{
	"id": "e06fd2c7-2c76-46ac-8ca7-df93a7fe531d",
	"created_at": "2026-04-06T00:07:06.529821Z",
	"updated_at": "2026-04-10T13:12:25.862339Z",
	"deleted_at": null,
	"sha1_hash": "2b2dcdbdd804a1d4266b1aa7bbe9e19eaa6e6563",
	"title": "Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68972,
	"plain_text": "Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign\r\nArchived: 2026-04-05 13:53:33 UTC\r\nA large-scale attack campaign is targeting multiple Japanese companies, including subsidiaries located in as many as 17 regions around the globe, in a likely intelligence-gathering operation.\r\nCompanies in multiple sectors are targeted in this campaign, including those operating in the automotive, pharmaceutical, and engineering sectors, as well as managed service providers (MSPs).\r\nThe scale and sophistication of this attack campaign indicate that it is the work of a large and well-resourced group, with Symantec, a division of Broadcom (NASDAQ: AVGO), discovering enough evidence to attribute it to Cicada (aka APT10, Stone Panda, Cloud Hopper). Cicada has been involved in espionage-type operations since 2009, and U.S. government officials have linked the activities of APT10, which we track as Cicada, to the Chinese government.\r\nCicada has historically been known to target Japan-linked organizations, and has also targeted MSPs in the past.\r\nThe group is using living-off-the-land tools as well as custom malware in this attack campaign, including a custom malware - Backdoor.Hartip - that Symantec has not seen being used by the group before. Among the machines compromised during this attack campaign were domain controllers and file servers, and there was evidence of files being exfiltrated from some of the compromised machines.\r\nThe attackers extensively use DLL side-loading in this campaign, and were also seen leveraging the ZeroLogon vulnerability that was patched in August 2020.\r\nHow was this campaign discovered?\r\nThis campaign was first discovered by Symantec when suspicious DLL side-loading activity on one of our customer’s networks triggered an alert in our Cloud Analytics technology, which is available in Symantec Endpoint Security Complete (SESC). 
This activity was then reviewed by our Threat Hunter analysts before being passed on to our investigations team for further analysis.\r\nCloud Analytics leverages artificial intelligence to comb through Symantec’s vast data and spot patterns associated with targeted attacks. It is capable of automatically flagging incidents that would otherwise have taken thousands of hours of analyst time to identify. The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada. It also allowed us to update and create new protections to ensure our customers are protected from this activity.\r\nVictims\r\nThis campaign has been ongoing since at least mid-October 2019, right up to the beginning of October 2020, with the attack group active on the networks of some of its victims for close to a year. The campaign is very wide-ranging, with victims in a large number of regions worldwide.\r\nFigure 1. Locations of some of the companies targeted in this campaign; most of those targeted have links to Japan or Japanese organizations\r\nThe companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together. Cicada has been known to have a strong focus on Japanese organizations in previous attack campaigns. As is clear from the map in Figure 1, South and East Asia are strong areas of focus for the attackers in this campaign. 
It is unusual to see a reportedly Chinese-government-linked group attacking companies within China’s borders but, like many of the companies targeted in this campaign, the target in that instance is a subsidiary of a Japanese organization.\r\nWe also saw similar loaders on all the victim networks. These are among the main factors linking these victims together, with all of them coming from a wide variety of sectors, including:\r\nAutomotive, with some manufacturers and organizations involved in supplying parts to the motor industry also targeted, indicating that this is a sector of strong interest to the attackers\r\nClothing\r\nConglomerates\r\nElectronics\r\nEngineering\r\nGeneral Trading Company\r\nGovernment\r\nIndustrial Products\r\nManaged Service Providers\r\nManufacturing\r\nPharmaceutical\r\nProfessional Services\r\nThe amount of time the attackers spent on the networks of victims varied: on some victim networks they spent a significant amount of time, on others just days. In some cases the attackers spent some time on a network, the activity then ceased, and it started again some months later.\r\nTactics, tools, and procedures\r\nWe observed the attackers using a wide variety of living-off-the-land, dual-use, and publicly available tools and techniques in these attacks, including:\r\nNetwork Reconnaissance – gathering information from machines on the network.\r\nCredential Theft – stealing user names and passwords, potentially to provide them with further access to the victim network.\r\nRAR archiving – files are transferred to staging servers before exfiltration. 
They may be encrypted or compressed, to make them easier to extract.\r\nCertutil – a command-line utility that can be abused for various malicious purposes, such as decoding information, downloading files, and installing browser root certificates.\r\nAdfind – a command-line tool that can be used to perform Active Directory queries.\r\nCsvde – can be used to extract Active Directory files and data.\r\nNtdsutil – can be used as a credential-dumping tool.\r\nWMIExec – can be used for lateral movement and to execute commands remotely.\r\nPowerShell - a powerful interactive command-line interface and scripting environment included in the Windows operating system. It can be used to find information and execute code, and is frequently abused by malicious actors.\r\nThe threat actors also use a legitimate cloud file-hosting service for exfiltration.\r\nThe attackers also use DLL side-loading at multiple stages during the attack, including using it to load Backdoor.Hartip. DLL side-loading occurs when attackers are able to replace a legitimate library with a malicious one, allowing them to load malware into legitimate processes. Attackers use DLL side-loading to try to hide their activity by making it look legitimate, and it also helps them avoid detection by security software. It is a tactic that is commonly used by APT groups and has often been observed being used by nation-state backed actors.\r\nMonitoring networks for unusual activity, as Symantec’s Cloud Analytics technology does, is key for detecting this kind of malicious activity.\r\nThe attackers were also seen deploying a tool capable of exploiting the ZeroLogon vulnerability (CVE-2020-1472). 
The critical elevation-of-privilege vulnerability was first disclosed and patched on August 11, 2020, and can allow attackers to spoof a domain controller account and then potentially use it to steal domain credentials, take over the domain, and completely compromise all Active Directory identity services. It has been exploited by multiple malicious actors since its disclosure, leading both Microsoft and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings to Windows users to patch the issue as quickly as possible.\r\nLinks to Cicada\r\nThe scale and sophistication of this attack campaign indicate that it is the work of a large and well-resourced group, such as a nation-state actor, with Symantec discovering enough evidence to attribute it with medium confidence to Cicada.\r\nSymantec analysts have linked this activity to Cicada due to the use of previously seen obfuscation techniques and shellcode on loader DLLs.\r\nActivity seen in one of the victim organizations has various trait similarities with previously seen Cicada activity that was described in a blog by Cylance in 2019, including:\r\nThird-stage DLL has an export named \"FuckYouAnti\"\r\nThird-stage DLL uses CppHostCLR technique to inject and execute the .NET loader assembly\r\n.NET Loader is obfuscated with ConfuserEx v1.0.0\r\nFinal payload is QuasarRAT – an open-source backdoor used by Cicada in the past\r\nIn another affected organization, the loaders deploying Backdoor.Hartip overlap in the obfuscation and shellcode used, making us confident it is the same actor in both organizations.\r\nSimilarities between activity in both organizations\r\nSide-loading DLL\r\nC++ usage\r\nAPI call sequence\r\nGetModuleFileName -\u003e lstrcat -\u003e CreateFile -\u003e ReadFile\r\nLoad next-stage payload 
from another file\r\nObfuscation: lots of garbage OutputDebugString, _time64, srand, rand API calls\r\nFigure 2. Image showing links between Cicada and two victim organizations in this campaign\r\nThese similarities leave us confident that this is the same group carrying out this activity in both organizations, and that this group is Cicada. Historically, Cicada has been seen using custom DLL loaders to decrypt and execute its final payload, as is observed in these attacks. We also saw loaders similar to those used in these two organizations on other victim networks.\r\nThe scale of the operations also points to a group of Cicada’s size and capabilities. The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state backed groups. The link all the victims have to Japan also points towards Cicada, which has been known to target Japanese organizations in the past.\r\nThe targeting of MSPs is also a hallmark of Cicada’s activity. Successfully compromising an MSP can give attackers high-level access to multiple companies without them having to compromise the individual companies’ networks.\r\nWe have also seen Cicada utilizing some of the same publicly available tools – such as WMIExec – in the past.\r\nThe attackers also take various steps to reduce the chances of their activity being spotted – including searching for security software on victim machines using WMIC, and using PowerShell to clear event logs to hide their activity once they are finished on victim machines. 
This kind of activity is the hallmark of sophisticated and experienced threat actors.\r\nAll of these facts point to Cicada being the perpetrator of these wide-ranging and sophisticated attacks.\r\nIntelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including, in one organization, folders relating to human resources (HR), audit and expense data, and meeting memos.\r\nConclusion\r\nJapan-linked organizations need to be on alert as it is clear they are a key target of this sophisticated and well-resourced group, with the automotive industry seemingly a key target in this attack campaign. However, with the wide range of industries targeted by these attacks, Japanese organizations in all sectors need to be aware that they are at risk of this kind of activity.\r\nCicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous. 
Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor that has not been observed by Symantec before show that it continues to evolve its tools and tactics to actively target its victims.\r\nThe group’s use of techniques such as DLL side-loading and a wide array of living-off-the-land tools underlines the need for organizations to have a comprehensive security solution in place to detect this kind of suspicious activity before actors like Cicada have the chance to deploy malware or steal information from their networks.\r\nProtection/Mitigation\r\nThis activity was first discovered thanks to an alert triggered by our Cloud Analytics technology, which is available in Symantec Endpoint Security Complete (SESC).\r\nIndicators of Compromise (IoCs)\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage"
	],
	"report_names": [
		"cicada-apt10-japan-espionage"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b2dcdbdd804a1d4266b1aa7bbe9e19eaa6e6563.pdf",
		"text": "https://archive.orkl.eu/2b2dcdbdd804a1d4266b1aa7bbe9e19eaa6e6563.txt",
		"img": "https://archive.orkl.eu/2b2dcdbdd804a1d4266b1aa7bbe9e19eaa6e6563.jpg"
	}
}