{
	"id": "4ab3ecc2-81a1-4362-b5f1-ee556b153cd5",
	"created_at": "2026-04-06T00:12:26.047993Z",
	"updated_at": "2026-04-10T13:12:13.662077Z",
	"deleted_at": null,
	"sha1_hash": "4f16e01c6f07c94e57ab46122d5a672b05c203b2",
	"title": "Chinese hackers linked to months-long attack on Taiwanese financial sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86865,
	"plain_text": "Chinese hackers linked to months-long attack on Taiwanese\r\nfinancial sector\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-05 21:09:06 UTC\r\nA hacking group affiliated with the Chinese government is believed to have carried out a months-long\r\nattack against Taiwan's financial sector by leveraging a vulnerability in a security software solution used by\r\nroughly 80% of all local financial organizations.\r\nThe attacks are believed to have started at the end of November 2021 and were still taking place this month,\r\naccording to a report shared with The Record today by Taiwanese security firm CyCraft.\r\nThe company attributed the intrusions—which it tracked under the codename of Operation Cache Panda—to a\r\nwell-known Chinese cyber-espionage group known in the cybersecurity industry as APT10.\r\nThe security firm told The Record in an interview earlier today that it couldn't share the name of the product\r\nexploited in the current attacks because of the ongoing law enforcement investigation and because of the efforts to\r\nhave a patch released and installed across the local financial sector.\r\nAPT10 disguised intrusions behind credential stuffing attack\r\nInstead, the company said that the attacks initially went undetected because they were misclassified. \r\nInvestigations into the November 2021 attacks missed the part where hackers exploited the software vulnerability\r\nand only saw a credential stuffing attack that APT10 used as a cover and a way to get access to some trading\r\naccounts, which they used to execute large transactions on the Hong Kong stock market.\r\nBut CyCraft researchers said that the credential stuffing attacks were only used as a cover. 
In reality, APT10\r\nexploited a vulnerability in the web interface of a security tool, planted a version of the ASPXCSharp web shell,\r\nand then used a tool called Impacket to scan a target company's internal network.\r\nThe attackers then used a technique called reflective code loading to run malicious code on local systems and\r\ninstall a version of the Quasar RAT that allowed the attackers persistent remote access to the infected system using\r\nreverse RDP tunnels.\r\nCyCraft said it was able to uncover the truth behind the November 2021 attacks after one of its customers was hit\r\nin February 2022.\r\n\"Further investigation showed that what was initially presumed to be two separate waves of cyberattacks was\r\nactually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not\r\npreviously observed,\" the company told The Record today.\r\n\"The objective of the attacks does not appear to have been financial gain but rather the exfiltration of brokerage\r\ninformation, PII data, and the disruption of investment during a period of economic growth for Taiwan,\" it added.\r\nThe attacks are not surprising, as Chinese cyberespionage groups have had Taiwan in their sights for years, having\r\nrepeatedly and relentlessly attacked almost all sectors of its local government and economy.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: 
https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/"
	],
	"report_names": [
		"chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f16e01c6f07c94e57ab46122d5a672b05c203b2.pdf",
		"text": "https://archive.orkl.eu/4f16e01c6f07c94e57ab46122d5a672b05c203b2.txt",
		"img": "https://archive.orkl.eu/4f16e01c6f07c94e57ab46122d5a672b05c203b2.jpg"
	}
}