{
	"id": "3c79feca-ae7d-44e0-b99a-0f3b44d1cf6e",
	"created_at": "2026-04-06T00:12:08.301539Z",
	"updated_at": "2026-04-10T03:36:06.87977Z",
	"deleted_at": null,
	"sha1_hash": "500775ea85be6e7d6730f0f358cbbc4fc74d81a9",
	"title": "Chinese Hackers Carried Out Country-Level Watering Hole Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 381375,
	"plain_text": "Chinese Hackers Carried Out Country-Level Watering Hole\r\nAttack\r\nBy The Hacker News\r\nPublished: 2018-06-14 · Archived: 2026-04-05 18:52:05 UTC\r\nCybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an\r\nunnamed central Asian country in order to conduct watering hole attacks.\r\nThe campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers\r\nfrom Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called\r\nLuckyMouse.\r\nLuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of\r\nChinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year.\r\nThe group has been active since at least 2010 and was behind many previous attack campaigns resulting in the\r\ntheft of massive amounts of data from the directors and managers of US-based defense contractors.\r\nThis time the group chose a national data center as its target from an unnamed country in Central Asia in an\r\nattempt to gain \"access to a wide range of government resources at one fell swoop.\"\r\nhttps://thehackernews.com/2018/06/chinese-watering-hole-attack.html\r\nPage 1 of 3\n\nAccording to the researchers, the group injected malicious JavaScript code into the official government websites\r\nassociated with the data center in order to conduct watering hole attacks.\r\nAlthough LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to\r\nweaponize Office documents in the past, researchers have no proofs of this technique being used in this particular\r\nattack against the data center.\r\nThe initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse\r\npossibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at 
the\r\nnational data center.\r\nThe attack against the data center eventually infected the targeted system with a piece of malware called\r\nHyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote\r\nadministration.\r\n\"There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that\r\ndifferent users in the country started being redirected to the malicious domain update.iaacstudio[.]com\r\nas a result of the waterholing of government websites,\" the researchers said in a blog post published\r\ntoday.\r\n\"These events suggest that the data center infected with HyperBro and the waterholing campaign are\r\nconnected.\"\r\nAs a result of the waterholing attack, the compromised government websites redirected the country's visitors to\r\neither the penetration testing suite Browser Exploitation Framework (BeEF), which focuses on the web browser, or the\r\nScanBox reconnaissance framework, which performs the same tasks as a keylogger.\r\nhttps://thehackernews.com/2018/06/chinese-watering-hole-attack.html\r\nPage 2 of 3\n\nThe main command and control (C\u0026C) server used in this attack is hosted on an IP address which belongs to a\r\nUkrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016.\r\nResearchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro\r\nmalware's HTTP requests without detection.\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2018/06/chinese-watering-hole-attack.html\r\nhttps://thehackernews.com/2018/06/chinese-watering-hole-attack.html\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thehackernews.com/2018/06/chinese-watering-hole-attack.html"
	],
	"report_names": [
		"chinese-watering-hole-attack.html"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27",
				"Bowser",
				"Budworm",
				"Circle Typhoon",
				"Emissary Panda",
				"Group35",
				"Iron Tiger",
				"Linen Typhoon",
				"Lucky Mouse",
				"TG-3390",
				"Temp.Hippo"
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/500775ea85be6e7d6730f0f358cbbc4fc74d81a9.pdf",
		"text": "https://archive.orkl.eu/500775ea85be6e7d6730f0f358cbbc4fc74d81a9.txt",
		"img": "https://archive.orkl.eu/500775ea85be6e7d6730f0f358cbbc4fc74d81a9.jpg"
	}
}