org/groups/G1045","techniqueCount":14,"softwareCount":1,"country":"CN"},{"name":"Naikon","aliases":["PLA Unit 78020","OVERRIDE PANDA","Camerashy","BRONZE GENEVA","G0019","BRONZE STERLING","G0013"],"description":"[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Un","targetSectors":["Government","Private sector"],"suspectedVictims":["India","Saudi Arabia","Vietnam","Myanmar","Singapore","Thailand","Malaysia","Cambodia","China","Philippines","South Korea","United States","Indonesia","Laos"],"refs":["https://securelist.com/analysis/publications/69953/the-naikon-apt/","https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html","https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf","https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks","https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/","https://threatconnect.com/blog/tag/naikon/","https://attack.mitre.org/groups/G0019/","https://www.secureworks.com/research/threat-profiles/bronze-geneva","https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d","https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/","https://www.mandiant.com/resources/insights/apt-groups","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0019","attackUrl":"https://attack.mitre.org/groups/G0019","techniqueCount":14,"softwareCount":15,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"admin@338","aliases":["TEMPER PANDA","Admin338","Team338","MAGNESIUM","G0018"],"description":"[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade","targetSectors":["Activists","Trade","Finance","Political party","Government","Private sector","Civil society"],"suspectedVictims":["Hong Kong","United States"],"refs":["https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html","https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html","https://www.cfr.org/interactive/cyber-operations/admin338","https://attack.mitre.org/groups/G0018/"],"sources":["mitre","misp"],"cves":["CVE-2012-0158"],"leakSites":[],"mitreId":"G0018","attackUrl":"https://attack.mitre.org/groups/G0018","techniqueCount":12,"softwareCount":7,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT18","aliases":["APT4","SAMURAI PANDA","TG-0416","Dynamite Panda","Threat Group-0416","DYNAMITE PANDA","SCANDIUM","PLA Navy","Wekby","G0026","Satin Typhoon","Wisp Team"],"description":"[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.","targetSectors":["Aerospace","Defense","Health","High tech","Telecoms","Government","Private sector","Civil society","Military"],"suspectedVictims":["United States","United Kingdom","Hong Kong"],"refs":["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828","https://www.cfr.org/interactive/cyber-operations/apt-18","https://attack.mitre.org/groups/G0026","https://www.mandiant.com/resources/insights/apt-groups","http://www.crowdstrike.com/blog/whois-samurai-panda/","https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments","http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/","https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919","https://www.cfr.org/interactive/cyber-operations/sykipot","https://www.secureworks.com/research/threat-profiles/bronze-edison"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0026","attackUrl":"https://attack.mitre.org/groups/G0026","techniqueCount":12,"softwareCount":5,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Elderwood","aliases":["Beijing Group","Elderwood Gang","Sneaky Panda","SNEAKY PANDA","SIG22","G0066"],"description":"[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora.  The group has targeted defense organizations, supply c","targetSectors":["Private sector","Civil society"],"suspectedVictims":["United States","Canada","United Kingdom","Switzerland","Hong Kong","Australia","India","Taiwan","China","Denmark"],"refs":["https://www.cfr.org/interactive/cyber-operations/sneaky-panda","https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://attack.mitre.org/groups/G0066/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0066","attackUrl":"https://attack.mitre.org/groups/G0066","techniqueCount":9,"softwareCount":9,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Aoqin Dragon","aliases":["UNC94"],"description":"[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, edu","targetSectors":["Government","Education","Telecommunications"],"suspectedVictims":["Australia","Cambodia","Hong Kong","Singapore","Vietnam"],"refs":["https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/","https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf"],"sources":["mitre","misp"],"cves":["CVE-2012-0158","CVE-2010-3333"],"leakSites":[],"mitreId":"G1007","attackUrl":"https://attack.mitre.org/groups/G1007","techniqueCount":9,"softwareCount":2,"country":"CN"},{"name":"Rancor","aliases":["RANCOR","Rancor group","Rancor Group","G0075","Rancor Taurus"],"description":"[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open","targetSectors":["Government","Civil society"],"suspectedVictims":["Singapore","Cambodia"],"refs":["https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/","https://www.cfr.org/interactive/cyber-operations/rancor","https://attack.mitre.org/groups/G0075/","https://unit42.paloaltonetworks.com/atoms/rancortaurus/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0075","attackUrl":"https://attack.mitre.org/groups/G0075","techniqueCount":9,"softwareCount":4,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"IndigoZebra","aliases":[],"description":"[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.","targetSectors":[],"suspectedVictims":[],"refs":["https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/","https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs","https://securelist.com/apt-trends-report-q2-2017/79332/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0136","attackUrl":"https://attack.mitre.org/groups/G0136","techniqueCount":7,"softwareCount":3,"country":"CN"},{"name":"Mofang","aliases":["Superman","BRONZE WALKER"],"description":"[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focus","targetSectors":["Government","Private sector"],"suspectedVictims":["Myanmar","Germany","Singapore","Canada","India","United States","South Korea"],"refs":["https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/","https://www.cfr.org/interactive/cyber-operations/mofang","https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf","https://www.secureworks.com/research/threat-profiles/bronze-walker"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0103","attackUrl":"https://attack.mitre.org/groups/G0103","techniqueCount":6,"softwareCount":2,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Suckfly","aliases":["APT22","G0039","BRONZE OLIVE","Group 46"],"description":"[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014.","targetSectors":[],"suspectedVictims":[],"refs":["https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments","https://attack.mitre.org/groups/G0039/","https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab","http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild","https://www.secureworks.com/research/threat-profiles/bronze-olive","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0039","attackUrl":"https://attack.mitre.org/groups/G0039","techniqueCount":5,"softwareCount":1,"country":"CN"},{"name":"APT12","aliases":["IXESHE","DynCalc","Numbered Panda","DNSCALC","NUMBERED PANDA","TG-2754","BeeBus","Group 22","Calc Team","DNSCalc","Crimson Iron","BRONZE GLOBE"],"description":"[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.","targetSectors":["Private sector","Government"],"suspectedVictims":["Taiwan","Japan"],"refs":["http://www.crowdstrike.com/blog/whois-numbered-panda/","https://www.cfr.org/interactive/cyber-operations/apt-12","https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html","https://www.secureworks.com/research/threat-profiles/bronze-globe","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["mitre","misp"],"cves":["CVE-2012-0158","CVE-2011-0611","CVE-2011-0609","CVE-2009-4324","CVE-2009-3129"],"leakSites":[],"mitreId":"G0005","attackUrl":"https://attack.mitre.org/groups/G0005","techniqueCount":5,"softwareCount":3,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"TA459","aliases":["G0062"],"description":"[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts","https://attack.mitre.org/groups/G0062/"],"sources":["mitre","misp"],"cves":["CVE-2017-0199"],"leakSites":[],"mitreId":"G0062","attackUrl":"https://attack.mitre.org/groups/G0062","techniqueCount":5,"softwareCount":4,"country":"CN"},{"name":"Putter Panda","aliases":["APT2","MSUpdater","PLA Unit 61486","PUTTER PANDA","4HCrew","SULPHUR","SearchFire","TG-6952","G0024"],"description":"[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).","targetSectors":["Private sector","Government"],"suspectedVictims":["U.S. satellite and aerospace sector"],"refs":["http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf","https://www.cfr.org/interactive/cyber-operations/putter-panda","https://attack.mitre.org/groups/G0024","https://www.mandiant.com/resources/insights/apt-groups","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0024","attackUrl":"https://attack.mitre.org/groups/G0024","techniqueCount":4,"softwareCount":4,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT30","aliases":["G0013"],"description":"[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org","targetSectors":["Government"],"suspectedVictims":["United States","South Korea","Saudi Arabia","Thailand","Vietnam","Malaysia","India"],"refs":["https://attack.mitre.org/wiki/Group/G0013","https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0013","attackUrl":"https://attack.mitre.org/groups/G0013","techniqueCount":2,"softwareCount":5,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT17","aliases":["Deputy Dog","Group 8","AURORA PANDA","Hidden Lynx","Tailgater Team","Dogfish","BRONZE KEYSTONE","G0025","Group 72","G0001","Axiom","HELIUM"],"description":"[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and no","targetSectors":["Defense","Intelligence","Technology","Mining","Government, Administration","Justice","Government","Private sector","Civil society"],"suspectedVictims":["United States","Netherlands","Italy","Japan","United Kingdom","Belgium","Russia","Indonesia","Germany","Switzerland","China"],"refs":["https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf","https://www.cfr.org/interactive/cyber-operations/apt-17","https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/","https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware","https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire","https://www.recordedfuture.com/hidden-lynx-analysis/","https://www.secureworks.com/research/threat-profiles/bronze-keystone","https://attack.mitre.org/groups/G0025/","https://cfr.org/cyber-operations/axiom","https://attack.mitre.org/groups/G0001/","https://www.youtube.com/watch?v=NFJqD-LcpIg","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0025","attackUrl":"https://attack.mitre.org/groups/G0025","techniqueCount":2,"softwareCount":1,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Scarlet Mimic","aliases":["G0029","Golfing Taurus"],"description":"[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those o","targetSectors":["Activists"],"suspectedVictims":[],"refs":["https://attack.mitre.org/wiki/Groups","https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/","https://attack.mitre.org/groups/G0029/","https://unit42.paloaltonetworks.com/atoms/golfing-taurus/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0029","attackUrl":"https://attack.mitre.org/groups/G0029","techniqueCount":1,"softwareCount":4,"country":"CN"},{"name":"APT16","aliases":["SVCMONDR","G0023"],"description":"[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.","targetSectors":["Private sector"],"suspectedVictims":["Japan","Taiwan"],"refs":["https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html","https://www.cfr.org/interactive/cyber-operations/apt-16","https://attack.mitre.org/groups/G0023","https://www.mandiant.com/resources/insights/apt-groups","https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0023","attackUrl":"https://attack.mitre.org/groups/G0023","techniqueCount":1,"softwareCount":1,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"DragonOK","aliases":["Moafee","BRONZE OVERBROOK","G0017","G0002","Shallow Taurus"],"description":"[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is","targetSectors":["Private sector"],"suspectedVictims":["United States"],"refs":["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf","https://attack.mitre.org/wiki/Groups","https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor","https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf","https://www.cfr.org/interactive/cyber-operations/moafee","https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/","https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/","https://www.phnompenhpost.com/national/kingdom-targeted-new-malware","https://attack.mitre.org/groups/G0017/","https://attack.mitre.org/groups/G0002/","https://www.secureworks.com/research/threat-profiles/bronze-overbrook","https://unit42.paloaltonetworks.com/atoms/shallowtaurus/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0017","attackUrl":"https://attack.mitre.org/groups/G0017","techniqueCount":0,"softwareCount":2,"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Nitro","aliases":["Covert Grove"],"description":"These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks","targetSectors":["Chemical"],"suspectedVictims":[],"refs":["https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf","https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/","https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"WET PANDA","aliases":["Red Chimera"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"FOXY PANDA","aliases":[],"description":"Adversary group targeting telecommunication and technology organizations.","targetSectors":["Technology","Telecoms"],"suspectedVictims":[],"refs":["https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"PREDATOR PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNION PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"SPICY PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"ELOQUENT PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Grayling","aliases":[],"description":"Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attack","targetSectors":["Biomedical","Government","Information technology"],"suspectedVictims":["Taiwan","United States","Vietnam","Solomon Islands"],"refs":["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China"},{"name":"Storm-2603","aliases":[],"description":"The group Microsoft tracks as Storm-2603 is assessed with medium confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warl","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"HURRICANE PANDA","aliases":[],"description":"We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated ","targetSectors":["Technology","Telecoms"],"suspectedVictims":[],"refs":["http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/","https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/","https://www.crowdstrike.com/blog/storm-chasing/","https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Hellsing","aliases":[],"description":"This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage","targetSectors":["Infrastructure","Diplomacy","Government"],"suspectedVictims":["Malaysia","Indonesia","Philippines","United States","India"],"refs":["https://www.cfr.org/interactive/cyber-operations/hellsing","https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Night Dragon","aliases":["G0014"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://kc.mcafee.com/corporate/index?page=content&id=KB71150","https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf","https://attack.mitre.org/groups/G0014/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"APT14","aliases":["ANCHOR PANDA","QAZTeam","ALUMINUM"],"description":"PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the ","targetSectors":["Other","Aerospace","Defense","Intelligence","Maritime","Military","Space","Government"],"suspectedVictims":["United States","United Kingdom","Germany","Australia","Sweden"],"refs":["http://www.crowdstrike.com/blog/whois-anchor-panda/","https://www.cfr.org/interactive/cyber-operations/anchor-panda","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT21","aliases":["HAMMER PANDA","TEMP.Zhenbao","NetTraveler"],"description":"","targetSectors":["Government","Military"],"suspectedVictims":["Mongolia","Kazakhstan","Tajikistan","Germany","United Kingdom","India","Kyrgyzstan","South Korea","United States","Chile","Russia","China","Spain","Canada","Morocco"],"refs":["https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/","https://www.cfr.org/interactive/cyber-operations/nettraveler","https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes","https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary","https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/","https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests","http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"DAGGER PANDA","aliases":["IceFog","Trident","RedFoxtrot","Red Wendigo","PLA Unit 69010","UAT-7290","Red Foxtrot"],"description":"Operate since at least 2011, from several locations in China, with  members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.","targetSectors":["Other","Maritime","Military","Government, Administration","Telecoms","Government"],"suspectedVictims":["South Korea","United States","Japan","Germany","China"],"refs":["https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/","https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/","https://www.cfr.org/interactive/cyber-operations/icefog","https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf","https://blog.talosintelligence.com/uat-7290/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"APT24","aliases":["PITTY PANDA","G0011","Temp.Pittytiger"],"description":"The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials","targetSectors":[],"suspectedVictims":[],"refs":["http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2","http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf","https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/","https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html","https://attack.mitre.org/groups/G0011","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"RADIO PANDA","aliases":["Shrouded Crossbow"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"APT.3102","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"IMPERSONATING PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"APT20","aliases":["VIOLIN PANDA","TH3Bug","Crawling Taurus"],"description":"We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they inv","targetSectors":[],"suspectedVictims":[],"refs":["http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/","https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/","https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf","https://unit42.paloaltonetworks.com/atoms/crawling-taurus/","https://www.mandiant.com/resources/insights/apt-groups"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TOXIC PANDA","aliases":[],"description":"A group targeting dissident groups in China and at the boundaries.","targetSectors":[],"suspectedVictims":[],"refs":["https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"HummingBad","aliases":[],"description":"This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue.  The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder","targetSectors":[],"suspectedVictims":[],"refs":["http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TA530","aliases":[],"description":"TA530, who we previously examined in relation to large-scale personalized phishing campaigns","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/uk/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"PassCV","aliases":[],"description":"The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates.  Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections as","targetSectors":[],"suspectedVictims":[],"refs":["https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Blue Termite","aliases":["Cloudy Omega","Emdivi"],"description":"Blue Termite is a group of suspected Chinese origin active in Japan.","targetSectors":["Government","Private sector"],"suspectedVictims":["Japan"],"refs":["https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/","https://www.cfr.org/interactive/cyber-operations/blue-termite"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"Unknown","motive":"Espionage"},{"name":"APT26","aliases":["JerseyMikes","TURBINE PANDA","BRONZE EXPRESS","TECHNETIUM","Taffeta Typhoon"],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://www.secureworks.com/research/threat-profiles/bronze-express","https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf","https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"SABRE PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BIG PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"POISONUS PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TEST PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"ELECTRIC PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"GIBBERISH PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"APT6","aliases":["1.php Group"],"description":"The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.\n“This is a ra","targetSectors":[],"suspectedVictims":[],"refs":["https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"PALE PANDA","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Mana Team","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TempTick","aliases":[],"description":"This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un","targetSectors":["Government","Private sector"],"suspectedVictims":["South Korea","Japan"],"refs":["https://www.cfr.org/interactive/cyber-operations/temptick"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China"},{"name":"HenBox","aliases":[],"description":"This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.","targetSectors":["Civil society"],"suspectedVictims":["Uighurs"],"refs":["https://www.cfr.org/interactive/cyber-operations/henbox"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Unnamed Actor","aliases":[],"description":"This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ","targetSectors":["Civil society","Government"],"suspectedVictims":["China","Myanmar","Hong Kong","Taiwan"],"refs":["https://www.cfr.org/interactive/cyber-operations/unnamed-actor"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Blackgear","aliases":["Topgear","Comnie","BLACKGEAR"],"description":"BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server us","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/","https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TA428","aliases":["Colourful Panda","BRONZE DUDLEY"],"description":"Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology","https://www.recordedfuture.com/china-linked-ta428-threat-group","https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia","https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop","https://blog.group-ib.com/task","https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op","https://www.youtube.com/watch?v=1WfPlgtfWnQ","https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf","https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf","https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Budminer","aliases":["Budminer cyberespionage group"],"description":"Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan","https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm","https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Operation Shadow Force","aliases":["TA-ShadowCricket","Larva-24013"],"description":"Operation Shadow Force is a group of malware that is representative of Shadow Force and Wgdrop from 2013 to 2020, and is a group activity that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but considering the date of malware creation, it is likely to have been active before 2012. Since the malware used mainly by them is Shadow Force, it was named","targetSectors":[],"suspectedVictims":[],"refs":["https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=29129","https://mobile.twitter.com/mstoned7/status/1247361687570673664","https://www.ahnlab.com/en/contents/content-center/35891","https://asec.ahnlab.com/en/52479/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Antlion","aliases":[],"description":"Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.","targetSectors":["Financial"],"suspectedVictims":["Taiwan"],"refs":["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Avivore","aliases":[],"description":"The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers","https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group","https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Scarab","aliases":[],"description":"Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.","targetSectors":[],"suspectedVictims":["Russia","Ukraine","United States"],"refs":["https://web.archive.org/web/20150124025612/http://www.symantec.com:80/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012","https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","motive":"Espionage"},{"name":"Curious Gorge","aliases":["UNC3742"],"description":"Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have contin","targetSectors":["Government","Military","Logistics","Defense Contractor"],"suspectedVictims":["Ukraine","Russia","Kazakhstan","Mongolia"],"refs":["https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe","https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/","https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","motive":"Espionage"},{"name":"Red Menshen","aliases":["Red Dev 18","Earth Bluecrow"],"description":"Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (","targetSectors":["Government","Education","Logistics"],"suspectedVictims":["Middle East","Asia"],"refs":["https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf","https://troopers.de/troopers22/talks/7cv8pz","https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Berberoka","aliases":["GamblingPuppet"],"description":"According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Ea","targetSectors":["Gambling Websites","Information technology","Electronics Manufacturers","Education"],"suspectedVictims":["China","United States","Hong Kong","Malaysia","Taiwan"],"refs":["https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf","https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html","https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt","https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt","https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt","https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt","https://www.youtube.com/watch?v=QXGO4RJaUPQ","https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf","https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/","https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Wendigo","aliases":[],"description":"Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedde","targetSectors":["Government","Education"],"suspectedVictims":["Hong Kong","Taiwan"],"refs":["https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BRONZE EDGEWOOD","aliases":["Red Hariasa"],"description":"In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that","targetSectors":[],"suspectedVictims":["Kyrgyzstan","Malaysia","Vietnam"],"refs":["https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"APT9","aliases":["NIGHTSHADE PANDA","Red Pegasus","Group 27"],"description":"APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant","targetSectors":["Pharmaceuticals","Healthcare","Construction","Aerospace","Defense industrial base"],"suspectedVictims":["United States"],"refs":["https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393","https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://www.mandiant.com/resources/insights/apt-groups","https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn","https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml","https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BRONZE SPRING","aliases":["UNC302"],"description":"BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file","targetSectors":["Information technology","Medical","Civil engineering","Business","Education","Gaming","Energy","Pharmaceuticals","Defense industrial base"],"suspectedVictims":["United States","Australia","Belgium","Germany","Japan","Lithuania","Netherlands","Spain","South Korea","Sweden","United Kingdom"],"refs":["https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion","https://www.justice.gov/opa/press-release/file/1295981/download","https://www.justice.gov/opa/press-release/file/1295986/download","https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name","https://twitter.com/MrDanPerez/status/1390285821786394624"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BRONZE SPIRAL","aliases":[],"description":"In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through ex","targetSectors":[],"suspectedVictims":[],"refs":["https://unit42.paloaltonetworks.com/solarstorm-supernova","https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis","https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group","https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan","https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a","https://www.cisa.gov/news-events/analysis-reports/ar21-112a"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BRONZE VAPOR","aliases":[],"description":"BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR have operated since at least 2017.  The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications.  CTU researchers assess BRO","targetSectors":["Semiconductor Industry"],"suspectedVictims":["Taiwan"],"refs":["https://www.secureworks.com/research/threat-profiles/bronze-vapor"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Vicious Panda","aliases":["SixLittleMonkeys"],"description":"Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. \nA closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations ","targetSectors":[],"suspectedVictims":["Belarus","Russia","Mongolia","Ukraine"],"refs":["https://securelist.com/microcin-is-here/97353","https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636","https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia","https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia","https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign","https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan","https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf","https://securelist.com/apt-trends-report-q2-2019/91897","https://securelist.com/apt-trends-report-q2-2020/97937","https://securelist.com/it-threat-evolution-q2-2020/98230","https://securelist.com/apt-trends-report-q3-2021/104708","https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Red Nue","aliases":["LuoYu"],"description":"Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAt backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering","targetSectors":[],"suspectedVictims":[],"refs":["https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf","https://blogs.jpcert.or.jp/en/2021/10/windealer.html","https://securelist.com/windealer-dealing-on-the-side/105946","https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware","https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TianWu","aliases":[],"description":"","targetSectors":["Private Sector","Gambling companies","Gaming","Information technology","Telecommunications","Government","Transportation systems","Dissident"],"suspectedVictims":["China","Hong Kong","Kazakhstan","Taiwan","Philippines"],"refs":["https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf","https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf","https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies","https://github.com/avast/ioc/tree/master/OperationDragonCastling"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China"},{"name":"SLIME29","aliases":[],"description":"","targetSectors":["Private Sector"],"suspectedVictims":[],"refs":["https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China"},{"name":"GOBLIN PANDA","aliases":["Conimes","Cycldek"],"description":"Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.","targetSectors":["Private Sector"],"suspectedVictims":["Malaysia","India","Indonesia","Japan","Philippines","Southeast Asia","South Korea","Vietnam"],"refs":["https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/","https://securelist.com/cycldek-bridging-the-air-gap/97157/","https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China"},{"name":"Red Dev 17","aliases":[],"description":"In 2021, PwC started tracking a series of intrusions under the moniker of Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. They a","targetSectors":["High-Tech","Military","Energy"],"suspectedVictims":["India"],"refs":["https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf","https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"DEV-0147","aliases":[],"description":"DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and","targetSectors":[],"suspectedVictims":["South America","Asia","European Union"],"refs":["https://twitter.com/MsftSecIntel/status/1625181255754039318"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"RedGolf","aliases":[],"description":"Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BAR","targetSectors":["Aviation","Automotive","Education","Intergovernmental","Media and Entertainment","Information Technology","Religious Organizations"],"suspectedVictims":[],"refs":["https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf","https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"state-sponsored espionage and financially motivated"},{"name":"Worok","aliases":[],"description":"Worok is a cyber espionage group, mostly targeting Central Asia. The group toolset includes a C++ loader named CLRLoad, a PowerShell backdoor named PowHeartBeat, and a C# loader named PNGLoad.","targetSectors":["Government","Energy Company"],"suspectedVictims":["East Asia","Central Asia","Southeast Asia","The Middle East","Southern Africa"],"refs":["https://www.welivesecurity.com/2022/09/06/worok-big-picture/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Camaro Dragon","aliases":[],"description":"In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, w","targetSectors":[],"suspectedVictims":[],"refs":["https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/","https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm-0558","aliases":[],"description":"Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintain high confidence that Storm-0558 operates as its own distinct group","targetSectors":["Government"],"suspectedVictims":["United States","Germany"],"refs":["https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/","https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr","https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/","https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/","https://www.youtube.com/watch?v=khywfhJv4H8","https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"Xiaoqiying","aliases":["Genesis Day","Teng Snake"],"description":"Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late-January 2023. Research from Recorded Futures Insikt Group has found that the groups affiliated threat actors have signaled a new round of cyberattacks against organizations in Jap","targetSectors":[],"suspectedVictims":[],"refs":["https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan","https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a","https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm-0062","aliases":["Oro0lxy","DarkShadow"],"description":"The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.","targetSectors":[],"suspectedVictims":[],"refs":["https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-november-2023/ba-p/3970796","https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/","https://twitter.com/MsftSecIntel/status/1711871732644970856"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Witchetty","aliases":["LookingFrog"],"description":"Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted gove","targetSectors":[],"suspectedVictims":[],"refs":["https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs","https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage","https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"REF2924","aliases":[],"description":"A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologie","targetSectors":[],"suspectedVictims":[],"refs":["https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat","https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"SharpPanda","aliases":["Sharp Dragon"],"description":"SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.","targetSectors":[],"suspectedVictims":["Germany"],"refs":["https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/","https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs","https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"1937CN","aliases":[],"description":"1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html","https://www.recordedfuture.com/international-hacktivism-analysis/","http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html","https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"IronHusky","aliases":[],"description":"IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/","https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Dalbit","aliases":[],"description":"The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.","targetSectors":[],"suspectedVictims":[],"refs":["https://asec.ahnlab.com/en/56941/","https://asec.ahnlab.com/en/56236/","https://asec.ahnlab.com/en/47455/","https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"DiceyF","aliases":[],"description":"DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period. They have exhibited overlapping activity with LuckyStar PlugX and Earth Berberoka/GamblingPuppet, as reported by various cybersecurity vendors. While their motivations remain unclear, previous incidents suggest a combination of espionage and intellectual ","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"DriftingCloud","aliases":[],"description":"DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.","targetSectors":[],"suspectedVictims":[],"refs":["https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/","https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/","https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC4191","aliases":[],"description":"UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region,","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia","https://therecord.media/espionage-group-using-usb-devices-to-hack-targets-in-southeast-asia/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"DragonSpark","aliases":[],"description":"DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ var","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC4841","aliases":["SLIME57"],"description":"UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed t","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation/","https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/","https://i.blackhat.com/Asia-24/Presentations/Asia-24-Chen-Chinese-APT.pdf","https://www.youtube.com/watch?v=PSaix1C-UMI","https://www.youtube.com/watch?v=4zaStuUdvrE","https://sansorg.egnyte.com/dd/8ekLJCPHPj/","https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r3.v1.CLEAR_.pdf","https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r2.v1.CLEAR_.pdf","https://www.cisa.gov/sites/default/files/2023-07/MAR-10454006.r1.v2.CLEAR_.pdf","https://www.cisa.gov/sites/default/files/2023-08/MAR-10459736.r1.v1.CLEAR_.pdf","https://www.cisa.gov/sites/default/files/2023-08/MAR-10454006.r4.v2.CLEAR_.pdf","https://www.cisa.gov/sites/default/files/2023-09/MAR-10454006.r5.v1.CLEAR__0.pdf","https://www.barracuda.com/company/legal/esg-vulnerability","https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening","https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_5_leon-chang_theo-chen_en.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TEMP_Heretic","aliases":[],"description":"TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/","https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Webworm","aliases":["Space Pirates"],"description":"Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.","targetSectors":[],"suspectedVictims":[],"refs":["http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats","https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/","https://blog.polyswarm.io/space-pirates-target-russian-aerospace"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Moshen Dragon","aliases":[],"description":"Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the teleco","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TiltedTemple","aliases":["DEV-0322","Circle Typhoon"],"description":"One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.","targetSectors":[],"suspectedVictims":[],"refs":["https://unit42.paloaltonetworks.com/sockdetour/","https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/","https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm Cloud","aliases":[],"description":"Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their a","targetSectors":[],"suspectedVictims":[],"refs":["https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/","https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gimmick-malware-active-iocs"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TunnelSnake","aliases":[],"description":"The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a c","targetSectors":[],"suspectedVictims":[],"refs":["https://www.redpacketsecurity.com/operation-tunnelsnake/","https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC2717","aliases":[],"description":"UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual pr","targetSectors":[],"suspectedVictims":[],"refs":["https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html","http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"WIP19","aliases":[],"description":"WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information an","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC215","aliases":[],"description":"UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups","https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Sandman APT","aliases":[],"description":"First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the","targetSectors":["Government","Telecommunications"],"suspectedVictims":["Middle East","Southeast Asian","France","Egypt","Sudan","South Sudan","Libya","Turkey","Saudi Arabia","Oman","Yemen","Sri Lanka","India","Pakistan","Iran","Afghanistan","Kuwait","Iraq","United Arab Emirates"],"refs":[],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN","suspectedStateSponsor":"China","motive":"Espionage"},{"name":"UTA0178","aliases":["UNC5221","Red Dev 61"],"description":"While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to ","targetSectors":[],"suspectedVictims":["Germany"],"refs":["https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/","https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/","https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day","https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/","https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/","https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TAG-28","aliases":[],"description":"TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Flax Typhoon","aliases":["Ethereal Panda","Storm-0919"],"description":"Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-of","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/","https://www.crowdstrike.com/global-threat-report/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Blackwood","aliases":[],"description":"Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capabil","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/","https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Lilac Typhoon","aliases":["DEV-0234"],"description":"Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shel","targetSectors":[],"suspectedVictims":[],"refs":["https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/","https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down","https://twitter.com/MsftSecIntel/status/1535417776290111489"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"ShaggyPanther","aliases":[],"description":"ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/ksb-2019-review-of-the-year/95394/","https://securelist.com/apt-trends-report-q3-2019/94530/","https://securelist.com/apt-review-of-the-year/89117/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"CardinalLizard","aliases":[],"description":"CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.","targetSectors":[],"suspectedVictims":[],"refs":["https://securelist.com/apt-review-of-the-year/89117/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Operation Red Signature","aliases":[],"description":"The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the rang","targetSectors":[],"suspectedVictims":[],"refs":["https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network","https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"GoldFactory","aliases":[],"description":"GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand. They utilize social engineering to deliver malware to victims' devices and have close connections to the Gigabud malware family. GoldFactory's Trojans, such as GoldPickaxe and GoldDigger, employ tactics like smi","targetSectors":[],"suspectedVictims":[],"refs":["https://www.group-ib.com/blog/goldfactory-ios-trojan/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC5325","aliases":[],"description":"UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PI","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Krahang","aliases":[],"description":"Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governm","targetSectors":[],"suspectedVictims":[],"refs":["https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs","https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Smishing Triad","aliases":[],"description":"The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Tele","targetSectors":[],"suspectedVictims":[],"refs":["https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC5330","aliases":[],"description":"UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate regis","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC5337","aliases":[],"description":"UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, ","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC3569","aliases":[],"description":"China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments. ","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Freybug","aliases":[],"description":"Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide. The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign (Operation CuckooBees) described in an article published by Cybereason. They employ a diverse toolk","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Unfading Sea Haze","aliases":[],"description":"Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator acco","targetSectors":[],"suspectedVictims":[],"refs":["https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/","https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"RedJuliett","aliases":[],"description":"RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on","targetSectors":[],"suspectedVictims":[],"refs":["https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"SneakyChef","aliases":[],"description":"SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos ","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/sneakychef-sugarghost-rat/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Dragonbridge","aliases":["Spamouflage Dragon"],"description":"DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China. They have been observed using AI-generated images and videos to spread propaganda on social media platforms. The group has targeted various countries and regions, including the US, Taiwan, and Japan, with narratives promoting pro-","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/","https://quointelligence.eu/2024/06/european-election-at-risk-analysis/","https://blog.google/threat-analysis-group/over-50000-instances-of-dragonbridge-activity-disrupted-in-2022/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Water Sigbin","aliases":["8220 Gang"],"description":"The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG cry","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html","https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html","https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat","https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/","https://asec.ahnlab.com/en/51568/","https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html","https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134","https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC4540","aliases":[],"description":"UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back t","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TIDRONE","aliases":["Earth Ammit","VENOM"],"description":"TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan. The actor employs advanced malware variants such as CXCLNT and CLNTEND, which are distributed through ERP software or remote desktops. The consistency in file compilation times and operational patterns aligns with other Chinese esp","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html","https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Baxia","aliases":[],"description":"Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.tgsoft.it/news/news_archivio.asp?id=1568","https://jp.security.ntt/tech_blog/appdomainmanager-injection","https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"CeranaKeeper","aliases":[],"description":"CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TaskMasters","aliases":["BlueTraveller"],"description":"TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russi","targetSectors":[],"suspectedVictims":[],"refs":["https://www.group-ib.com/blog/task/","https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"IcePeony","aliases":[],"description":"IcePeony is a China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. They primarily employ SQL injection techniques to exploit vulnerabilities in publicly accessible web servers, subsequently installing web shells or executing malware like IceCache to facil","targetSectors":[],"suspectedVictims":[],"refs":["https://nao-sec.org/2024/10/IcePeony-with-the-996-work-culture.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Tstark","aliases":[],"description":"TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203). The actor exhibited odd telemetry behavior indicative of intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Analysis revealed malware samples for Mac OS X and iOS, as well as IFRAME injection","targetSectors":[],"suspectedVictims":[],"refs":["https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"TAG-112","aliases":[],"description":"TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloud","targetSectors":[],"suspectedVictims":[],"refs":["https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"SilkSpecter","aliases":[],"description":"SilkSpecter is a Chinese financially motivated threat actor that orchestrates phishing campaigns targeting e-commerce shoppers, particularly during peak shopping seasons. They exploit legitimate payment processors like Stripe to exfiltrate Cardholder Data and Personally Identifiable Information through convincing fake e-commerce sites created using the oemapps SaaS platform. Their phishing infrast","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"BrazenBamboo","aliases":[],"description":"BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families. Their infrastructure includes capabilities for zero-day exploitation, specifically targeting vulnerabilities like FortiClient, and employs a command-and-control architecture that supports multi-platform operations. Volexity's analysis indicates that BrazenBamboo is a ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm-2077","aliases":["TAG-100","RedNovember"],"description":"TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access. The group employs open-source tools like Pantegana and SparkRAT for persistence and post-exploitation activities, including credential theft and email data exfiltration. TAG-100 has compr","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/","https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign","https://thehackernews.com/2025/09/chinese-hackers-rednovember-target.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm-0940","aliases":["CovertNetwork-1658","ORB07"],"description":"Storm-0940 is a Chinese threat actor active since at least 2021, known for gaining initial access through password spray and brute-force attacks, as well as exploiting network edge applications. Microsoft has observed Storm-0940 utilizing valid credentials obtained from CovertNetwork-1658's password spray operations, indicating a close operational relationship between the two. Once inside a victim","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"LIMINAL PANDA","aliases":[],"description":"LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools for covert access, C2, and data exfiltration. The adversary demonstrates extensive knowledge of telecom networks, utilizing GSM protocols to retrieve mobile subscriber information and call metadata. LIMINAL PANDA exploits trust relationships and security gaps between p","targetSectors":[],"suspectedVictims":[],"refs":["https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Operation DRBControl","aliases":[],"description":"Operation DRBControl is a cyberespionage campaign targeting gambling companies in Southeast Asia, first identified in 2019. The operation involves the use of HyperBro malware and SysUpdate variants, with evidence of customer database and source code exfiltration. The threat actor has employed domain spoofing for command and control and has shown a consistent interest in the gambling industry. Tren","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"PlushDaemon","aliases":[],"description":"PlushDaemon is a China-aligned APT group that has conducted cyberespionage operations against targets in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. They executed a supply chain attack on the South Korean VPN provider IPany, compromising its installer to deploy the SlowStepper backdoor, which features a toolkit of over 30 components. PlushDaemon primarily gains initi","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Teleboyi","aliases":[],"description":"Teleboyi is a threat actor reportedly based in China, associated with the PlugX RAT. TeamT5 identified a custom PlugX loader used by Teleboyi that employs a similar string decryption algorithm as seen in the McUtil.dll loader from Operation Harvest. While there are weak links to the dsqurey[.]com domain, the connection remains uncertain due to the domain's registration history.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"REF7707","aliases":["CL-STA-0049","Jewelbug"],"description":"REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement. The threat actor employs the Microsoft Graph API for C2 communication, blending malicious traffic with legitimate activity to evade detection. Despite their technical sophisticati","targetSectors":[],"suspectedVictims":[],"refs":["https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/","https://www.elastic.co/security-labs/fragile-web-ref7707","https://www.security.com/threat-intelligence/jewelbug-apt-russia"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Alux","aliases":[],"description":"Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, technology, and telecommunications. They primarily exploit vulnerable services in exposed servers to gain initial access, implanting web shells like GODZILLA and deploying backdoors such as VARGEIT and COBEACON. The group employs tools like RSBINJECT and MASQLOADER for l","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"PurpleHaze","aliases":[],"description":"PurpleHaze is a China-nexus threat actor tracked by SentinelLABS, linked to APT15, known for targeting critical infrastructure sectors such as telecommunications and government organizations. The actor has been associated with reconnaissance attempts against SentinelOne and has utilized ShadowPad, a modular backdoor platform, for cyberespionage and potential ransomware deployment. Investigations a","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Chaya_004","aliases":[],"description":"Chaya_004 is a Chinese threat actor identified through malicious infrastructure, including a network of servers hosting Supershell backdoors and various pen testing tools of Chinese origin. The actor's activities are linked to the exploitation of a specific vulnerability, with a focus on using Chinese cloud providers. Analysis of the infrastructure has revealed TTPs associated with Chaya_004, indi","targetSectors":[],"suspectedVictims":[],"refs":["https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"CL-STA-0048","aliases":["CL STA 0048"],"description":"CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunications entities, with a focus on espionage. The group has been linked to SAP NetWeaver intrusions and employs techniques such as DNS beaconing using ping commands and exploiting unpatched vulnerabilities in services like IIS, Apache Tomcat, and MSSQL. Analysts have observ","targetSectors":[],"suspectedVictims":[],"refs":["https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/","https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Houken","aliases":[],"description":"Houken is a Chinese state-sponsored threat actor that exploits zero-day vulnerabilities in Ivanti Cloud Services Appliance devices to gain initial access to critical infrastructure networks, particularly in France. The group employs a sophisticated rootkit alongside open-source tools, primarily developed by Chinese-speaking authors, to maintain persistence and control over compromised systems. Hou","targetSectors":[],"suspectedVictims":[],"refs":["https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/","https://meterpreter.org/anssi-exposes-houken-china-linked-apt-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Lamia","aliases":["UNC5454"],"description":"Earth Lamia is a China-nexus APT that targets organizations across multiple sectors, including finance, logistics, and government, primarily in Latin America, the Middle East, and Southeast Asia. The actor exploits web application vulnerabilities, such as CVE-2025-55182, and employs techniques like SQL injection, DLL sideloading, and the deployment of custom backdoors like PULSEPACK and BypassBoss","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182","https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"LongNosedGoblin","aliases":[],"description":"LongNosedGoblin is a China-aligned APT group targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs Group Policy for malware deployment and utilizes cloud services like Microsoft OneDrive and Google Drive as C&C servers. Their operations feature a modular malware ecosystem, including backdoors, browser data stealers, and PowerShell-based downloaders that ","targetSectors":[],"suspectedVictims":[],"refs":["https://botcrawl.com/chinese-apt-longnosedgoblin-targets-government-networks-in-southeast-asia-and-japan/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-9686","aliases":[],"description":"UAT-9686 is a Chinese state-sponsored APT known for targeting networking infrastructure and edge appliances through a sophisticated espionage campaign. They exploit a critical flaw in the Cisco AsyncOS Spam Quarantine interface to gain root access and deploy custom malware, including AquaShell, along with Python scripts that execute natively. Their operations involve reverse tunneling and log purg","targetSectors":[],"suspectedVictims":[],"refs":["https://www.secpod.com/blog/zero-day-crisis-cve-2025-20393-unpatched-on-cisco-email-gateways-exploited-by-china-linked-hackers/","https://blog.talosintelligence.com/uat-9686/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC6384","aliases":["Vertigo Panda"],"description":"UNC6384 (also tracked as Vertigo Panda) is a Chinese-affiliated APT that conducts targeted espionage campaigns primarily against diplomatic entities in Southeast Asia and Europe, specifically Belgium and Hungary. The group exploits the ZDI-CAN-25373 Windows shortcut vulnerability to gain initial code execution via malicious .LNK files, deploying the PlugX RAT through sophisticated delivery mechani","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UnsolicitedBooker","aliases":[],"description":"UnsolicitedBooker is a China-aligned APT group known for its persistent targeting of an unnamed international organization in Saudi Arabia, employing a backdoor called MarsSnake. The group utilizes spear-phishing emails, often featuring flight tickets as decoys, to infiltrate governmental organizations across Asia, Africa, and the Middle East. Their operations have included multiple intrusion atte","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/podcasts/eset-apt-activity-report-q4-2024q1-2025-malware-sharing-wipers-exploits/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"WARP PANDA","aliases":[],"description":"WARP PANDA is a China-nexus APT that targets VMware vCenter environments and Microsoft Azure infrastructures, primarily focusing on legal, technology, and manufacturing sectors in the U.S. The group exploits internet-facing edge devices for initial access, later pivoting to vCenter environments using compromised credentials or vulnerabilities. Their toolkit includes the BRICKSTORM backdoor, along ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"GTG-1002","aliases":[],"description":"GTG-1002 is a Chinese state-sponsored APT that conducted a large-scale autonomous cyber espionage campaign targeting approximately 30 global organizations across various sectors, focusing on military and energy-related data. The operation utilized AI, specifically Anthropic’s Claude model, for reconnaissance, exploitation, and data exfiltration, significantly reducing human involvement. Attackers ","targetSectors":[],"suspectedVictims":[],"refs":["https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf","https://socradar.io/blog/ai-powered-gtg-1002-campaign/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"GhostRedirector","aliases":[],"description":"GhostRedirector is a China-aligned threat actor that has compromised at least 65 Windows servers across various sectors, primarily in Brazil, Thailand, and Vietnam. It employs a passive C++ backdoor named Rungan and a malicious IIS module called Gamshen to maintain persistent access and manipulate search engine results for SEO fraud. The actor utilizes public exploits like EfsPotato and BadPotato ","targetSectors":[],"suspectedVictims":[],"refs":["https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UTA0388","aliases":[],"description":"UTA0388 is a China-aligned APT known for spear-phishing campaigns targeting organizations in North America, Asia, and Europe, primarily to deliver a Go-based implant called GOVERSHELL. The group employs \"rapport-building phishing\" tactics, engaging targets in benign conversations before sending malicious links, and has been linked to the use of Large Language Models for crafting phishing emails in","targetSectors":[],"suspectedVictims":[],"refs":["https://www.volexity.com/blog/2025/10/08/apt-meets-gpt-targeted-operations-with-untamed-llms/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-8837","aliases":[],"description":"UAT-8837 is a sophisticated China-linked APT group exploiting critical zero-day vulnerabilities, such as CVE-2025-53690 in the Sitecore platform, to achieve remote code execution and deploy the WeepSteel backdoor for espionage and data exfiltration. The group targets high-value enterprise and government sectors, focusing on public-facing applications to gain initial access and conducting stealthy ","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-8837/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Storm-1175","aliases":[],"description":"Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to command injection and potential RCE. Microsoft Defender researchers identified exploitation activity aligned with TTPs att","targetSectors":[],"suspectedVictims":[],"refs":["https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-7237","aliases":[],"description":"UAT-7237 is a Chinese-speaking APT group that has been active since at least 2022, primarily targeting web infrastructure entities in Taiwan. They utilize a customized Shellcode loader known as “SoundBill” to execute shellcode, including Cobalt Strike payloads, and rely on SoftEther VPN clients and RDP for persistence and access. UAT-7237 employs techniques such as credential extraction using Mimi","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-7237-targets-web-hosting-infra/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-8099","aliases":[],"description":"UAT-8099 is a Chinese-speaking cybercrime group primarily engaged in SEO fraud and the theft of high-value credentials, configuration files, and certificate data from vulnerable IIS servers. They utilize web shells and PowerShell to deploy the GotoHTTP tool for remote access, while also employing techniques such as DLL sideloading and RDP for persistence. The group has been observed using BadIIS v","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/","https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-6382","aliases":[],"description":"UAT-6382 is a Chinese-speaking threat actor that exploits CVE-2025-0944 to gain access to enterprise networks, particularly targeting local governing bodies in the U.S. They deploy web shells like AntSword and chinatso/Chopper on IIS web servers and utilize Rust-based loaders to implement Cobalt Strike and VSHell for persistent access. UAT-6382 employs custom tooling, such as TetraLoader, and cond","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"XinXin","aliases":["changqixinyun","Black Technology"],"description":"XinXin is a Chinese-speaking threat actor known for its phishing-as-a-service platform, Lucid, which targets global organizations to steal credit card details and personally identifiable information through smishing campaigns. The group employs advanced techniques such as exploiting Rich Communication Services and Apple's iMessage protocol to bypass traditional SMS filters. XinXin also develops an","targetSectors":[],"suspectedVictims":[],"refs":["https://catalyst.prodaft.com/public/report/lucid/overview#paragraph-1055|388"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Amaranth-Dragon","aliases":[],"description":"Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT 41 ecosystem, exhibiting similar tooling and operational patterns. The group demonstrated technical maturity by rapidly operationalizing CVE-2025-8088, a vulnerability in WinRAR, shortly after its public disclosure. Check Point Research has identified multiple campaigns targeting Cambod","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-9921","aliases":["VoidLink Operator"],"description":"UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence ","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/voidlink/","https://isovalent.com/blog/post/voidlink-cloud-malware-detection/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC6201","aliases":[],"description":"UNC6201 is a sophisticated Chinese state-sponsored hacking group that exploited CVE-2026–22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines appliances, to establish a persistent presence. They deployed a permanent backdoor using techniques like Single Packet Authorization and \"Port Knocking.\" Unlike typical hackers who conceal their activities within the Operating System, UN","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UNC2814","aliases":[],"description":"UNC2814 is a suspected PRC-nexus cyber espionage group that has targeted telecommunications providers and government entities globally since at least 2017. The group employs the GRIDTIDE backdoor to blend malicious traffic with legitimate cloud API activity and utilizes living-off-the-land techniques, including SSH lateral movement and the creation of malicious systemd services. GTIG has confirmed","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-9244","aliases":[],"description":"UAT-9244 is a China-nexus APT actor, disclosed by Cisco Talos on March 5, 2026, assessed with high confidence as closely associated with Famous Sparrow and overlapping with Tropic Trooper. Active since 2024, it exclusively targets South American telecommunication providers, deploying three novel cross-platform malware families: TernDoor (Windows backdoor with DLL side-loading and evasion driver), ","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-9244/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"CL-STA-1087","aliases":[],"description":"CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeast Asia. The actor has demonstrated operational patience, maintaining dormant access for extended periods while focusing on precision intelligence collection and employing robust operational security measures. Their infrastructure includes the use of a legitimate cloud s","targetSectors":[],"suspectedVictims":[],"refs":["https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"GopherWhisper","aliases":[],"description":"GopherWhisper is a China-aligned APT that routes C2 traffic through legitimate enterprise platforms like Slack, Discord, and Microsoft 365 Outlook to evade detection. Its toolkit includes the LaxGopher backdoor for Slack, RatGopher for Discord, and CompactGopher for data exfiltration via file.io. The group employs DLL side-loading via JabGopher and uses raw OpenSSL socket C2 on port 443 with the S","targetSectors":[],"suspectedVictims":[],"refs":["https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"UAT-8302","aliases":[],"description":"UAT-8302 is a sophisticated China-nexus APT group targeting government entities in South America and southeastern Europe, deploying custom-made malware such as NetDraft, CloudSorcerer version 3, and VSHELL. They utilize tools like SNOWLIGHT and SNOWRUST for initial access and reconnaissance, employing techniques such as PowerShell scripts and SMB share discovery. UAT-8302 also establishes backdoor","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/uat-8302/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Earth Naga","aliases":[],"description":"Earth Naga is an APT group that has persistently targeted high-value organizations, including government agencies, telecommunications, and military-related manufacturers, primarily in Taiwan and the broader APAC region. They have been linked to the use of Draculoader and ShadowPad C&C infrastructure, demonstrating sophisticated TTPs such as establishing SSH connections through compromised mail ser","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"},{"name":"Shadow-Earth-053","aliases":[],"description":"SHADOW-EARTH-053 is a China-aligned threat group exploiting unpatched Microsoft Exchange Server vulnerabilities, specifically CVE-2021-26855, to conduct cyberespionage against government and defense-linked targets across Asia and Europe. The group primarily deploys ShadowPad malware, utilizing techniques such as credential dumping, tunneling tools, and lateral movement via WMIC. They have also bee","targetSectors":[],"suspectedVictims":[],"refs":["https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"CN"}]}