Bronze President

Related: PlugX, TA428, ORat, Cobalt Strike, RCSession
Bronze President is a likely Chinese government-sponsored threat group that has been active since at least 2012. It is known for conducting cyber-espionage campaigns targeting organizations and individuals in the Asia-Pacific region and beyond.

Indicators of Compromise

mktoon.ftp1.biz
f1news.vzglagtime.net
91ac64d2.net
www1.dotomater.club
host.microlynconline.com
sherence.ru
intranet.mrpam.gov.mn
help.microlynconline.com
moneybac.ru
lutanedukasi.co.id
tombstone.kozow.com
playdr2.com
mail.playdr2.com
www.zyber-i.com
www.ciphertechsolutions.com
fax.internnetionfax.com
serviechelp.changeip.us
shareddocs.microft.dynssl.com
able.audit.mn
nameserver.datacertsecure.info
govi-altai.ecustoms-mn.com
lllllllllll.loseyourip.com
9f78281a.org
b.popmonster.ru
ybcps4.freeddns.org
fuckeryoumm.nmb.bet
www.myanmarnewsonline.org
check.datacertsecure.info
9f78281a.net
ve0.popmonster.ru
home.microlynconline.com
www3.vpkimplus.com
gazar.ecustoms-mn.com
kamikirim.my.id
datetime.datetime.now
ecustoms-mn.com
microsite-manager.com
nubia.tsagagaar.com
oss.chrome-upgrade.com
doc.redstrpela.net
hacktool.win64.agent.hk
installcb.online
alex.dnset.com
server.dotomater.club
mod.mmgpms.com
backdoor.win32.agentb.ca
mtanews.vzglagtime.net
oemprint.cat
91ac64d2.com
lib.hostareas.com
news.vzglagtime.net
xre.popmonster.ru
backdoor.win32.agentb.cc
toon.mrbasic.com
custom.songuulcomiss.com
able.tog.mn
microft.dynssl.com
kdr.zarkada.ru
6b4s.popmonster.ru
go.vegispaceshop.org
pop.playdr2.com
elienceso.kozow.com
images.myanmarnewsonline.org
d802f446.com
48b2137f.com
d802f446.org
web.microlynconline.com
9356.popmonster.ru
ns2.gamepoer7.com
developer.firefoxapi.com
gamepoer7.com
niigem.olloo-news.com
ksbyz.jelikob.ru
update.flashplayeractivex.info
nmcustoms.https443.org
www2.defensysminck.net
mashupdatabase.com
ns9.mcafee-update.com
gogonews.organiccrap.com
flashplayeractivex.info
lck.gigabitdate.com
www1.nppnavigator.net
rt.ftp1.biz
trojan.win64.dllhijacker.km
48b2137f.org
tsagagaar.com
www.atomicmatryoshka.com
news.flashplayeractivex.info
api.microft.dynssl.com
www2.sdelanasnou.com
48b2137f.net
web.miscrosaft.com
d802f446.net
ftp.microft.dynssl.com
aircraft.tsagagaar.com
findanswer123.tk
www.omgod.org
upespr.com
download.hilifimyanmar.com
chdsjjkrazomg.dhcp.biz
rootkiter.com
bamo.ocry.com
blogdirve.com
info.ntcprotek.com
update.hilifimyanmar.com
m.watercaltropinfo.com
9f78281a.com
91ac64d2.org
tech.songuulcomiss.com
video.nicblainfo.net
txt.mm-film.com
olloo-news.com
datacertsecure.info
www.watercaltropinfo.com
e-office.dbm.mn
vzglagtime.net

APT Groups (1)

TA428 (China)
Aliases: Vicious Panda, ThunderCats, TEMP.Hex, PKPLUG, Camaro Dragon, Earth Preta, Panda, Stately Taurus, HoneyMyte, Bronze President, TA428, Bronze Dudley, Mustang Panda, Red Lich

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

ID / Name / References / Techniques

S0154 Cobalt Strike
References: [1][2][3][5][7]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Access Token Manipulation: Token Impersonation/Theft; Access Token Manipulation: Parent PID Spoofing; Access Token Manipulation: Make and Impersonate Token; Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Python; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data from Local System; Data Obfuscation: Protocol Impersonation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Hide Artifacts: Process Argument Spoofing; Impair Defenses: Disable or Modify Tools; Indicator Removal: Timestomp; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Obfuscated Files or Information: Indicator Removal from Tools; Office Application Startup: Office Template Macros; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection: Process Hollowing; Process Injection: Dynamic-link Library Injection; Process Injection; Protocol Tunneling; Proxy: Internal Proxy; Proxy: Domain Fronting; Query Registry; Reflective Code Loading; Remote Services: SSH; Remote Services: SMB/Windows Admin Shares; Remote Services: Distributed Component Object Model; Remote Services: Remote Desktop Protocol; Remote Services: Windows Remote Management; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; Use Alternate Authentication Material: Pass the Hash; Valid Accounts: Local Accounts; Valid Accounts: Domain Accounts; Windows Management Instrumentation

S0013 PlugX
References: [1][2][3][8][5][6]
Techniques: Application Layer Protocol: DNS; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hijack Execution Flow: DLL Search Order Hijacking; Hijack Execution Flow: DLL Side-Loading; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Match Legitimate Name or Location; Masquerading: Masquerade Task or Service; Modify Registry; Multiband Communication; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; Trusted Developer Utilities Proxy Execution: MSBuild; Virtualization/Sandbox Evasion: System Checks; Web Service: Dead Drop Resolver

S0662 RCSession
References: [3]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Encrypted Channel; Hijack Execution Flow: DLL Side-Loading; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Process Injection: Process Hollowing; Screen Capture; System Binary Proxy Execution: Msiexec; System Information Discovery; System Owner/User Discovery

Observed Countries (16)

AF (33)
AU (204)
BY (942)
CA (906)
GE (37)
HK (538)
IN (92)
JP (410)
MM (702)
MN (686)
NZ (996)
PH (646)
RU (620)
SG (886)
UA (501)
US (194)