{
	"id": "39607720-4aa9-4fd5-a079-4cf780f35a86",
	"created_at": "2026-04-06T00:16:05.542652Z",
	"updated_at": "2026-04-10T13:12:28.578294Z",
	"deleted_at": null,
	"sha1_hash": "6008e62621febf404aad57f6056b17c545658931",
	"title": "Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8855749,
	"plain_text": "Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New\r\nTTPs to Aggressively Target U.S. Interests, Including Midterm\r\nElections\r\nBy Mandiant\r\nPublished: 2022-10-26 · Archived: 2026-04-05 17:59:31 UTC\r\nWritten by: Mandiant Intelligence\r\nMandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be\r\noperating in support of the political interests of the People’s Republic of China (PRC), aggressively targeting the\r\nUnited States by seeking to sow division both between the U.S. and its allies and within the U.S. political system\r\nitself. Recent narratives include:\r\nClaims that the China-nexus threat group APT41 is instead a U.S. government-backed actor.\r\nAggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans\r\nfrom voting in the 2022 U.S. midterm elections.\r\nAllegations that the U.S. was responsible for the Nord Stream gas pipeline explosions.\r\nDRAGONBRIDGE’s attempts to adapt or apply tactics in novel ways demonstrate a continued interest in\r\nexperimentation and creativity in its efforts to achieve desired objectives. Examples of this include:\r\nNuanced Impersonation of Cyber Actors: The campaign was found impersonating Intrusion Truth, a\r\ngroup known to target China-nexus cyber threat actors, to leverage the outlet’s reputation to promote\r\nDRAGONBRIDGE’s own cyber-related narratives.\r\nPlagiarism and Alteration of News Articles: DRAGONBRIDGE altering news articles to create\r\nfabricated content that falsely attributed APT41 as a U.S. 
government-backed actor, then subsequently\r\npromoting that content across social media, forums, and blogs, demonstrates a more sophisticated\r\nadaptation of the campaign’s earlier use of simple plagiarism.\r\nPersonas Posing as Members of Target Audience: The campaign also expanded its use of personas\r\nposing as Americans by using first-person pronouns, which we observed previously in its targeting of\r\ncommercial companies, to promote politically themed content.\r\nDRAGONBRIDGE’s aggressiveness, prolificacy, and persistence demonstrate the intent and resilience of the\r\nactors behind the campaign. Despite the limited impact of the campaign’s operations, it continues to spend\r\nsignificant resources to pursue and sustain multiple operations simultaneously.\r\nWhile we have previously observed DRAGONBRIDGE themes involving alleged malicious U.S. cyber\r\nactivity, fabrications regarding APT41 as American in origin appear to be an escalation in the degree of\r\nimplied U.S. operations.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/\r\nPage 1 of 9\n\nSimilarly, we have seen DRAGONBRIDGE criticize American society via narratives regarding racial strife\r\nand social injustice. However, its targeting of the U.S. political system through attempts to discourage\r\nAmericans from voting shows a willingness to use increasingly aggressive rhetoric.\r\nAs with DRAGONBRIDGE activity we have previously observed, the campaign continues to fail to garner\r\nsignificant engagement by seemingly real individuals, and its effectiveness remains encumbered by poor\r\nexecution.\r\nAccounts Plagiarized, Altered Mainstream News Articles to Attribute APT41 to\r\nU.S. Government-Backed Actor\r\nMandiant identified what we assess with high confidence to be DRAGONBRIDGE accounts promoting English- and Chinese-language content that falsely attributed APT41 as a U.S. 
government-backed actor (Figure 1).\r\nAccounts plagiarized, altered, and otherwise mischaracterized news reporting and research from Mandiant and\r\nother cybersecurity organizations to support their allegations. Such narratives appear to be a continuation of\r\nthemes alleging malicious U.S. cyber activity that we have seen DRAGONBRIDGE promote since at least April\r\n2022.\r\nDRAGONBRIDGE accounts plagiarized and altered an article published by the Hong Kong-based news\r\noutlet, Sing Tao Daily, regarding a blog post published by Mandiant on APT41 in March 2022 to falsely\r\nallege that the “U.S. hacking group APT41” had compromised the networks of “at least six countries” the\r\nprevious year.\r\nMandiant’s blog post reported on APT41’s compromise of at least six U.S. state government\r\nnetworks. Alterations made to the Sing Tao article included direct replacements of words like\r\n“China” with “U.S.,” “[U.S.] states” with “countries,” and \"Department of Justice\" with \"each\r\ncountry\" (Figure 2).\r\nSimilarly, other accounts plagiarized paragraphs from mainstream news articles regarding research on\r\nAPT41 activity, followed by a paragraph on alleged cyber threat activity by the National Security Agency.\r\nDRAGONBRIDGE also plagiarized and altered a Radio Free Asia news article to promote the claim that in July\r\n2021, the French Government warned against a cyber attack allegedly conducted by the “U.S. hacking group\r\nAPT31.” We note that Mandiant tracks APT31 as a separate China-nexus cyber espionage actor.\r\nFigure 1: DRAGONBRIDGE accounts alleging that various U.S. 
government agencies “developed” or funded\r\nAPT41\r\nFigure 2: DRAGONBRIDGE accounts plagiarized and altered an article published by the Hong Kong-based news\r\noutlet Sing Tao Daily (top) to promote the fabricated narrative that APT41 is a U.S. government-backed actor by\r\nreplacing select words and phrases (bottom)\r\nImpersonation of Intrusion Truth, Group Known to Target China-Nexus Cyber Threat Actors\r\nSuspected DRAGONBRIDGE activity promoting false content related to APT41 and alleging malicious cyber\r\nactivity also includes impersonating Intrusion Truth, a group known for publishing alleged information belonging\r\nto China-nexus cyber threat actors. Specifically, we identified what we assessed with moderate to high confidence,\r\non a per-account basis, to be eight Twitter accounts impersonating Intrusion Truth comprising part of the\r\nDRAGONBRIDGE campaign.\r\nAll eight accounts were created in September and used the same profile photo, display name, and, in some\r\ncases, similar usernames to that of the legitimate Intrusion Truth’s account. The accounts then plagiarized\r\nand occasionally slightly altered tweets from the original Intrusion Truth account to establish backstopped\r\npersonas (Figure 3).\r\nMultiple plagiarized tweets that were originally posted by the group Intrusion Truth contained\r\nmentions of the China-nexus threat actors APT40 and APT17; however, we have not observed\r\nDRAGONBRIDGE promote fabricated content regarding these groups’ attribution.\r\nSubsequently, several of these impersonator accounts promoted content and hashtags similar, or identical\r\nto, other DRAGONBRIDGE messaging on alleged malicious cyber activity. 
Accounts also used the\r\nhashtags #AllRoadsLeadToChengdu or #Chengdu404, which were used by the legitimate Intrusion Truth\r\nregarding APT41.\r\nSeparate DRAGONBRIDGE accounts have also replied to tweets posted by the original Intrusion Truth,\r\nquestioning the veracity of the group’s information while highlighting alleged malicious U.S. cyber\r\nactivities. Such posts demonstrate that DRAGONBRIDGE is aware of and responsive to Intrusion Group\r\nmessaging.\r\nFigure 3: Mastheads of sample DRAGONBRIDGE account (@intrusion_trutl) (top left) impersonating Intrusion\r\nTruth (@intrusion_truth) (top right); sample tweet plagiarized and altered by @intrusion_trutl, changing the\r\nhashtag to #usahacker (bottom left) from @intrusion_truth’s #AllRoadsLeadToChengdu (bottom right)\r\nDRAGONBRIDGE Narratives Attempt to Discredit U.S. Political System,\r\nDemocratic Process\r\nRecently, DRAGONBRIDGE accounts also promoted narratives that appeared intended to discredit and\r\nundermine the U.S. political system. Most notably, in September 2022, DRAGONBRIDGE accounts posted an\r\nEnglish-language video across multiple platforms containing content attempting to discourage Americans from\r\nvoting in the upcoming U.S. midterm elections (Figure 4). The video questioned the efficacy of voting and of U.S.\r\ngovernment institutions more broadly.\r\nThe video asserted that \"the solution to America's ills is not to vote for someone,\" but rather to \"root out\r\nthis ineffective and incapacitated system\" (Figure 5).\r\nNarratives in the video also cast doubt on the productivity of U.S. 
lawmakers and of the legislative process\r\nin having a tangible impact on Americans’ lives.\r\nThe video cited statistics comparing the number of bills in “proposals” to those that became laws, further\r\nquestioning the usefulness of enacted laws, and criticizing components of specific laws to support their\r\narguments.\r\nAdditionally, DRAGONBRIDGE posted content asserting that political infighting, partisanship, polarization, and\r\ndivision had become fundamental aspects of American democracy. The campaign also pointed to frequent\r\nmentions of “civil war” on social media and incidents of politically motivated violence, including confrontations\r\nbetween individuals supporting opposing parties and acts against the FBI, as evidence of the deterioration of the\r\npolitical process and its impending demise. Such messaging is in line with, but seemingly a more aggressive form\r\nof, DRAGONBRIDGE’s previous criticisms of the U.S. and attempts to sow discord and dissatisfaction within\r\nU.S. society. The campaign has earlier promoted content surrounding U.S. domestic political issues, such as\r\neconomic and social disparities.\r\nFigure 4: DRAGONBRIDGE video questioning the efficacy of voting in the U.S. midterm elections\r\nFigure 5: DRAGONBRIDGE video containing an image from the Jan. 6 Capitol riots and asserting that “the\r\nsolution to America’s ills is not to vote for someone,” but rather “to root out this ineffective and incapacitated\r\nsystem”\r\nAllegations of U.S. Sabotage to Nord Stream Gas Pipelines\r\nIn early October 2022, we also observed DRAGONBRIDGE accounts promoting the narrative that the U.S. had\r\n“bombed” the offshore Nord Stream gas pipelines for its own economic benefit, at the expense of its European\r\nand NATO allies (Figure 6). 
The Nord Stream pipelines were built to provide Russian natural gas to the European\r\nmarket via Germany; accounts claimed that the alleged U.S. sabotage was driven by its desire to replace Russia as\r\nEurope’s energy supplier, and that they precluded the possibility of Russian and European reconciliation over\r\nenergy issues. DRAGONBRIDGE also assigned some blame to Poland, while also noting that a Polish politician\r\nposted a tweet stating: “Thank you, USA” following the explosions.\r\nDRAGONBRIDGE’s messaging mirrored Russian President Vladimir Putin’s statements that the U.S. had\r\nsabotaged the pipelines; the campaign has previously echoed narratives promoted by Russian state-owned media\r\nand influence campaigns. Other narratives promoted by DRAGONBRIDGE earlier in the year, such as claiming\r\nthat the U.S. had bullied Europe into enacting sanctions against Russia following the Ukraine invasion, have also\r\nused similar themes. We consider these narratives to be earlier attempts to sow division between the U.S. and its\r\nallies and portray the U.S. as an aggressor, acting in its own self-interest.\r\nFigure 6: DRAGONBRIDGE content alleging that the U.S. “bombed Nord Stream” for its own economic benefit\r\nat the expense of its European and NATO allies\r\nPreviously Identified DRAGONBRIDGE Themes and Patterns of Activity Persist\r\nWe observed newly identified accounts promote the same content as accounts we previously identified as part of\r\nthe campaign; for example, some accounts promoting narratives alleging the U.S.’ engagement in malicious cyber\r\nactivity targeting allies and adversaries alike also promoted narratives targeting Western rare earths mining\r\ncompanies that we reported on earlier this year. 
Promoted content by these new accounts also included\r\nDRAGONBRIDGE’s usual criticism of Chinese businessman Guo Wengui (Miles Kwok) and Chinese virologist\r\nDr. Yan Limeng.\r\nAs with previous DRAGONBRIDGE activity we have identified since we first began tracking this campaign in\r\n2019, we also observed similar indicators of inauthenticity and coordination. This includes:\r\nAccounts' use of profile photos appropriated from various online sources, including stock photography\r\nSuggesting that they sought to obfuscate their identities\r\nClustering of their creation dates\r\nSuggesting possible batch creation\r\nSimilar patterns in usernames consisting of English-language names, followed by seemingly random\r\nnumeric strings\r\nMany accounts posting similar or identical content\r\nOutlook\r\nThe DRAGONBRIDGE campaign has continued to exhibit aggressiveness through both the content of its\r\nnarratives and its willingness to experiment with new tactics to accomplish its aims. DRAGONBRIDGE’s\r\nattempts to mobilize protesters in the U.S. last year, while failing to meet with any apparent success, was one such\r\ndemonstration of the campaign’s boldness and interest in influencing real-world activity; since then, the campaign\r\nhas continued to fail to garner any significant engagement. The campaign’s output also remains prolific as we\r\nhave observed DRAGONBRIDGE activity promoting all of these narratives while tandemly continuing other\r\nactivity, including that targeting Western rare earths companies. 
Such persistence, combined with clear intent and\r\nscale, renders the campaign a priority for monitoring.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/"
	],
	"report_names": [
		"prc-dragonbridge-influence-elections"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6008e62621febf404aad57f6056b17c545658931.pdf",
		"text": "https://archive.orkl.eu/6008e62621febf404aad57f6056b17c545658931.txt",
		"img": "https://archive.orkl.eu/6008e62621febf404aad57f6056b17c545658931.jpg"
	}
}