The Cyber Face of Economic Development

GEARSHIFT, apt41, Winnti, BARIUM
Like other Chinese espionage operators, the group's espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. Activity traces back to 2012, when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity.

Indicators of Compromise


APT Groups (6)

Ice Fog (China)
Red Wendigo, Icefog, Nomad Panda, RedFoxtrot, TEMP.Trident, Dagger Panda, ATK 23, Moshen Dragon

HAFNIUM (China)
ATK233, RedDev13, Hafnium, G0125, Red Dev 13, OperationExchangeMarauder, Silk Typhoon, SilkTyphoon, Operation Exchange Marauder

Axiom (China)
Bronze Olive, Axiom, Wicked Panda, APT 22, Group 72, Wicked Spider, Bronze Export, Winnti Group

Leviathan (China)
Gingham Typhoon, ITG09, TA423, TEMP.Jumper, Red Ladon, TEMP.Periscope, ISLANDDREAMS, Gadolinium, Mudcarp, Kryptonite Panda, Bronze Mohawk, Leviathan, ATK 29, APT 40

TA428 (China)
Vicious Panda, ThunderCats, TEMP.Hex, PKPLUG, Camaro Dragon, Earth Preta, Panda, Stately Taurus, HoneyMyte, Bronze President, TA428, Bronze Dudley, Mustang Panda, Red Lich

Turla Group (China)
Turla, UNC4210, Secret Blizzard, Venomous Bear, ITG12, SIG23, Group 13, APT 26, Belugasturgeon, TAG-0530, Waterbug, Pacifier APT, Black Vine, Blue Python, Popeye, Bronze Express, SIG15, CTG-8875, WebMasters, Iron Hunter, Krypton, ATK 13, Makersmark, KungFu Kittens, SIG2, JerseyMikes, Turbine Panda, Shell Crew, PinkPanther, Group 88, SUMMIT, Pensive Ursa, Wraith

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Reports & References (2)

Observed Countries (10)

CH (918)
GB (803)
IN (296)
JP (655)
MM (286)
NL (348)
SG (192)
TH (740)
TR (253)
US (599)