{
	"id": "2a1e9333-b58c-46bb-9d47-268ad1e21d87",
	"created_at": "2026-04-06T00:07:28.528716Z",
	"updated_at": "2026-04-10T13:12:46.378158Z",
	"deleted_at": null,
	"sha1_hash": "0597409660936739bbbe6c2158821998646147da",
	"title": "Project CameraShy Closing The Aperture On China’s Unit 78020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30586,
	"plain_text": "Project CameraShy Closing The Aperture On China’s Unit 78020\r\nArchived: 2026-04-05 16:55:32 UTC\r\nChina is aggressively claiming territory deeper into the South China Sea, threatening economic and political\r\nstability in the Southeast Asia and beyond. The territorial activity is accompanied by high-tempo cyber espionage\r\nand malware attacks, malicious attachments and spear phishing, directed at Southeast Asian military, diplomatic,\r\nand economic targets.\r\nThreatConnect®, in partnership with Defense Group Inc., has attributed the targeted cyber espionage\r\ninfrastructure activity associated with the “Naikon” Advanced Persistent Threat (APT) group to a specific unit of\r\nthe Chinese People’s Liberation Army (PLA). Our assessment is based on technical analysis of Naikon threat\r\nactivity and native language research on a PLA officer within Unit 78020.\r\nProject CameraShy takes readers through our intelligence analysis, pivot by pivot, as we connect the dots using\r\nthe Diamond Model of Intrusion Analysis.\r\nGet Asset\r\nSource: https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/\r\nhttps://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/"
	],
	"report_names": [
		"threatconnect-discovers-chinese-apt-activity-in-europe"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0597409660936739bbbe6c2158821998646147da.pdf",
		"text": "https://archive.orkl.eu/0597409660936739bbbe6c2158821998646147da.txt",
		"img": "https://archive.orkl.eu/0597409660936739bbbe6c2158821998646147da.jpg"
	}
}