{ "id": "641424ca-3fb4-4fc6-b3b7-5389f24a168c", "created_at": "2026-04-06T00:06:40.715835Z", "updated_at": "2026-04-10T13:12:43.679835Z", "deleted_at": null, "sha1_hash": "56431f3e820e255605aa40ba4927121fff1ddd50", "title": "German government warns of APT27 activity targeting local companies", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 111205, "plain_text": "German government warns of APT27 activity targeting local\r\ncompanies\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-05 15:24:07 UTC\r\nThe German government said on Tuesday that a Chinese cyberespionage group known as APT27 has repeatedly\r\nattacked German companies over the past few months using vulnerabilities in software like Microsoft Exchange\r\nand Zoho SelfService.\r\nThe attacks, which have been taking place since at least March 2021, have aimed to install a version of the\r\nHyperBro malware inside corporate networks for the purpose of intelligence collection from infected hosts, the\r\nFederal Office for the Protection of the Constitution (BfV) said in a press release.\r\n\"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, are also\r\ntrying to infiltrate the networks of (corporate) customers or service providers (supply chain attack),\" the BfV\r\nadded.\r\nAPT27 leveraged Microsoft Exchange and Zoho bugs\r\nAccording to the agency, APT27, also known as Emissary Panda, has used the following exploits as a way to get a\r\nfoothold inside companies that failed to patch their internet-exposed servers:\r\nCVE-2021-40539 - Zoho Manage Engine ADSelfService Plus\r\nCVE-2021-26855 - Microsoft Exchange\r\nCVE-2021-26857 - Microsoft Exchange\r\nCVE-2021-26858 - Microsoft Exchange\r\nCVE-2021-27065 - Microsoft Exchange\r\nAll of the above are well-known vulnerabilities previously exploited by other Chinese hacking groups. For\r\nexample, the four Exchange bugs, also known as ProxyLogon, were also used by a group known as\r\nHafnium, according to Microsoft.\r\nThe Zoho vulnerability is also the exact same one that was used to breach the Port of Houston authority last\r\nyear and which was also heavily abused through the fall and winter, according to CISA.\r\nIn the case of the attacks against German companies, the BfV said that the final payload was HyperBro, a malware\r\nstrain seen in attacks as far back as 2018, typically used by APT27, and which can grant the group full control\r\nover infected systems.\r\nhttps://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/\r\nPage 1 of 3\n\nThe BfV reports [PDF, TXT] contains indicators of compromise that both German and non-German organizations\r\nand their security teams could use to set up protective measures.\r\nThe recent report fits in a general trend that has been shaping up in recent years, where Chinese hackers have\r\noften targeted large German companies, from where they are believed to have stolen intellectual property and\r\nother business information.\r\nPast victims include software company TeamViewer, steel producer ThyssenKrupp, pharmaceutical giant Bayer,\r\nand many others.\r\nGerman authorities have warned the local business sector about Chinese cyber-espionage since at least 2018.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/\r\nhttps://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/" ], "report_names": [ "german-government-warns-of-apt27-activity-targeting-local-companies" ], "threat_actors": [ { "id": "7c969685-459b-4c93-a788-74108eab6f47", "created_at": "2023-01-06T13:46:39.189751Z", "updated_at": "2026-04-10T02:00:03.241102Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "Red Dev 13", "Silk Typhoon", "MURKY PANDA", "ATK233", "G0125", "Operation Exchange Marauder" ], "source_name": "MISPGALAXY:HAFNIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2704d770-43b4-4bc4-8a5a-05df87416848", "created_at": "2022-10-25T15:50:23.306305Z", "updated_at": "2026-04-10T02:00:05.296581Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "HAFNIUM", "Operation Exchange Marauder", "Silk Typhoon" ], "source_name": "MITRE:HAFNIUM", "tools": [ "Tarrask", "ASPXSpy", "Impacket", "PsExec", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "529c1ae9-4579-4245-86a6-20f4563a695d", "created_at": "2022-10-25T16:07:23.702006Z", "updated_at": "2026-04-10T02:00:04.71708Z", "deleted_at": null, "main_name": "Hafnium", "aliases": [ "G0125", "Murky Panda", "Red Dev 13", "Silk Typhoon" ], "source_name": "ETDA:Hafnium", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434000, "ts_updated_at": 1775826763, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/56431f3e820e255605aa40ba4927121fff1ddd50.pdf", "text": "https://archive.orkl.eu/56431f3e820e255605aa40ba4927121fff1ddd50.txt", "img": "https://archive.orkl.eu/56431f3e820e255605aa40ba4927121fff1ddd50.jpg" } }