{
	"id": "b792b32c-50c0-4b7d-927c-8a9a8c436c25",
	"created_at": "2026-04-29T08:21:58.977563Z",
	"updated_at": "2026-04-29T10:42:31.357162Z",
	"deleted_at": null,
	"sha1_hash": "4d310db9ae970b9a8cd3ea413b0d8e3d7d446146",
	"title": "Buckeye cyberespionage group shifts gaze from US to Hong Kong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95458,
	"plain_text": "Buckeye cyberespionage group shifts gaze from US to Hong Kong\r\nPublished: 2016-09-06 · Archived: 2026-04-29 07:00:32 UTC\r\nBuckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is\r\nbelieved to have been operating for well over half a decade. Traditionally, the group attacked organizations in the\r\nUS as well as other targets. However, Buckeye’s focus appears to have changed as of June 2015, when the group\r\nbegan compromising political entities in Hong Kong. Since March 2016, the group has appeared to mostly focus\r\non organizations in Hong Kong, sending malicious emails to targets as recently as August 4, and attempting to\r\nspread within compromised networks in order to steal information.\r\nUsing the combined threat intelligence of Symantec and Blue Coat Systems, we have built a clear and concise\r\npicture of how Buckeye has evolved its tactics in recent years. This has allowed us to further enhance our\r\nprotection capabilities against the group’s campaigns.\r\nBackground\r\nSymantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in\r\nseveral regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s\r\nnetwork in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails. Symantec has identified additional tools used by the group, which will be discussed later.\r\nBuckeye has been known to exploit zero-day vulnerabilities in the past, such as CVE-2010-3962 in a campaign\r\nin 2010 and CVE-2014-1776 in 2014. Although other zero-day attacks have been reported, they have not been\r\nconfirmed by Symantec. All zero-day exploits known, or suspected, to have been used by this group are for\r\nvulnerabilities in Internet Explorer and Flash.\r\nShifting focus of attacks\r\nMore recently, Symantec telemetry has revealed Backdoor.Pirpi connections from compromised computers based\r\nin Hong Kong dating back to August 2015. The infections significantly increased in number towards the end of\r\nMarch 2016 and the beginning of April 2016. Additional investigations discovered related malware samples and\r\ndetermined that targeted organizations were political entities in Hong Kong.\r\nIn at least some of these recent attacks, Buckeye used spear-phishing emails with a malicious .zip attachment. The\r\n.zip archive attached to the email contains a Windows shortcut (.lnk) file with the Microsoft Internet Explorer\r\nlogo. Clicking on the shortcut ultimately leads to Backdoor.Pirpi being downloaded and executed on the affected\r\ncomputer.\r\nWho’s being targeted?\r\nhttps://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong\r\nPage 1 of 4\r\nFrom 2015 to date, Symantec identified approximately 82 organizations in various regions that had Buckeye tools\r\npresent on their network. However, this is not an accurate picture of the targets of interest to Buckeye. The group\r\ncasts a wide net while trawling for targets but only remains active on the networks of organizations it is interested\r\nin. Symantec determined a more accurate picture of Buckeye’s targets by looking at where Buckeye remained\r\nactive on the network longer than a day, deployed additional tools, and spread onto multiple computers. After\r\nthese filters were applied to our data, we found a total of 17 organizations, located in Hong Kong (13), the US (3),\r\nand the UK (1).\r\nFigure 1. Buckeye victims of interest by region (2015 to date)\r\nIt should be noted that this data goes back to 2015 and that the proportion of targets in Hong Kong from March\r\n2016 would be considerably higher. Up to mid-2015, Buckeye’s traditional targets were varying categories of US\r\norganizations, which match the types of victims seen in the UK. Buckeye’s interests changed substantially around\r\nJune 2015 when the group began infecting organizations in Hong Kong. Infections in the UK and US ceased\r\nshortly after this time.\r\nFigure 2. Organizations that Buckeye targeted over time, per region\r\nMalware and tools\r\nBuckeye uses a number of hacking tools as well as malware. Many of the hacking tools are open source\r\napplications that have been patched or modified in some manner by Buckeye in an attempt to evade detection.\r\nBuckeye uses Backdoor.Pirpi, a remote access Trojan capable of reading, writing, and executing files and\r\nprograms. Backdoor.Pirpi also collects information about the target’s local network, including the domain\r\ncontroller and workstations.\r\nAs mentioned previously, Buckeye also uses a number of hacking tools, including the following:\r\nKeylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install,\r\nRegister and Unregister. These parameters install it as a service. The keylogger then records keystrokes in\r\nencrypted files, for example: thumbcache_96.dbx. It also gathers network information such as the MAC address,\r\nIP address, WINS, DHCP server, and gateway.\r\nRemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. Usage is: %s\r\nshareIp domain [USER INFORMATION|[USER NAME AND PASSWORD]] [/run:[COMMAND]]\r\nThe commands to be passed consist of upload, download, Service (create, delete, start, stop), delete, rename, and\r\nAT.\r\nPwDumpVariant: This tool imports lsremora.dll (often downloaded by the attacker as part of the toolset) and\r\nuses the GetHash export of this DLL. On execution, the tool injects itself into lsass.exe and is triggered with the\r\nargument “dig”.\r\nOSInfo: OSInfo is a general-purpose system information gathering tool. It has the following command line\r\nargument help:\r\ninfo  \u003cServer/Domain\u003e [options]\r\n[options]:\r\n  -d Domain\r\n  -o OsInfo\r\n  -t TsInfo\r\n  -n NetuseInfo\r\n  -s ShareInfo ShareDir\r\n  -c Connect Test\r\n  -a Local And Global Group User Info\r\n  -l Local Group User Info\r\n  -g Global Group User Info\r\n  -ga Group Administrators\r\n  -gp Group Power Users\r\n  -gd Group Domain Admins\r\n  -f \u003cinfile\u003e //input server list from infile, OneServerOneLine\r\ninfo \u003c\\\\server\u003e \u003cuser\u003e\r\nChromePass: A tool from NirSoft used for recovering passwords stored in the Chrome browser.\r\nLazagne: A compiled Python tool that extracts passwords from various locally installed application classes, such\r\nas web browsers. The full list is: chats, svn, wifi, mails, windows, database, sysadmin, and browsers.\r\nBuckeye seems to target file and print servers, which makes it likely the group is looking to steal documents. This,\r\ncoupled with the group’s use of zero-day exploits in the past, customized tools, and the types of organizations\r\nbeing targeted, would suggest that Buckeye is a state-sponsored cyberespionage group.\r\nProtection\r\nSymantec, Norton, and Blue Coat products protect against the activities of this cyberespionage group.\r\nSymantec and Norton products offer the following detections:\r\nAntivirus\r\nBackdoor.Pirpi\r\nBackdoor.Pirpi!dr\r\nBackdoor.Pirpi!gen1\r\nBackdoor.Pirpi!gen2\r\nBackdoor.Pirpi!gen3\r\nBackdoor.Pirpi!gen4\r\nBackdoor.Pirpi.A\r\nBackdoor.Pirpi.B\r\nBackdoor.Pirpi.C\r\nBackdoor.Pirpi.D\r\nDownloader.Pirpi\r\nDownloader.Pirpi!g1\r\nIntrusion prevention system\r\nSystem Infected: Backdoor.Pirpi Activity 3\r\nUpdate–September 14, 2016:\r\nIndicators of compromise\r\nWe have compiled a list of indicators of compromise for the campaigns described in this blog.\r\nSource: https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
	],
	"report_names": [
		"buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-29T10:39:54.815675Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-29T10:39:53.006004Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"Buckeye",
				"BRONZE MAYFAIR",
				"Brocade Typhoon",
				"TG-0110",
				"Group 6",
				"Boyusec",
				"BORON",
				"Red Sylvan"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-29T10:39:54.567645Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-29T10:39:55.150006Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450918,
	"ts_updated_at": 1777459351,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d310db9ae970b9a8cd3ea413b0d8e3d7d446146.pdf",
		"text": "https://archive.orkl.eu/4d310db9ae970b9a8cd3ea413b0d8e3d7d446146.txt",
		"img": "https://archive.orkl.eu/4d310db9ae970b9a8cd3ea413b0d8e3d7d446146.jpg"
	}
}