{
	"id": "c0072244-474c-4011-b4fd-676da11f59eb",
	"created_at": "2026-04-06T00:21:24.983092Z",
	"updated_at": "2026-04-10T13:12:25.287918Z",
	"deleted_at": null,
	"sha1_hash": "622129f2454dad1a99932a902170da68cd55526e",
	"title": "Chinese Cyber-Espionage Group Hacked Government Data Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1775025,
	"plain_text": "Chinese Cyber-Espionage Group Hacked Government Data Center\r\nBy Catalin Cimpanu\r\nPublished: 2018-06-15 · Archived: 2026-04-05 13:06:15 UTC\r\nA Chinese-linked cyber-espionage unit has hacked a data center belonging to a Central Asian country and has embedded malicious code on government sites.\r\nThe hack of the data center happened sometime in mid-November 2017, according to a report published by Kaspersky Lab earlier this week.\r\nExperts assigned the codename LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger [1, 2, 3, 4, 5].\r\nhttps://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/\r\nHackers redirected visitors of government sites to malware\r\nKaspersky researchers say LuckyMouse used its access to the data center to add JavaScript code to government sites, which redirected users to malicious sites hosting exploitation tools such as ScanBox and BeEF (Browser Exploitation Framework).\r\nOn these sites, the tools would attempt to infect users with HyperBro, a remote access trojan that operated \"in memory,\" leaving minimal traces on disk that antivirus solutions could identify.\r\nResearchers say they found evidence of this end-user infection campaign taking place from December 2017 to January 2018.\r\nKaspersky didn't name the Central Asian country, but it did say LuckyMouse had targeted it in previous campaigns.\r\nThe Russian antivirus vendor also didn't say how the hackers breached the data center hosting the government sites, as it didn't have enough evidence to formulate a conclusion.\r\nLuckyMouse hacked a MikroTik router to host their C\u0026C server\r\nAnother detail that stood out was that LuckyMouse appears to have hacked a MikroTik router to host the command and control server of the HyperBro RAT. The attackers would use this router to control infected victims and retrieve data from them, putting an additional layer of anonymity between themselves, the victims, and forensic investigators.\r\nThis is not the first time nation-state hackers have used routers as part of their attack infrastructure, a trend that has become very popular recently (let's not forget VPNFilter), but it is the first time they have hosted a C\u0026C server on one.\r\n\"The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites,\" Kaspersky expert Denis Legezo explained. \"Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign.\"\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/"
	],
	"report_names": [
		"chinese-cyber-espionage-group-hacked-government-data-center"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/622129f2454dad1a99932a902170da68cd55526e.pdf",
		"text": "https://archive.orkl.eu/622129f2454dad1a99932a902170da68cd55526e.txt",
		"img": "https://archive.orkl.eu/622129f2454dad1a99932a902170da68cd55526e.jpg"
	}
}