{
	"id": "869c5f6b-7824-4cc9-bca3-0b2f99cbd1b9",
	"created_at": "2026-04-06T00:13:48.546021Z",
	"updated_at": "2026-04-10T03:32:09.459616Z",
	"deleted_at": null,
	"sha1_hash": "663f055c95919a03a2af0b694b76ddf23febb2d3",
	"title": "These hackers have spent months hiding out in company networks undetected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56373,
	"plain_text": "These hackers have spent months hiding out in company networks\r\nundetected\r\nBy Danny Palmer\r\nPublished: 2020-09-29 · Archived: 2026-04-05 23:46:17 UTC\r\nA cyber-espionage campaign is using new malware to infiltrate targets around the world including organisations in\r\nmedia, finance, construction and engineering.\r\nDetailed by cybersecurity company Symantec, the attacks against organisations in the US, Japan, Taiwan and\r\nChina are being conducted with the aim of stealing information and have been linked to an espionage group known\r\nas Palmerworm – aka BlackTech – which has a history of campaigns going back to 2013.\r\nThe addition of a US target to this campaign suggests the group is expanding campaigns to embrace a wider, more\r\ngeographically diverse set of targets in their quest to steal information – although the full motivations remain\r\nunclear.\r\nIn some cases, Palmerworm maintained a presence on compromised networks for a year or more, often with the\r\naid of 'living-off-the-land' tactics that take advantage of legitimate software and tools, so as to not raise suspicion\r\nthat something might be wrong – and thus creating less evidence that can be used to trace the origin of the\r\nattack.\r\nResearchers haven't been able to determine how hackers gain access to the network in this latest round of\r\nPalmerworm attacks, but previous campaigns have deployed spear-phishing emails to compromise victims.\r\nHowever, it's known that deployment of the malware uses custom loaders and network-reconnaissance tools\r\nsimilar to previous Palmerworm campaigns, leaving researchers \"reasonably confident\" it's the same group behind\r\nthese attacks.\r\nPalmerworm's malware also uses stolen code-signing certificates in the payloads in order to make them look more\r\nlegitimate and more difficult for security software to detect. 
This tactic is also known to have been deployed by\r\nthe group previously.\r\nThe trojan malware provides attackers with a secret backdoor into the network and that access is maintained with\r\nthe use of several legitimate tools including PSExec and SNScan, which are exploited to move around the network\r\nundetected. Meanwhile, WinRar is used to compress files, making them easier for the attackers to extract from the\r\nnetwork.\r\n\"The group is savvy enough to move with the times and follow the trend of using publicly available tools where\r\nthey can in order to minimise the risk of discovery and attribution,\" said Dick O'Brien, principal on the threat\r\nhttps://www.zdnet.com/article/these-hackers-have-spent-months-hiding-out-in-company-networks-undetected/\r\nPage 1 of 2\n\nhunter team at Symantec. \"Like many state sponsored attackers, they seem to be minimising the use of custom\r\nmalware, deploying it only when necessary.\"\r\nOrganisations Symantec have identified as victims of Palmerworm include a media company and a finance\r\ncompany in Taiwan, a construction firm in China and a company in the US; in each case, attackers spent months\r\nsecretly accessing the compromised networks. Shorter compromises of just a few days were detected on the\r\nnetworks of an electronics company in Taiwan and an engineering company in Japan.\r\nSymantec haven't attributed Palmerworm to any particular group, but Taiwanese officials have previously claimed\r\nthat the attacks can be linked back to China. 
If that is the case, it suggests that Chinese hackers have targeted a\r\nChinese company as part of the campaign – although researchers wouldn't be drawn on the potential implications\r\nof this.\r\nHowever, what is certain is that whoever Palmerworm is working on behalf of, the group is unlikely to have\r\nceased operations and will remain a threat.\r\n\"Given how recent some of the activity is, we consider them still active. The level of retooling we've seen, with\r\nfour new pieces of custom malware, is significant and suggests a group with a busy agenda,\" said O'Brien.\r\nWhile the nature of advanced hacking campaigns means they can be difficult to identify and defend against,\r\norganisations can go a long way to protecting themselves by having a clear view of their network and knowledge\r\nof what usual and unusual activity looks like – and blocking suspicious activity if necessary.\r\n\"Most espionage-type attacks are not a single event. They are a long chain of events where the attackers use one\r\ntool to perform one task, another tool to perform the next task, and then hop from one computer to another and so\r\non,\" said O'Brien.\r\n\"There are lots of steps the attacker has to take to get to where they want to go and do whatever they want to do.\r\nEach individual step is an opportunity for it to be detected, disrupted and even blocked. And what you'd hope is\r\nthat, if they aren't detected during one step in that chain, they will be detected in the next,\" he added.\r\nSource: https://www.zdnet.com/article/these-hackers-have-spent-months-hiding-out-in-company-networks-undetected/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/these-hackers-have-spent-months-hiding-out-in-company-networks-undetected/"
	],
	"report_names": [
		"these-hackers-have-spent-months-hiding-out-in-company-networks-undetected"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/663f055c95919a03a2af0b694b76ddf23febb2d3.pdf",
		"text": "https://archive.orkl.eu/663f055c95919a03a2af0b694b76ddf23febb2d3.txt",
		"img": "https://archive.orkl.eu/663f055c95919a03a2af0b694b76ddf23febb2d3.jpg"
	}
}