{
	"id": "c4bcac1f-21bc-4360-af2e-6e6e2f022428",
	"created_at": "2026-04-06T00:15:04.007603Z",
	"updated_at": "2026-04-10T03:36:33.961822Z",
	"deleted_at": null,
	"sha1_hash": "71a6cdf9a7133b7f18c54ae88788fe8d4f2b7798",
	"title": "Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1764306,
	"plain_text": "Targets of Interest | Russian Organizations Increasingly Under Attack By\r\nChinese APTs\r\nBy Tom Hegel\r\nPublished: 2022-07-07 · Archived: 2026-04-05 15:41:11 UTC\r\nExecutive Summary\r\nSentinelLabs has identified a new cluster of threat activity targeting Russian organizations.\r\nWe assess with high-confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber\r\nespionage group, as also recently noted by Ukraine CERT (CERT-UA).\r\nThe attacks use phishing emails to deliver Office documents to exploit targets in order to deliver their RAT of choice,\r\nmost commonly Bisonal.\r\nSentinelLabs has also identified associated activity targeting telecommunication organizations in Pakistan leveraging\r\nsimilar attack techniques.\r\nOverview\r\nOn June 22nd 2022, CERT-UA publicly released Alert #4860, which contains a collection of documents built with the Royal\r\nRoad malicious document builder, themed around Russian government interests. SentinelLabs has conducted further\r\nanalysis of CERT-UA’s findings and has identified supplemental Chinese threat activity.\r\nChina’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of\r\nUkraine, such as Scarab, Mustang Panda, ‘Space Pirates’, and now the findings here. Our analysis indicates this is a separate\r\nChinese campaign, but specific actor attribution is unclear at this time.\r\nWhile the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese\r\nintelligence apparatus is targeting a wide range of Russian-linked organizations. 
Our findings currently offer only an incomplete picture of this threat cluster’s phishing activity, but they serve to provide perspective into an attacker’s ongoing operational objectives and a framework for our ongoing research.\r\nMalicious Documents Targeting Russia\r\nOn June 22nd, Ukraine’s CERT-UA reported several RTF documents containing malicious code exploiting one or more vulnerabilities in MS Office. CERT-UA assessed that the documents, “Vnimaniyu.doc”, “17.06.2022_Protokol_MRG_Podgruppa_IB.doc”, and “remarks table 20.06.2022_obraza”, were likely built with the Royal Road builder and dropped the Bisonal backdoor. Royal Road is a malicious document builder used widely by Chinese APT groups, while Bisonal is a backdoor RAT unique to Chinese threat actors.\r\nThe CERT-UA advisory followed public reporting by our colleagues from nao_sec and Malwarebytes, who identified some of the first indicators and shared related samples and C2 servers. Building off this initial intelligence, SentinelLabs discovered a further related cluster of activity.\r\nhttps://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/\r\nPage 1 of 6\n\nTimeline of Royal Road Malicious Documents\r\nAs we have observed over the years, Royal Road documents follow content themes relevant to their targets. 
Following that practice, it’s reasonable to assume that the targets in this recent cluster of activity are likely Russian government organizations.\r\nOne example of this cluster (f599ed4ecb6c61ef2f2692d1a083e3bb040f95e6) is a fake document mimicking a RU-CERT memo on increased phishing attacks.\r\nMalicious document mimicking RU-CERT\r\nMalicious document mimicking RU-CERT (Translated)\r\nAnother example is themed around telecommunication organizations (415ce2db3957294d73fa832ed844940735120bae).\r\nMalicious Document – Russia Telecom Theme – “Пояснительная записка к ЗНИ.doc”\r\nMalicious Document – Russia Telecom Theme – “Пояснительная записка к ЗНИ.doc” (Translated)\r\nThe example documents shown above both exploit CVE-2018-0798, a remote code execution vulnerability in Microsoft Office, to install the embedded malware.\r\nAttribution to Chinese Threat Groups\r\nThe collection of files and infrastructure noted above could be considered related to the Tonto Team APT group (aka “CactusPete”, “Earth Akhlut”), a Chinese threat group that has been reported on for nearly ten years. However, we assess that link with only medium confidence due to the potential for shared attacker resources that could muddy attribution based on the currently available data. Tonto Team’s known targets span the globe, with a particular interest in Northeast Asia, including governments, critical infrastructure, and other private businesses.\r\nThe attacker continues their long history of Russian targeting; however, the rate of Russian and Russia-relevant targets in recent weeks may indicate increased prioritization.\r\nThere are multiple connections of this activity to Chinese threat actors. 
As noted above, the documents are built with a commonly known malicious document builder used widely by Chinese APT groups, the shared toolkit often referred to as the “Royal Road” or the “8.t” builder.\r\nThese documents often contain metadata indicating the document creator’s operating system was using simplified Chinese, a trait we observed in our previous analysis of Scarab APT activity.\r\nThe malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which, as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection-evasion techniques, and maintaining generally unrestricted system control.\r\nAdditionally, the collection of C2 infrastructure associated with these various samples falls under a larger umbrella of known Chinese APT activity.\r\nRelated Activity of Interest\r\nIt’s also worth noting that there are still ongoing related attacks focused on non-Russian organizations, such as those against Pakistan.\r\nFor example, one file uploaded to VirusTotal (91ca78231bcacab0d5e6194041817b96252e65bf) from Pakistan is a May 2022 email message file to the Pakistan Telecommunication Authority, sent from a potentially compromised account in the Cabinet Division of the Pakistani government. 
This email contains the Royal Road attachment “Please help to Check.doc” (f444ff2386cd3ada204c3224463f4be310e5554a), dropping 85fac143c52e26c22562b0aaa80ffe649640bd29 and beaconing outbound to instructor.giize[.]com (198.13.56[.]122).\r\nPhishing email containing malicious document\r\nConclusion\r\nWe assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods: the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility.\r\nIndicators of Compromise\r\nIOC  Description\r\nf599ed4ecb6c61ef2f2692d1a083e3bb040f95e6  6/21/2022 Royal Road Document “Вниманию.doc”\r\ncb8eb16d94fd9242baf90abd1ef1a5510edd2996  6/16/2022 Royal Road Document “Вниманию.doc”\r\n41ebc0b36e3e3f16b0a0565f42b0286dd367a352  6/15/2022 (Estimate) Royal Road Document “Анкетирование Агентства по делам государственной службы.rtf”\r\n2abf70f69a289cc99adb5351444a1bd23fd97384  6/20/2022 Royal Road Document “17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc”\r\nsupportteam.lingrevelat[.]com  C2 Domain\r\nupportteam.lingrevelat[.]com  C2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996\r\n2b7975e6b1e9b72e9eb06989e5a8b1f6fd9ce027  6/21/2022 Royal Road Document “О_формировании_проекта_ПНС_2022_файл_отображен.doc”\r\na501fec38f4aca1a57393b6e39a52807a7f071a4  6/21/2022 Royal Road Document “замечания таблица 20.06.2022.doc”\r\n415ce2db3957294d73fa832ed844940735120bae  6/23/2022 Royal Road Document “Пояснительная записка к ЗНИ.doc”\r\nnews.wooordhunts[.]com  C2 Domain for 415ce2db3957294d73fa832ed844940735120bae\r\n137.220.176[.]165  IP resolved for C2 domains news.wooordhunts[.]com, supportteam.lingrevelat[.]com, and upportteam.lingrevelat[.]com\r\n1c848911e6439c14ecc98f2903fc1aea63479a9f  6/23/2022 Royal Road Document “РЭН 2022.doc”\r\n91ca78231bcacab0d5e6194041817b96252e65bf  5/12/2022 Phishing Email File\r\nf444ff2386cd3ada204c3224463f4be310e5554a  5/12/2022 Royal Road Document “Please help to Check.doc”\r\ninstructor.giize[.]com  C2 Server for f444ff2386cd3ada204c3224463f4be310e5554a\r\nSource: https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/"
	],
	"report_names": [
		"targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts"
	],
	"threat_actors": [
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71a6cdf9a7133b7f18c54ae88788fe8d4f2b7798.pdf",
		"text": "https://archive.orkl.eu/71a6cdf9a7133b7f18c54ae88788fe8d4f2b7798.txt",
		"img": "https://archive.orkl.eu/71a6cdf9a7133b7f18c54ae88788fe8d4f2b7798.jpg"
	}
}