{
	"id": "63182784-ce00-4003-bc97-01a8c7926ccb",
	"created_at": "2026-04-06T00:13:39.609677Z",
	"updated_at": "2026-04-10T03:37:26.405703Z",
	"deleted_at": null,
	"sha1_hash": "21cdfad30c76154a52afefd82f2f5a033258ba41",
	"title": "APT 3, Gothic Panda, Buckeye",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66549,
	"plain_text": "APT 3, Gothic Panda, Buckeye\r\nArchived: 2026-04-05 18:45:22 UTC\r\nNamesAPT 3 (Mandiant)\r\nGothic Panda (CrowdStrike)\r\nBuckeye (Symantec)\r\nTG-0110 (SecureWorks)\r\nBronze Mayfair (SecureWorks)\r\nUPS Team (Symantec)\r\nGroup 6 (Talos)\r\nRed Sylvan (PWC)\r\nBoron (Microsoft)\r\nBrocade Typhoon (Microsoft)\r\nG0022 (MITRE) Country China SponsorState-sponsored, Ministry of State Security and Internet security\r\nfirm Guangzhou Bo Yu Information Technology Company Limited (“Boyusec”) MotivationInformation theft and\r\nespionage First seen2007 Description(Recorded Future) APT3 (also known as UPS, Gothic Panda, and TG-0110)\r\nis a sophisticated threat group that has been active since at least 2010. APT3 utilizes a broad range of tools and\r\ntechniques including spear-phishing attacks, zero-day exploits, and numerous unique and publicly available\r\nremote access tools (RAT). Victims of APT3 intrusions include companies in the defense, telecommunications,\r\ntransportation, and advanced technology sectors — as well as government departments and bureaus in Hong\r\nKong, the U.S., and several other countries. ObservedSectors: Aerospace, Construction, Defense, High-Tech,\r\nManufacturing, Technology, Telecommunications, Transportation.\r\nCountries: Belgium, Hong Kong, Italy, Luxembourg, Philippines, Sweden, UK, USA, Vietnam. Tools usedAPT3\r\nKeylogger, Bemstour, DoublePulsar, EternalBlue, HTran, Hupigon, LaZagne, OSInfo, Pirpi, PlugX, RemoteCMD,\r\nshareip, TTCalc, w32times and several 0-days for IE, Firefox and Flash. Operations performed2007Hupigon and\r\nPirpi Backdoors\r\n\u003chttps://www.fireeye.com/blog/threat-research/2010/11/ie-0-day-hupigon-joins-the-party.html\u003e Apr\r\n2014Operation “Clandestine Fox”\r\nFireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The\r\nvulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both\r\nASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to\r\ntrack this issue.\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html\u003e Jun 2014Operation “Clandestine Fox”, Part Deux\r\nWhile Microsoft quickly released a patch to help close the door on future compromises, we have now observed\r\nthe threat actors behind “Operation Clandestine Fox” shifting their point of attack and using a new vector to target\r\ntheir victims: social networking.\r\n\u003chttps://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html\u003e Nov 2014Operation\r\n“Double Tap”\r\nThis actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92ced576-2522-4b79-8645-baa5e84ffee3\r\nPage 1 of 2\n\nattacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113.\nJun 2015Operation\n“Clandestine Wolf”\nIn the last several weeks, APT3 actors launched a large-scale phishing campaign against organizations in the\nfollowing industries: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications and\nTransportation.\nMar 2016Variant of the DoublePulsar Backdoor\nBeginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor\nthat was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a\ncustom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.\nMar 2016Buckeye cyberespionage group shifts gaze from US to\nHong Kong\nCounter\noperationsNov 2017DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets\nNov 2017U.S. Charges Three Chinese Hackers\nWho Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage\nInformation MITRE\nATT\u0026CK Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92ced576-2522-4b79-8645-baa5e84ffee3\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92ced576-2522-4b79-8645-baa5e84ffee3\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92ced576-2522-4b79-8645-baa5e84ffee3"
	],
	"report_names": [
		"showcard.cgi?u=92ced576-2522-4b79-8645-baa5e84ffee3"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"TG-0110",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21cdfad30c76154a52afefd82f2f5a033258ba41.pdf",
		"text": "https://archive.orkl.eu/21cdfad30c76154a52afefd82f2f5a033258ba41.txt",
		"img": "https://archive.orkl.eu/21cdfad30c76154a52afefd82f2f5a033258ba41.jpg"
	}
}