{
	"id": "1464dac5-8e32-4789-8691-831135b39313",
	"created_at": "2026-04-06T00:12:05.814611Z",
	"updated_at": "2026-04-10T13:12:46.729593Z",
	"deleted_at": null,
	"sha1_hash": "3e046aafda21dee8c3fac802ba7a8686a2507c05",
	"title": "German govt warns of APT27 hackers backdooring business networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1103593,
	"plain_text": "German govt warns of APT27 hackers backdooring business networks\r\nBy Sergiu Gatlan\r\nPublished: 2022-01-26 · Archived: 2026-04-05 15:05:15 UTC\r\nThe BfV, Germany's domestic intelligence service (short for Bundesamt für Verfassungsschutz), warns of ongoing attacks coordinated by the Chinese-backed APT27 hacking group.\r\nThis active campaign is targeting German commercial organizations, with the attackers using the HyperBro remote access trojan (RAT) to backdoor their networks.\r\nHyperBro helps the threat actors maintain persistence on the victims' networks by acting as an in-memory backdoor with remote administration capabilities.\r\nhttps://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/\r\nPage 1 of 5\r\nThe agency said the threat group's goal is to steal sensitive information and that it may also attempt to target its victims' customers in supply chain attacks.\r\n\"The Federal Office for the Protection of the Constitution (BfV) has information about an ongoing cyber espionage campaign by the cyber attack group APT27 using the malware variant HYPERBRO against German commercial companies,\" the BfV said.\r\n\"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack).\"\r\nThe BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations check for HyperBro infections and for connections to APT27 command-and-control (C2) servers.\r\nHyperBro infection chain (BfV)\r\nBreaching networks via Zoho and Exchange servers\r\nAPT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group active since at least 2010 and known for its focus on information theft and cyberespionage campaigns.\r\nThe German intelligence agency says APT27 has been exploiting flaws in Zoho ADSelfService Plus, an enterprise password management solution for Active Directory and cloud apps, since March 2021.\r\nThis aligns with previous reports of Zoho ManageEngine installations being the target of multiple campaigns in 2021, coordinated by nation-state hackers using tactics and tooling similar to those employed by APT27.\r\nThey first used an ADSelfService zero-day exploit until mid-September, then switched to an n-day ADSelfService exploit, and started exploiting a ServiceDesk bug beginning with October 25.\r\nZoho ManageEngine campaigns (Unit 42)\r\nIn these attacks, they successfully compromised at least nine organizations from critical sectors worldwide, including defense, healthcare, energy, technology, and education, according to Palo Alto Networks researchers.\r\nIn light of these campaigns, the FBI and CISA issued joint advisories (1, 2) warning of APT actors exploiting ManageEngine flaws to drop web shells on the networks of breached critical infrastructure organizations.\r\nAPT27 and other Chinese-backed hacking groups were also linked to attacks exploiting critical ProxyLogon bugs in early March 2021 that allowed them to take over and steal data from unpatched Microsoft Exchange servers worldwide.\r\nThe US and its allies (the European Union, the United Kingdom, and NATO) officially blamed China in June for last year's widespread Microsoft Exchange hacking campaign.\r\nSource: https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/"
	],
	"report_names": [
		"german-govt-warns-of-apt27-hackers-backdooring-business-networks"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e046aafda21dee8c3fac802ba7a8686a2507c05.pdf",
		"text": "https://archive.orkl.eu/3e046aafda21dee8c3fac802ba7a8686a2507c05.txt",
		"img": "https://archive.orkl.eu/3e046aafda21dee8c3fac802ba7a8686a2507c05.jpg"
	}
}