{
	"id": "28b9e99f-dc59-4e33-a29c-ca3919a83f41",
	"created_at": "2026-04-06T00:06:21.312765Z",
	"updated_at": "2026-04-10T03:36:25.89417Z",
	"deleted_at": null,
	"sha1_hash": "094f083d74b39fca931e8ec97dbef1a46089c4af",
	"title": "Stone Panda, APT 10, menuPass",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112155,
	"plain_text": "Stone Panda, APT 10, menuPass\r\nArchived: 2026-04-05 14:23:21 UTC\r\nAPT group: Stone Panda, APT 10, menuPass\r\nNames\r\nStone Panda (CrowdStrike)\r\nAPT 10 (Mandiant)\r\nmenuPass Team (Symantec)\r\nmenuPass (Palo Alto)\r\nRed Apollo (PWC)\r\nCVNX (BAE Systems)\r\nPotassium (Microsoft)\r\nHogfish (iDefense)\r\nHappyyongzi (FireEye)\r\nCicada (Symantec)\r\nBronze Riverside (SecureWorks)\r\nCTG-5938 (SecureWorks)\r\nATK 41 (Thales)\r\nTA429 (Proofpoint)\r\nITG01 (IBM)\r\nGranite Taurus (Palo Alto)\r\nEarth Kasha (Trend Micro)\r\nCuckoo Spear (Cybereason)\r\nPurple Typhoon (Microsoft)\r\nG0045 (MITRE)\r\nG0093 (MITRE)\r\nCountry China\r\nSponsor\r\nState-sponsored, Tianjin bureau of the Chinese Ministry of State Security, Huaying\r\nHaitai\r\nMotivation Information theft and espionage\r\nFirst seen 2006\r\nDescription menuPass is a threat group that appears to originate from China and has been active\r\nsince approximately 2009. The group has targeted healthcare, defense, aerospace, and\r\ngovernment sectors, and has targeted Japanese victims since at least 2014. In 2016\nand 2017, the group targeted managed IT service providers, manufacturing and\nmining companies, and a university.\nAlso see Operation LiberalFace, MirrorFace and Twisted Panda.\nObserved\nSectors: Aerospace, Defense, Energy, Financial, Government, Healthcare, High-Tech,\nIT, Media, NGOs, Pharmaceutical, Telecommunications and MSPs.\nCountries: Australia, Belgium, Brazil, Canada, China, Finland, France, Germany,\nHong Kong, India, Israel, Italy, Japan, Montenegro, Netherlands, Norway,\nPhilippines, Singapore, South Africa, South Korea, Sweden, Switzerland, Taiwan,\nThailand, Turkey, UAE, UK, USA, Vietnam.\nTools used\nAnel, BloodHound, certutil, ChChes, China Chopper, Cobalt Strike, Derusbi,\nDILLJUICE, DILLWEED, Ecipekac, Emdivi, EvilGrab RAT, Gh0st RAT, HTran,\nImpacket, Invoke the Hash, LODEINFO, Mimikatz, MiS-Type, nbtscan,\nNOOPDOOR, P8RAT, PlugX, Poison Ivy, Poldat, PowerSploit, PowerView, PsExec,\nPsList, pwdump, Quarks PwDump, QuasarRAT, RedLeaves, Rubeus, SharpSploit,\nSodaMaster, SNUGRIDE, Trochilus RAT, WinRAR, WmiExec, Living off the Land.\nOperations performed\nSep 2016\nSpear-phishing attack\nMethod: The attackers spoofed several sender email addresses to send\nspear-phishing emails, most notably public addresses associated with\nthe Sasakawa Peace Foundation and The White House.\nTarget: Japanese academics working in several areas of science, along\nwith Japanese pharmaceutical and a US-based subsidiary of a Japanese\nmanufacturing organizations.\n2016\nOperation “Cloud Hopper”\nThe campaign, which we refer to as Operation Cloud Hopper, has\ntargeted managed IT service providers (MSPs), allowing APT10\nunprecedented potential access to the intellectual property and sensitive\ndata of those MSPs and their clients globally. A number of Japanese\norganizations have also been directly targeted in a separate,\nsimultaneous campaign by the same actor\n2016/2017\nLeveraging its global footprint, FireEye has detected APT10 activity\nacross six continents in 2016 and 2017. APT10 has targeted or\ncompromised manufacturing companies in India, Japan and Northern\nEurope; a mining company in South America; and multiple IT service\nproviders worldwide. We believe these companies are a mix of final\ntargets and organizations that could provide a foothold in a final target.\nFeb 2017\nOperation “TradeSecret”\nThe National Foreign Trade Council (NFTC) website was allegedly\ninfiltrated by Chinese nation-state threat actors, according to a new\nreport from Fidelis Cybersecurity. The attack against the NFTC site has\nbeen dubbed ‘Operation TradeSecret’ by Fidelis and is seen as an\nattempt to gain insight into individuals closely associated with U.S\ntrade policy activities.\n2017\nOperation “ChessMaster”\nTake for instance the self-named ChessMaster, a campaign targeting\nJapanese academe, technology enterprises, media outfits, managed\nservice providers, and government agencies. It employs various\npoisoned pawns in the form of malware-laden spear-phishing emails\ncontaining decoy documents.\n2017\nOperation “Soft Cell”\nEarlier this year, Cybereason identified an advanced, persistent attack\ntargeting telecommunications providers that has been underway for\nyears, soon after deploying into the environment.\nThe threat actor was attempting to steal all data stored in the active\ndirectory, compromising every single username and password in the\norganization, along with other personally identifiable information,\nbilling data, call detail records, credentials, email servers, geo-location\nof users, and more.\nNov 2017 Targeted Norwegian MSP and US Companies in Sustained Campaign\nA sustained cyberespionage campaign targeting at least three\ncompanies in the United States and Europe was uncovered by\nRecorded Future and Rapid7 between November 2017 and September\n2018.\n2018\nOperation “New Battle”\nThis report provides a technical overview of the bespoke RedLeaves\nimplants leveraged by the actor in their “new battle” campaign.\nJul 2018\nAttack on the Japanese media sector\nIn July 2018, FireEye devices detected and blocked what appears to be\nAPT10 (menuPass) activity targeting the Japanese media sector.\nJan 2019\nBreach of Airbus\nMar 2019\nOperation “A41APT”\nApr 2019\nIn April 2019, enSilo detected what it believes to be new activity by\nChinese cyber espionage group APT10. The variants discovered by\nenSilo are previously unknown and deploy malware that is unique to\nthe threat actor.\nOct 2019\nJapan-Linked Organizations Targeted in Long-Running and\nSophisticated Attack Campaign\nFeb 2021\nChinese hackers target Indian vaccine makers SII, Bharat Biotech, says\nsecurity firm\nApr 2021 Operation “Cuckoo Spear”\nCUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR\nPerspective\nNov 2021\nOperation “Cache Panda”\nA hacking group affiliated with the Chinese government is believed to\nhave carried out a months-long attack against Taiwan’s financial sector\nby leveraging a vulnerability in a security software solution used by\nroughly 80% of all local financial organizations.\nFeb 2022\nCicada: Chinese APT Group Widens Targeting in Recent Espionage\nActivity\nEarly 2023\nSpot the Difference: Earth Kasha's New LODEINFO Campaign And\nThe Correlation Analysis With The APT10 Umbrella\nJun 2024\nGuess Who’s Back - The Return of ANEL in the Recent Earth Kasha\nSpear-phishing Campaign in 2024\nMar 2025\nEarth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and\nJapan\nCounter operations\nDec 2018\nChinese Hackers Indicted\nJul 2020\nEU imposes the first ever sanctions against cyber-attacks\nLast change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2aa9ca75-fa1b-422e-9677-02983934f983",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2aa9ca75-fa1b-422e-9677-02983934f983"
	],
	"report_names": [
		"showcard.cgi?u=2aa9ca75-fa1b-422e-9677-02983934f983"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d54276c-2f4f-4458-905f-d96510584627",
			"created_at": "2022-10-25T16:07:24.352336Z",
			"updated_at": "2026-04-10T02:00:04.951012Z",
			"deleted_at": null,
			"main_name": "Twisted Panda",
			"aliases": [],
			"source_name": "ETDA:Twisted Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433981,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/094f083d74b39fca931e8ec97dbef1a46089c4af.pdf",
		"text": "https://archive.orkl.eu/094f083d74b39fca931e8ec97dbef1a46089c4af.txt",
		"img": "https://archive.orkl.eu/094f083d74b39fca931e8ec97dbef1a46089c4af.jpg"
	}
}