APT5 Smashes Citrix's Networks

Tags: Citrix, Manganese, APT5
APT5 is a sophisticated cyber espionage group that is believed to be based in China and has been active since at least 2007. The group primarily targets high-tech and telecommunications firms across the US, Europe, and Asia, using advanced malware and zero-day exploits to gain unauthorized access to networks and steal sensitive information.

Indicators of Compromise


APT Groups (1)

Pitty Panda (China), also known as PittyTiger


Domain | ID | Name | Use
Enterprise | T1588.002 | Obtain Capabilities: Tool | PittyTiger has obtained and used tools such as Mimikatz and gsecdump.[1]
Enterprise | T1078 | Valid Accounts | PittyTiger attempts to obtain legitimate credentials during operations.[1]

ID | Name | References | Techniques
S0032 | gh0st RAT | [1][2] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Fast Flux DNS; Encrypted Channel; Encrypted Channel: Symmetric Cryptography; Hijack Execution Flow: DLL Side-Loading; Indicator Removal: File Deletion; Indicator Removal: Clear Windows Event Logs; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; System Binary Proxy Execution: Rundll32; System Information Discovery; System Services: Service Execution
S0008 | gsecdump | [1] | OS Credential Dumping: LSA Secrets; OS Credential Dumping: Security Account Manager
S0010 | Lurid | [2] | Archive Collected Data; Encrypted Channel: Symmetric Cryptography
S0002 | Mimikatz | [1] | Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Windows Credential Manager; Credentials from Password Stores: Credentials from Web Browsers; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; OS Credential Dumping: DCSync; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Silver Ticket; Steal or Forge Kerberos Tickets: Golden Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Ticket; Use Alternate Authentication Material: Pass the Hash
S0012 | PoisonIvy | [2] | Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Active Setup; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit

Observed Countries (11), with observation counts

BN Brunei (760)
ID Indonesia (506)
KH Cambodia (326)
LA Laos (453)
MM Myanmar (784)
MY Malaysia (450)
PH Philippines (355)
SG Singapore (632)
TH Thailand (655)
US United States (470)
VN Vietnam (539)