
Bronze President
Bronze President is a likely Chinese government-sponsored threat group that has been active since at least 2012. It is known for conducting cyber-espionage campaigns targeting organizations and individuals in the Asia-Pacific region and beyond.
Indicators of Compromise
Domains (116)
Hashes (2767)
IPv4 (212)
CVEs (5)
CVE-2017-0213
CVE-2017-11882
CVE-2018-0802
CVE-2018-0798
CVE-2020-10148
APT Groups
TA428
China
Mitigation
<h2 class="pt-3" id="software" style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; font-size: 2rem; font-family: Roboto-Light, sans-serif; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;">Software</h2><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">ID</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Name</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">References</th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial; font-size: 0.9rem;">Techniques</th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0154</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0154" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cobalt Strike</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" 
style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Sudo and Sudo Caching</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Token Impersonation/Theft</a>, <a 
href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Parent PID Spoofing</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Make and Impersonate Token</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1197" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">BITS 
Jobs</a>, <a href="https://attack.mitre.org/techniques/T1185" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Browser Session Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">JavaScript</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Python</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 
172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Impersonation</a>, <a href="https://attack.mitre.org/techniques/T1030" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Transfer Size Limits</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Client Execution</a>, <a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Privilege Escalation</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Argument Spoofing</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a 
href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1026" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multiband Communication</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal from Tools</a>, <a href="https://attack.mitre.org/techniques/T1137" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Office Application Startup</a>: <a href="https://attack.mitre.org/techniques/T1137/001" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Office Template Macros</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Groups</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1572" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Protocol Tunneling</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Internal Proxy</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Fronting</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SSH</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SMB/Windows Admin Shares</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Distributed Component Object Model</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Desktop Protocol</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Remote Management</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1029" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Transfer</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1553" style="box-sizing: border-box; color: rgb(79, 124, 
172); background-color: transparent;">Subvert Trust Controls</a>: <a href="https://attack.mitre.org/techniques/T1553/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Code Signing</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a>: <a href="https://attack.mitre.org/techniques/T1078/003" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Accounts</a>, <a href="https://attack.mitre.org/techniques/T1078" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Valid Accounts</a>: <a href="https://attack.mitre.org/techniques/T1078/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Accounts</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><br></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0013</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0013" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PlugX</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-1-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; 
vertical-align: baseline; top: -0.5em;"><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[1]</a></span></span><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">[5]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command 
Shell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Files and Directories</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1026" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Multiband Communication</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 
Non-Application">
124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1127" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Trusted Developer Utilities Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1127/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MSBuild</a>, <a href="https://attack.mitre.org/techniques/T1497" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Virtualization/Sandbox Evasion</a>: <a href="https://attack.mitre.org/techniques/T1497/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Checks</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dead Drop Resolver</a></td></tr>
<tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0662" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">S0662</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0662" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">RCSession</a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; font-size: 12px; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a 
href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1095" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Application Layer Protocol</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Hollowing</a>, <a 
href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Msiexec</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td></tr></tbody></table>