Mirage
Summary of Actor: Mirage is a sophisticated cyber espionage group believed to be linked to China's People's Liberation Army (PLA). The group's primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.
General Features: Mirage is known for its advanced persistent threat (APT) capabilities, leveraging custom malware, spear-phishing, and strategic web compromises to infiltrate targeted organizations.
Related Other Groups: APT15, PLA Unit 61486
Indicators of Attack (IoA):
- Spear-phishing emails with malicious attachments
- Use of strategic web compromises (watering hole attacks)
- Command and control (C2) communications to known malicious domains
Recent Activities and Trends:
- Latest Campaigns: Recent campaigns have focused on compromising organizations within the defense sector, using updated versions of their custom malware.
- Emerging Trends: There has been an observed increase in the group's use of cloud services for command and control (C2) communications, as well as a shift towards targeting supply chain partners of major aerospace companies.
Nylon Typhoon
Bronze Palace
Ke3chang
Nickel
GREF
Bulgaria
Malaysia
Germany
Switzerland
Poland
Air Transportation
Manufacturing
Public Administration
Space & Defense
Energy & Utilities
win.ketrum
win.tidepool
Systeminfo
spwebmember
win.okrum
T1018 - Remote System Discovery
T1555
T1003.003
T1518
T1078.002 - Domain Accounts
Tactic | Id | Technique
---|---|---
Collection | T1114 | Email Collection
Collection | T1213 | Data from Information Repositories
Collection | T1005 | Data from Local System
Collection | T1119 | Automated Collection
Collection | T1074 | Data Staged
Collection | T1056 | Input Capture
Collection | T1115 | Clipboard Data
Collection | T1530 | Data from Cloud Storage
Collection | T1560 | Archive Collected Data
Collection | T1113 | Screen Capture
Command And Control | T1008 | Fallback Channels
Command And Control | T1102 | Web Service
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1095 | Non-Application Layer Protocol
Command And Control | T1090 | Proxy
Command And Control | T1571 | Non-Standard Port
Command And Control | T1001 | Data Obfuscation
Command And Control | T1105 | Ingress Tool Transfer
Credential Access | T1539 | Steal Web Session Cookie
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1056 | Input Capture
Credential Access | T1040 | Network Sniffing
Credential Access | T1552 | Unsecured Credentials
Credential Access | T1081 | Credentials in Files
Credential Access | T1503 | Credentials from Web Browsers
Credential Access | T1558 | Steal or Forge Kerberos Tickets
Credential Access | T1555 | Credentials from Password Stores
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1085 | Rundll32
Defense Evasion | T1553 | Subvert Trust Controls
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1130 | Install Root Certificate
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1038 | DLL Search Order Hijacking
Defense Evasion | T1222 | File and Directory Permissions Modification
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1170 | Mshta
Defense Evasion | T1134 | Access Token Manipulation
Discovery | T1010 | Application Window Discovery
Discovery | T1049 | System Network Connections Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1069 | Permission Groups Discovery
Discovery | T1497 | Virtualization/Sandbox Evasion
Discovery | T1217 | Browser Information Discovery
Discovery | T1120 | Peripheral Device Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1057 | Process Discovery
Discovery | T1518 | Software Discovery
Discovery | T1087 | Account Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1124 | System Time Discovery
Discovery | T1012 | Query Registry
Discovery | T1201 | Password Policy Discovery
Discovery | T1040 | Network Sniffing
Discovery | T1033 | System Owner/User Discovery
Discovery | T1614 | System Location Discovery
Execution | T1106 | Native API
Execution | T1085 | Rundll32
Execution | T1047 | Windows Management Instrumentation
Execution | T1204 | User Execution
Execution | T1059 | Command and Scripting Interpreter
Execution | T1053 | Scheduled Task/Job
Execution | T1569 | System Services
Execution | T1170 | Mshta
Execution | T1129 | Shared Modules
Exfiltration | T1041 | Exfiltration Over C2 Channel
Exfiltration | T1048 | Exfiltration Over Alternative Protocol
Exfiltration | T1020 | Automated Exfiltration
Exfiltration | T1011 | Exfiltration Over Other Network Medium
Impact | T1489 | Service Stop
Impact | T1490 | Inhibit System Recovery
Impact | T1496 | Resource Hijacking
Impact | T1495 | Firmware Corruption
Initial Access | T1133 | External Remote Services
Initial Access | T1078 | Valid Accounts
Initial Access | T1566 | Phishing
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1199 | Trusted Relationship
Lateral Movement | T1021 | Remote Services
Persistence | T1133 | External Remote Services
Persistence | T1078 | Valid Accounts
Persistence | T1053 | Scheduled Task/Job
Persistence | T1038 | DLL Search Order Hijacking
Persistence | T1543 | Create or Modify System Process
Persistence | T1112 | Modify Registry
Persistence | T1060 | Registry Run Keys / Startup Folder
Persistence | T1137 | Office Application Startup
Persistence | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1038 | DLL Search Order Hijacking
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1543 | Create or Modify System Process
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1134 | Access Token Manipulation
Reconnaissance | T1592 | Gather Victim Host Information
Resource Development | T1587 | Develop Capabilities
Resource Development | T1588 | Obtain Capabilities
Total Count: 241