{
	"id": "922e5e56-65d7-4e3c-ade7-f06a90da5887",
	"created_at": "2026-04-06T00:10:27.282067Z",
	"updated_at": "2026-04-10T03:38:09.6975Z",
	"deleted_at": null,
	"sha1_hash": "1a5c458e5fe8d5becdc641de07ce00c716d32c6c",
	"title": "Potential for China Cyber Response to Heightened U.S.–China Tensions | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 268714,
	"plain_text": "Potential for China Cyber Response to Heightened U.S.–China\r\nTensions | CISA\r\nPublished: 2020-10-20 · Archived: 2026-04-05 22:20:07 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework.\r\nSee the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nNote: on October 20, 2020, the National Security Agency (NSA) released a cybersecurity advisory providing\r\ninformation on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target\r\ncomputer networks holding sensitive intellectual property, economic, political, and military information. This\r\nAlert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see\r\nTable 4).\r\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security\r\nAgency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and\r\nprocedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our\r\nNation’s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert,\r\nCISA recommends organizations take the following actions.\r\n1. Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume\r\nrelevant threat intelligence, and update emergency call trees.\r\n2. Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities\r\nand can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs\r\nfor immediate response.\r\n3. Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being\r\nof an organization’s workforce and cyber infrastructure depends on awareness of threat activity. 
Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).\r\n4. Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes? Are the various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\r\nTechnical Details\r\nChina Cyber Threat Profile\r\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The “Made in China 2025” 10-year plan outlines China’s top-level policy priorities.[1],[2]\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-275a\r\nPage 1 of 21\r\nChina may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[3] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\r\nThe U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People’s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks, either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of its activities to secure information critical to advancing its economic prowess and competitive advantage.\r\n
Chinese Cyber Activity\r\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\r\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.\r\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\r\nFebruary 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China: a comprehensive report publicly exposed APT1 as part of China’s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[4] APT1 established access to the victims’ networks and methodically exfiltrated IP across a large range of industries identified in China’s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[5]\r\nApril 2017 – Chinese APTs Targeting IP in 12 Countries: CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[6]\r\nDecember 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs): DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[7] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[8]\r\nFebruary 2020 – China’s Military Indicted for 2017 Equifax Hack: DOJ indicted members of China’s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company’s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach affected roughly half of all American citizens and exposed Equifax’s trade secrets.[9]\r\nMay 2020 – China Targets COVID-19 Research Organizations: the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China.[10] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[11],[12]\r\nCommon TTPs of Publicly Known Chinese Threat Actors\r\nThe section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT\u0026CK framework. 
Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions.\r\nPRE-ATT\u0026CK TTPs\r\nChinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (Technical Information Gathering [TA0015]), staging (Stage Capabilities [TA0026]), and testing (Test Capabilities [TA0025]) before executing an attack. PRE-ATT\u0026CK techniques can be difficult to detect and mitigate; however, defenders should be aware of the use of these techniques.\r\nTable 1: Chinese threat actor PRE-ATT\u0026CK techniques\r\nTechnique: Acquire and/or Use 3rd Party Software Services [T1330]\r\nDescription: Staging and launching attacks from software-as-a-service solutions that cannot be easily tied back to the APT.\r\n\r\nTechnique: Compromise 3rd Party Infrastructure to Support Delivery [T1334]\r\nDescription: Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure).\r\n\r\nTechnique: Domain Registration Hijacking [T1326]\r\nDescription: Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes.\r\n\r\nTechnique: Acquire Open-Source Intelligence (OSINT) Data Sets and Information [T1247]\r\nDescription: Gathering data and information from publicly available sources, including public-facing websites of the target organization.\r\n\r\nTechnique: Conduct Active Scanning [T1254]\r\nDescription: Gathering information on target systems by scanning the systems for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet.\r\n\r\nTechnique: Analyze Architecture and Configuration Posture [T1288]\r\nDescription: Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks.\r\n\r\nTechnique: Upload, Install, and Configure Software/Tools [T1362]\r\nDescription: Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access.\r\n
Enterprise ATT\u0026CK TTPs\r\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly available tooling, including penetration-testing frameworks and commodity malware, such as:\r\nCobalt Strike and Beacon\r\nMimikatz\r\nPoisonIvy\r\nPowerShell Empire\r\nChina Chopper Web Shell\r\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT\u0026CK framework.\r\nTable 2: Common Chinese threat actor techniques, detection, and mitigation\r\nTechnique: Obfuscated Files or Information [T1027]\r\nDetection: Detect obfuscation by analyzing signatures of modified files. Flag common syntax used in obfuscation.\r\nMitigation: Use antivirus/antimalware software to analyze commands after processing.\r\n\r\nTechnique: Phishing: Spearphishing Attachment [T1566.001] and Spearphishing Link [T1566.002]\r\nDetection: Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network. Use detonation chambers to inspect email attachments in isolated environments.\r\nMitigation: Quarantine suspicious files with antivirus solutions. Use network intrusion prevention systems to scan and remove malicious email attachments. Train users to identify phishing emails and notify IT.\r\n\r\nTechnique: System Network Configuration Discovery [T1016]\r\nDetection: Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\r\nMitigation: This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.\r\n\r\nTechnique: Command and Scripting Interpreter: Windows Command Shell [T1059.003]\r\nDetection: Identify normal scripting behavior on the system, then monitor processes and command-line arguments for suspicious script execution behavior.\r\nMitigation: Only permit execution of signed scripts. Disable any unused shells or interpreters.\r\n\r\nTechnique: User Execution: Malicious File [T1204.002]\r\nDetection: Monitor the execution of, and command-line arguments for, applications (including compression applications) that an adversary may use to gain initial access through user interaction.\r\nMitigation: Set antivirus software to detect malicious documents and files downloaded and installed on endpoints. Use execution prevention to prevent the running of executables disguised as other files. Train users to identify phishing attacks and other malicious events that may require user interaction.\r\n\r\nTechnique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]\r\nDetection: Monitor the Startup folder for additions and changes. Monitor the registry for changes to run keys that do not correlate to known patches or software updates.\r\nMitigation: This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.\r\n\r\nTechnique: Command and Scripting Interpreter: PowerShell [T1059.001]\r\nDetection: Enable PowerShell logging. Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell. Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\r\nMitigation: Set PowerShell execution policy to execute only signed scripts. Disable PowerShell if not needed by the system. Disable the WinRM service to help prevent use of PowerShell for remote execution. Restrict PowerShell execution policy to administrators.\r\n\r\nTechnique: Hijack Execution Flow: DLL Side-Loading [T1574.002]\r\nDetection: Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect unusual differences unrelated to patching.\r\nMitigation: Use the program sxstrace.exe to check manifest files for side-loading vulnerabilities in software. Update software regularly, including patches for DLL side-loading vulnerabilities.\r\n\r\nTechnique: Ingress Tool Transfer [T1105]\r\nDetection: Monitor for unexpected file creation or file transfers into the network from external systems, which may be indicative of attackers staging tools in the compromised environment. Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\r\nMitigation: Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol.\r\n\r\nTechnique: Remote System Discovery [T1018]\r\nDetection: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\r\nMitigation: This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.\r\n\r\nTechnique: Software Deployment Tools [T1072]\r\nDetection: Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\r\nMitigation: Isolate access to critical network systems using group policies, multi-factor authentication (MFA), and firewalls. Patch deployment systems regularly. Use unique and limited credentials for access to deployment systems.\r\n\r\nTechnique: Brute Force: Password Spraying [T1110.003]\r\nDetection: Monitor logs for failed authentication attempts to valid accounts.\r\nMitigation: Use MFA. Set account lockout policies after a certain number of failed login attempts.\r\n\r\nTechnique: Network Service Scanning [T1046]\r\nDetection: Use NIDS to identify scanning activity.\r\nMitigation: Close unnecessary ports and services. Segment the network to protect critical servers and devices.\r\n\r\nTechnique: Email Collection [T1114]\r\nDetection: Monitor processes and command-line arguments for actions that could be taken to gather local email files.\r\nMitigation: Encrypt sensitive emails. Audit auto-forwarding email rules regularly. Use MFA for public-facing webmail servers.\r\n\r\nTechnique: Proxy: External Proxy [T1090.002]\r\nDetection: Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.\r\nMitigation: Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures.\r\n\r\nTechnique: Drive-by Compromise [T1189]\r\nDetection: Use firewalls and proxies to inspect URLs for potentially known-bad domains or parameters. Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.\r\nMitigation: Isolate and sandbox impacted systems and applications to restrict the spread of malware. Leverage security applications to identify malicious behavior during exploitation. Restrict web-based content through ad-blockers and script-blocking extensions.\r\n\r\nTechnique: Server Software Component: Web Shell [T1505.003]\r\nDetection: Analyze authentication logs, files, and netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.\r\nMitigation: Patch vulnerabilities in internet-facing applications. Leverage file integrity monitoring to identify file changes. Configure the server to block access to the web-accessible directory through the principle of least privilege.\r\n\r\nTechnique: Application Layer Protocol: File Transfer Protocols [T1071.002] and DNS [T1071.004]\r\nDetection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.\r\nMitigation: Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware.\r\n
Additional APT Activity\r\nThe TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, making it difficult to detect and respond to compromise. 
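The password-spraying row of Table 2 above says only to monitor failed authentication attempts, and on its own that instruction also matches ordinary mistyped passwords and single-account brute force. What separates a spray is one source failing against many distinct accounts while keeping each account under the lockout threshold, so account lockout (the table's own mitigation) never fires. The Python below is an added example written for this page, not code from CISA or the original alert: it parses constructed Windows Security event 4625 records (made up here in a simplified key=value form), slides a time window over each source's failures, and reports sources that hit at least min_accounts distinct accounts with no account exceeding max_per_account attempts. The record format, the sample lines, the thresholds and the window size are all assumptions.

```python
# Added example for this page: sliding-window password-spray detection over failed-logon
# records. The record format, sample lines, thresholds and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in a simplified key=value form. Only Event
# ID 4625 (failed logon) matters here; the 4624 success and the malformed line are noise.
# 203.0.113.7 tries six accounts once each (spray), 198.51.100.9 tries one account five
# times (brute force), 10.0.0.5 is a user mistyping a password twice (benign).
SAMPLE_LOG = '''
2020-10-20T09:00:01Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:00:02Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:00:03Z EventID=4625 TargetUserName=carol IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:00:04Z EventID=4625 TargetUserName=dave IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:00:05Z EventID=4625 TargetUserName=erin IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:00:06Z EventID=4625 TargetUserName=frank IpAddress=203.0.113.7 Status=0xC000006D
2020-10-20T09:05:00Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-20T09:05:01Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-20T09:05:02Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-20T09:05:03Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-20T09:05:04Z EventID=4625 TargetUserName=admin IpAddress=198.51.100.9 Status=0xC000006D
2020-10-20T09:10:00Z EventID=4625 TargetUserName=Alice IpAddress=10.0.0.5 Status=0xC000006D
2020-10-20T09:10:30Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D
2020-10-20T09:10:45Z EventID=4624 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
this line is not an event and is skipped
'''

def parse_event(line):
    # Return (timestamp, fields) for a 4625 record, or None for anything else.
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], '%Y-%m-%dT%H:%M:%SZ')
    except ValueError:
        return None
    fields = dict(tok.split('=', 1) for tok in parts[1:] if '=' in tok)
    if fields.get('EventID') != '4625':
        return None
    return ts, fields

def _attempts_by_source(log_text):
    # Map source IP -> chronologically sorted [(timestamp, account)], accounts lower-cased
    # so that Alice and alice count as one target.
    by_source = defaultdict(list)
    for event in map(parse_event, log_text.splitlines()):
        if event:
            ts, f = event
            by_source[f.get('IpAddress', '?')].append((ts, f.get('TargetUserName', '?').lower()))
    for attempts in by_source.values():
        attempts.sort()
    return by_source

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    # A spray is one source failing against at least min_accounts distinct accounts inside the
    # window while no single account exceeds max_per_account failures (so lockout never fires).
    # Returns {source: {accounts, attempts, first, last}} for the widest window seen per source.
    findings = {}
    for src, attempts in _attempts_by_source(log_text).items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                best = findings.get(src)
                if best is None or len(per_account) > best['accounts']:
                    findings[src] = {'accounts': len(per_account), 'attempts': end - start + 1,
                                     'first': attempts[start][0], 'last': attempts[end][0]}
    return findings

def classify_sources(log_text, max_per_account=3, **kwargs):
    # Label each source: spray (above), brute_force (one account pushed past the per-account
    # ceiling, judged on totals, which is enough for this sample), or benign.
    sprays = detect_spray(log_text, max_per_account=max_per_account, **kwargs)
    labels = {}
    for src, attempts in _attempts_by_source(log_text).items():
        per_account = defaultdict(int)
        for _, account in attempts:
            per_account[account] += 1
        if src in sprays:
            labels[src] = 'spray'
        elif max(per_account.values()) > max_per_account:
            labels[src] = 'brute_force'
        else:
            labels[src] = 'benign'
    return labels

if __name__ == '__main__':
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
    print(classify_sources(SAMPLE_LOG))
```

Set max_per_account just below the domain lockout threshold: a spray tuned to stay under lockout is then exactly what gets flagged, while a brute force against one account trips lockout and shows up as the brute_force label instead. Against real 4625 data the same logic applies, but the spray source is often a proxy or a rotating set of addresses, so grouping by source IP should be complemented by grouping on the workstation name or on the whole population of failures in the window.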
Publicly reported examples[13] include:\r\nAPT3 (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing command and control (C2) infrastructure make them difficult to track. APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using return-oriented programming (ROP) chains.[14]\r\nAPT10 (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.\r\nAPT19 (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and makes extensive use of PowerShell for C2 over Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS).[15]\r\nAPT40 (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.\r\nAPT41 (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[16]\r\nMitigations\r\nRecommended Actions\r\nThe following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.\r\n1. Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. 
Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally-facing (i.e., internet) equipment. Certain vulnerabilities—including CVE-2012-0158 in Microsoft products [17], CVE-2019-19781 in Citrix devices [18], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [19]—have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [20], an opportunistic attack that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.\r\n
Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors\r\nCVE-2012-0158\r\nVulnerable products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\r\nPatch information: Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution\r\n\r\nCVE-2020-5902\r\nVulnerable products: BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\r\nPatch information: F5 Security Advisory K52145254: TMUI RCE vulnerability CVE-2020-5902\r\n\r\nCVE-2019-19781\r\nVulnerable products: Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP\r\nPatch information: Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0; Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0; Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5\r\n\r\nCVE-2019-11510\r\nVulnerable products: Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15; Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\r\nPatch information: Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\r\n\r\nCVE-2019-16920\r\nVulnerable products: D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825\r\nPatch information: D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability\r\n\r\nCVE-2019-16278\r\nVulnerable products: Nostromo 1.9.6 and below\r\nPatch information: Nostromo 1.9.6 Directory Traversal/Remote Command Execution; Nostromo 1.9.6 Remote Code Execution\r\n\r\nCVE-2019-1652\r\nVulnerable products: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\r\nPatch information: Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability\r\n\r\nCVE-2019-1653\r\nVulnerable products: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\r\nPatch information: Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability\r\n\r\nCVE-2020-10189\r\nVulnerable products: Zoho ManageEngine Desktop Central before 10.0.474\r\nPatch information: ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)\r\n
Table 4: Patch information for NSA-listed vulnerabilities used by Chinese state-sponsored cyber actors [21]\r\nCVE-2020-8193\r\nVulnerable products: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\r\nPatch information: Citrix Security Bulletin CTX276688\r\n\r\nCVE-2020-8195\r\nVulnerable products: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\r\nPatch information: Citrix Security Bulletin CTX276688\r\n\r\nCVE-2020-8196\r\nVulnerable products: Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18; Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\r\nPatch information: Citrix Security Bulletin CTX276688\r\n\r\nCVE-2019-0708\r\nVulnerable products: Windows 7 for 32-bit and x64-based Systems SP1; Windows Server 2008 for 32-bit Systems SP2 (and Server Core installation), for Itanium-Based Systems SP2, and for x64-based Systems SP2 (and Server Core installation); Windows Server 2008 R2 for Itanium-Based Systems SP1 and for x64-based Systems SP1 (and Server Core installation)\r\nPatch information: Microsoft Security Advisory for CVE-2019-0708\r\n\r\nCVE-2020-15505\r\nVulnerable products: MobileIron Core \u0026 Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\r\nPatch information: MobileIron Blog: MobileIron Security Updates Available\r\n\r\nCVE-2020-1350\r\nVulnerable products: Windows Server 2008 for 32-bit and x64-based Systems SP2 (and Server Core installations); Windows Server 2008 R2 for x64-based Systems SP1 (and Server Core installation); Windows Server 2012, 2012 R2, 2016, and 2019 (and Server Core installations); Windows Server, version 1903, 1909, and 2004 (Server Core installations)\r\nPatch information: Microsoft Security Advisory for CVE-2020-1350\r\n\r\nCVE-2020-1472\r\nVulnerable products: Windows Server 2008 R2 for x64-based Systems SP1 (and Server Core installation); Windows Server 2012 (and Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019 (and Server Core installation); Windows Server, version 1903, 1909, and 2004 (Server Core installations)\r\nPatch information: Microsoft Security Advisory for CVE-2020-1472\r\n\r\nCVE-2020-1040\r\nVulnerable products: Windows Server 2008 R2 for x64-based Systems SP1 (and Server Core installation); Windows Server 2012, 2012 R2, and 2016 (and Server Core installations)\r\nPatch information: Microsoft Security Advisory for CVE-2020-1040\r\n\r\nCVE-2018-6789\r\nVulnerable products: Exim before 4.90.1\r\nPatch information: Exim page for CVE-2018-6789; Exim patch information for CVE-2018-6789\r\n\r\nCVE-2020-0688\r\nVulnerable products: Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Updates 14 and 15; Microsoft Exchange Server 2019 Cumulative Updates 3 and 4\r\nPatch information: Microsoft Security Advisory for CVE-2020-0688\r\n\r\nCVE-2018-4939\r\nVulnerable products: ColdFusion 2016 Update 5 and earlier versions; ColdFusion 11 Update 13 and earlier versions\r\nPatch information: Adobe Security Bulletin APSB18-14\r\n\r\nCVE-2015-4852\r\nVulnerable products: Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0\r\nPatch information: Oracle Critical Patch Update Advisory - October 2016\r\n\r\nCVE-2020-2555\r\nVulnerable products: Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0\r\nPatch information: Oracle Critical Patch Update Advisory - January 2020\r\n\r\nCVE-2019-3396\r\nVulnerable products: Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2\r\nPatch information: Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396\r\n\r\nCVE-2019-11580\r\nVulnerable products: Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4\r\nPatch information: Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580\r\n\r\nCVE-2020-10189\r\nVulnerable products: Zoho ManageEngine Desktop Central before 10.0.474\r\nPatch information: ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)\r\n\r\nCVE-2019-18935\r\nVulnerable products: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023\r\nPatch information: Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization\r\n\r\nCVE-2020-0601\r\nVulnerable products: Windows 10 for 32-bit and x64-based Systems; Windows 10 Version 1607 for 32-bit and x64-based Systems; Windows 10 Versions 1709, 1803, 1809, 1903, and 1909 for 32-bit, ARM64-based, and x64-based Systems; Windows Server 2016 and 2019 (and Server Core installations); Windows Server, version 1803, 1903, and 1909 (Server Core installations)\r\nPatch information: Microsoft Security Advisory for CVE-2020-0601\r\n\r\nCVE-2019-0803\r\nVulnerable products: Windows 10 for 32-bit and x64-based Systems; Windows 10 Versions 1607 and 1703 for 32-bit and x64-based Systems; Windows 10 Versions 1709, 1803, and 1809 for 32-bit, ARM64-based, and x64-based Systems; Windows 7 for 32-bit and x64-based Systems SP1; Windows 8.1 for 32-bit and x64-based systems; Windows RT 8.1; Windows Server 2008 for 32-bit Systems SP2 (and Server Core installation), for Itanium-Based Systems SP2, and for x64-based Systems SP2 (and Server Core installation); Windows Server 2008 R2 for Itanium-Based Systems SP1 and for x64-based Systems SP1 (and Server Core installation); Windows Server 2012, 2012 R2, 2016, and 2019 (and Server Core installations); Windows Server, version 1803 (Server Core installation)\r\nPatch information: Microsoft Security Advisory for CVE-2019-0803\r\n\r\nCVE-2017-6327\r\nVulnerable products: Symantec Messaging Gateway before 10.6.3-267\r\nPatch information: Broadcom Security Updates Detail for CVE-2017-6327 and CVE-2017-6328\r\n\r\nCVE-2020-3118\r\nVulnerable products: ASR 9000 Series Aggregation Services Routers; Carrier Routing System (CRS); IOS XRv 9000 Router; Network Convergence System (NCS) 540 Series Routers; NCS 560 Series Routers; NCS 1000 Series Routers; NCS 5000 Series Routers; NCS 5500 Series Routers; NCS 6000 Series Routers\r\nPatch information: Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce\r\n\r\nCVE-2020-8515\r\nVulnerable products: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices\r\nPatch information: DrayTek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)\r\n
2. Implement rigorous configuration management programs. Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks.\r\n3. Disable unnecessary ports, protocols, and services. 
Review network security device logs and determine\r\nwhether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity.\r\nTurn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play\r\n[UPnP], PowerShell).\r\n \r\n4. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused\r\noperations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best\r\npractices of restricting attachments via email. Ensure that log information is aggregated and correlated to\r\nenable maximum detection capabilities, with a focus on monitoring for account misuse.\r\n \r\n5. Use protection capabilities to stop malicious activity. Implement antivirus software and other endpoint\r\nprotection capabilities to automatically detect and prevent malicious files from executing. Use network\r\nintrusion detection and prevention systems to identify and prevent commonly employed adversarial\r\nmalware and limit nefarious data transfers.\r\nContact Information\r\nCISA encourages recipients of this report to contribute any additional information that they may have related to\r\nthis threat. For any questions related to this report, please contact CISA at:\r\n1-888-282-0870 (From outside the United States: +1-703-235-8832)\r\nCentral@cisa.dhs.gov (UNCLASS)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code,\r\nsoftware vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at\r\nhttp://www.us-cert.cisa.gov/.\r\nReferences\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-275a\r\nPage 20 of 21\n\n[1] White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual\r\nProperty of the United States and the World\r\n[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress\r\n[3] Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade\r\n[4] Mandiant: APT1 Exposing One of China’s Cyber Espionage Units\r\n[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers\r\n[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services\r\n[13] FireEye Advanced Persistent Threat Groups\r\n[14] MITRE ATT\u0026CK: APT3\r\n[15] MITRE ATT\u0026CK: APT19\r\n[16] MITRE ATT\u0026CK: APT41\r\nRevisions\r\nOctober 1, 2020: Initial Version|October 20, 2020: Recommended Actions Section Updated\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-275a\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-275a\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-275a"
	],
	"report_names": [
		"aa20-275a"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434227,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a5c458e5fe8d5becdc641de07ce00c716d32c6c.pdf",
		"text": "https://archive.orkl.eu/1a5c458e5fe8d5becdc641de07ce00c716d32c6c.txt",
		"img": "https://archive.orkl.eu/1a5c458e5fe8d5becdc641de07ce00c716d32c6c.jpg"
	}
}