{ "id": "d81d1e34-208d-48b3-9de0-e50dab8c7574", "created_at": "2026-04-06T00:13:20.970618Z", "updated_at": "2026-04-10T03:37:58.694161Z", "deleted_at": null, "sha1_hash": "57320fe25634e4be00de00cdc22c7bd947205685", "title": "APT 17, Deputy Dog, Elderwood, Sneaky Panda", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 80309, "plain_text": "APT 17, Deputy Dog, Elderwood, Sneaky Panda\r\nArchived: 2026-04-05 18:48:38 UTC\r\nHome \u003e List all groups \u003e APT 17, Deputy Dog, Elderwood, Sneaky Panda\r\n APT group: APT 17, Deputy Dog, Elderwood, Sneaky Panda\r\nNames\r\nAPT 17 (Mandiant)\r\nTailgater Team (Symantec)\r\nElderwood (Symantec)\r\nElderwood Gang (Symantec)\r\nSneaky Panda (CrowdStrike)\r\nSIG22 (NSA)\r\nBeijing Group (SecureWorks)\r\nBronze Keystone (SecureWorks)\r\nTG-8153 (SecureWorks)\r\nTEMP.Avengers (FireEye)\r\nDogfish (iDefense)\r\nDeputy Dog (iDefense)\r\nATK 2 (Thales)\r\nG0025 (MITRE)\r\nG0066 (MITRE)\r\nCountry China\r\nSponsor State-sponsored, Jinan bureau of the Chinese Ministry of State Security\r\nMotivation Information theft and espionage\r\nFirst seen 2009\r\nDescription (Symantec) In 2009, Google was attacked by a group using the Hydraq (Aurora) Trojan horse.\r\nSymantec has monitored this group’s activities for the last three years as they have consistently\r\ntargeted a number of industries. Interesting highlights in their method of operations include: the\r\nuse of seemingly an unlimited number of zero-day exploits, attacks on supply chain manufacturers\r\nwho service the target organization, and a shift to “watering hole” attacks (compromising certain\r\nwebsites likely to be visited by the target organization). The targeted industry sectors include, but\r\nare not restricted to; defense, various defense supply chain manufacturers, human rights and non-governmental organizations (NGOs), and IT service providers. These attackers are systematic and\r\nre-use components of an infrastructure we have termed the “Elderwood platform”. The name\r\n“Elderwood” comes from a source code variable used by the attackers. This attack platform\r\nenables them to quickly deploy zero-day exploits. Attacks are deployed through spear phishing\r\nemails and also, increasingly, through Web injections in watering hole attacks.\r\nIt is likely the attackers have gained access to the source code for some widely used applications,\r\nor have thoroughly reverse-engineered the compiled applications in order to discover these\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385\r\nPage 1 of 3\n\nvulnerabilities. The vulnerabilities are used as needed, often within close succession of each other\nif exposure of any of the vulnerabilities is imminent. The scale of the attacks, in terms of the\nnumber of victims and the duration of the attacks, are another indication of the resources available\nto the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering\nof intelligence and intellectual property. The resources required to identify and acquire useful\ninformation—let alone analyze that information—could only be provided by a large criminal\norganization, attackers supported by a nation state, or a nation state itself.\nThis group appears to be closely associated with Hidden Lynx, Aurora Panda and has\ninfrastructure overlap with RedAlpha.\nCould also be related to Axiom, Group 72.\nObserved\nSectors: Defense, Education, Energy, Financial, Government, High-Tech, IT, Media, Mining,\nNGOs and lawyers.\nCountries: Belgium, China, Germany, Indonesia, Italy, Japan, Netherlands, Switzerland, Russia,\nUK, USA.\nTools used\n9002 RAT, BlackCoffee, Briba, Comfoo, DeputyDog, Gh0st RAT, HiKit, Jumpall, Linfo, Naid,\nNerex, Pasam, Poison Ivy, PlugX, Vasport, Wiarp, ZoxRPC and several 0-days for IE.\nOperations performed\n2009\nOperation Aurora\nFirst publicly disclosed by Google on January 12, 2010, in a blog post, the attacks\nbegan in mid-2009 and continued through December 2009.\nThe attack has been aimed at dozens of other organizations, of which Adobe\nSystems, Juniper Networks and Rackspace have publicly confirmed that they were\ntargeted. According to media reports, Yahoo, Symantec, Northrop Grumman,\nMorgan Stanley and Dow Chemical were also among the targets.\nNov 2010\nVisitors to Amnesty International's Hong Kong website are being bombarded with a\nhost of lethal exploits, including one that attacks an unpatched vulnerability in\nMicrosoft's Internet Explorer browser, researchers at security firm Websense said.\nMay 2012\nAmnesty International UK's website was hacked early this week in an assault\nultimately geared towards planting malware onto the PCs of visiting surfers.\nJul 2012\nBreach of Bit9\nBit9, a company that provides software and network security services to the U.S.\ngovernment and at least 30 Fortune 100 firms, has suffered an electronic\ncompromise that cuts to the core of its business: helping clients distinguish known\n“safe” files from computer viruses and other malicious software.\nAug 2013 Operation “DeputyDog”\nTarget: Organizations in Japan\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385\nPage 2 of 3\n\nMethod: Campaign leveraging the then recently announced zero-day CVE-2013-\n3893.\nNov 2013\nOperation “Ephemeral Hydra”\nMethod: Inserting a zero-day exploit into a strategically important website, known to\ndraw visitors that are likely interested in national and international security policy.\nLate 2014\nFireEye Threat Intelligence and Microsoft Threat Intelligence Center discovered a\nChina-based threat group dubbed APT17 using Microsoft’s TechNet blog for its\nCommand-and-Control (CnC) operation.\nAug 2017\nOperation “RAT Cook”\nMethod: Spear-phishing attack using a Game of Thrones lure.\nSep 2017\nCcleaner supply-chain attack\nTalos recently observed a case where the download servers used by software vendor\nto distribute a legitimate software package were leveraged to deliver malware to\nunsuspecting victims. For a period of time, the legitimate signed version of Ccleaner\n5.33 being distributed by Avast also contained a multi-stage malware payload that\nrode on top of the installation of Ccleaner.\nJun 2024\nItalian government agencies and companies in the target of a Chinese APT\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385" ], "report_names": [ "showcard.cgi?u=58f101e3-5fe8-43d4-8d92-f09987604385" ], "threat_actors": [ { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9", "created_at": "2022-10-25T16:07:23.708745Z", "updated_at": "2026-04-10T02:00:04.720108Z", "deleted_at": null, "main_name": "Hidden Lynx", "aliases": [ "Aurora Panda", "Group 8", "Heart Typhoon", "Hidden Lynx", "Operation SMN" ], "source_name": "ETDA:Hidden Lynx", "tools": [ "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "BlackCoffee", "HiKit", "MCRAT.A", "Mdmbot.E", "Moudoor", "Naid", "PNGRAT", "Trojan.Naid", "ZoxPNG", "gresim" ], "source_id": "ETDA", "reports": null }, { "id": "a339e456-3f5a-40e9-b293-233281105e85", "created_at": "2022-10-25T15:50:23.260847Z", "updated_at": "2026-04-10T02:00:05.248583Z", "deleted_at": null, "main_name": "Elderwood", "aliases": [ "Elderwood", "Elderwood Gang", "Beijing Group", "Sneaky Panda" ], "source_name": "MITRE:Elderwood", "tools": [ "PoisonIvy", "Naid", "Briba", "Hydraq", "Linfo", "Nerex", "Vasport", "Wiarp", "Pasam" ], "source_id": "MITRE", "reports": null }, { "id": "9381a9dc-8d8e-453a-9fe5-301136ff0f83", "created_at": "2023-01-06T13:46:38.775762Z", "updated_at": "2026-04-10T02:00:03.096032Z", "deleted_at": null, "main_name": "RedAlpha", "aliases": [ "DeepCliff", "Red Dev 3" ], "source_name": "MISPGALAXY:RedAlpha", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cc8271a3-471f-4b8c-9da6-7d50f8ccabaa", "created_at": "2022-10-25T16:07:24.107066Z", "updated_at": "2026-04-10T02:00:04.868213Z", "deleted_at": null, "main_name": "RedAlpha", "aliases": [ "DeepCliff", "Red Dev 3" ], "source_name": "ETDA:RedAlpha", "tools": [ "AngryRebel", "Bladabindi", "FF-RAT", "Farfli", "FormerFirstRAT", "Gh0st RAT", "Ghost RAT", "Jorik", "Moudour", "Mydoor", "NetHelp Infostealer", "NetHelp Striker", "PCRat", "RedAlpha", "ffrat", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "57d2c58d-0445-441f-b94f-99d217b9e3c4", "created_at": "2023-01-06T13:46:38.327743Z", "updated_at": "2026-04-10T02:00:02.930027Z", "deleted_at": null, "main_name": "Beijing Group", "aliases": [ "Elderwood", "Elderwood Gang", "SIG22", "G0066", "SNEAKY PANDA" ], "source_name": "MISPGALAXY:Beijing Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86fd71d3-06dc-4b73-b038-cedea7b83bac", "created_at": "2022-10-25T16:07:23.330793Z", "updated_at": "2026-04-10T02:00:04.545236Z", "deleted_at": null, "main_name": "APT 17", "aliases": [ "APT 17", "ATK 2", "Beijing Group", "Bronze Keystone", "Deputy Dog", "Elderwood", "Elderwood Gang", "G0025", "G0066", "Operation Aurora", "Operation DeputyDog", "Operation Ephemeral Hydra", "Operation RAT Cook", "SIG22", "Sneaky Panda", "TEMP.Avengers", "TG-8153", "Tailgater Team" ], "source_name": "ETDA:APT 17", "tools": [ "9002 RAT", "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "Agent.dhwf", "AngryRebel", "BlackCoffee", "Briba", "Chymine", "Comfoo", "Comfoo RAT", "Darkmoon", "DeputyDog", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Jumpall", "Kaba", "Korplug", "Linfo", "MCRAT.A", "McRAT", "MdmBot", "Mdmbot.E", "Moudour", "Mydoor", "Naid", "Nerex", "PCRat", "PNGRAT", "Pasam", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Naid", "Vasport", "Wiarp", "Xamtrav", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434400, "ts_updated_at": 1775792278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/57320fe25634e4be00de00cdc22c7bd947205685.pdf", "text": "https://archive.orkl.eu/57320fe25634e4be00de00cdc22c7bd947205685.txt", "img": "https://archive.orkl.eu/57320fe25634e4be00de00cdc22c7bd947205685.jpg" } }