{
	"id": "574c4ae6-2a1d-4fdd-b49b-4f19a909ea28",
	"created_at": "2026-04-06T00:19:42.831709Z",
	"updated_at": "2026-04-10T13:11:53.704086Z",
	"deleted_at": null,
	"sha1_hash": "7702289fd8aca1ad8dbc3e9c536a03821fe61b65",
	"title": "UNC215: Spotlight on a Chinese Espionage Campaign in Israel | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2335094,
	"plain_text": "UNC215: Spotlight on a Chinese Espionage Campaign in Israel |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2021-08-10 · Archived: 2026-04-05 15:35:33 UTC\r\nWritten by: Israel Research Team, U.S. Threat Intel Team\r\nThis blog post details the post-compromise tradecraft and operational tactics, techniques, and procedures (TTPs)\r\nof a Chinese espionage group we track as UNC215. While UNC215’s targets are located throughout the Middle\r\nEast, Europe, Asia, and North America, this report focuses on intrusion activity primarily observed at Israeli\r\nentities.\r\nThis report comes on the heels of the July 19, 2021, announcements by governments in North America, Europe,\r\nand Asia and intragovernmental organizations, such as the North Atlantic Treaty Organization (NATO), and the\r\nEuropean Union, condemning widespread cyber espionage conducted on behalf of the Chinese Government.\r\nThese coordinated statements attributing sustained cyber espionage activities to the Chinese Government\r\ncorroborate our long-standing reporting on Chinese threat actor targeting of private companies, governments, and\r\nvarious organizations around the world, and this blog post shows yet another region where Chinese cyber\r\nespionage is active.\r\nThreat Detail\r\nIn early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage\r\ngroup UNC215. These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web\r\nshells and FOCUSFJORD payloads at targets in the Middle East and Central Asia. There are targeting and high-level\r\ntechnique overlaps between UNC215 and APT27, but we do not have sufficient evidence to say that the\r\nsame actor is responsible for both sets of activity. 
APT27 has not been seen since 2015, and UNC215 is targeting\r\nmany of the regions that APT27 previously focused on; however, we have not seen direct connection or shared\r\ntools, so we are only able to assess this link with low confidence.\r\nIn addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense\r\nagencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent\r\noperations against Israeli government institutions, IT providers and telecommunications entities beginning in\r\nJanuary 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational\r\nsecurity, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is\r\nstill active in the region.\r\nAttack Lifecycle\r\nhttps://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel\r\nPage 1 of 13\n\nBetween 2019 and 2020, Mandiant responded to several incidents where Microsoft SharePoint vulnerability CVE-2019-0604 was used to deliver web shells, and then FOCUSFJORD payloads to select government and academic\r\ntargets in the Middle East and Central Asia.\r\nAfter gaining initial access, the operators conduct credential harvesting and extensive internal network\r\nreconnaissance. This includes running native Windows commands on compromised servers, executing ADFind on\r\nthe Active Directory, and scanning the internal network with numerous publicly available tools and a non-public\r\nscanner we named WHEATSCAN. The operators made a consistent effort to delete these tools and remove any\r\nresidual forensic artifacts from compromised systems.\r\nIn another incident response investigation, UNC215 pivoted to multiple OWA servers and installed web shells. 
In\r\nthe following days, the operators interacted with these web shells from internal IP addresses, attempting to harvest\r\ncredentials.\r\nAfter identifying key systems within the target network, such as domain controllers and Exchange servers,\r\nUNC215 moved laterally and deployed their signature malware FOCUSFJORD. UNC215 often uses\r\nFOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more\r\ninformation collection capabilities such as screen capture and keylogging. While UNC215 heavily relies on the\r\ncustom tools FOCUSFJORD and HYPERBRO, Chinese espionage groups often have resource sharing\r\nrelationships with other groups, and we do not have enough information to determine if these tools are developed\r\nand used exclusively by UNC215.\r\nFigure 1: Attack Lifecycle\r\nTradecraft and Operational Security\r\nWe identified numerous examples of efforts by UNC215 to foil network defenders by minimizing forensic\r\nevidence left on compromised hosts, exploiting relationships with trusted third parties, continuously improving the\r\nFOCUSFJORD backdoor, concealing command and control (C2) infrastructure, and incorporating false flags.\r\nReducing Forensic Evidence on Disk\r\nUNC215 consistently cleaned up evidence of their intrusion after gaining access to a system. This type of action\r\ncan make it more difficult for incident responders to reconstruct what happened during a compromise.\r\nThe operators deleted tools used for credential harvesting and internal reconnaissance including a custom\r\nscanner dubbed WHEATSCAN after use.\r\nThe first FOCUSFJORD payload delivered to a system contains a blob that includes C2 and other\r\nconfiguration data. 
On initial execution, FOCUSFJORD writes its encrypted C2 configuration into the\r\nsystem’s registry, sets up a persistence mechanism and then rewrites itself on disk without the embedded\r\nconfiguration and with limited functionality to only read configuration data. This process enables the\r\noperators to obfuscate the configured C2 servers from automated sandbox runs or disclosure in public file\r\nscanning services.\r\nA newly identified utility dubbed FJORDOHELPER can update FOCUSFJORD configurations and\r\ncompletely remove FOCUSFJORD from the system. The tool can be deployed and executed remotely to\r\ndelete any remaining FOCUSFJORD forensic evidence, including files on disk, configuration data\r\nencrypted in the registry, and related services and registry keys used for persistence.\r\nExploiting Trust Relationships\r\nUNC215 leveraged trusted third parties in a 2019 operation targeting an Israeli government network. As illustrated\r\nin Figure 2, the operators were able to access their primary target via RDP connections from a trusted third party\r\nusing stolen credentials and used this access to deploy and remotely execute FOCUSFJORD on their primary\r\ntarget.\r\nFigure 2: Two FOCUSFJORD samples configured to proxy C2 traffic\r\nConcealing C2 Infrastructure\r\nUNC215 made technical modifications to their tools to limit outbound network traffic and used other victim\r\nnetworks to proxy their C2 instructions, likely to minimize the risk of detection and blend in with normal network\r\ntraffic. The following are examples of HYPERBRO and FOCUSFJORD samples capable of acting as proxies to\r\nrelay communications to their C2 servers. 
We do not have enough context about the following samples to attribute\r\nall of them to UNC215, though they are representative of activity we have seen from the group.\r\nHYPERBRO samples MD5: 0ec4d0a477ba21bda9a96d8f360a6848 and MD5:\r\n04dece2662f648f619d9c0377a7ba7c0 have embedded configurations of internal IP addresses\r\n(192.168.1.237 and 192.168.4.26 respectively) as C2 servers. If they receive a command with an IP address\r\nand port, they will connect and relay the command.\r\nFOCUSFJORD sample MD5: e3e1b386cdc5f4bb2ba419eb69b1b921 has an internal IP address,\r\n192.168.4.197, configured as its C2. This sample was extracted from MD5:\r\nc25e8e4a2d5314ea55afd09845b3e886, which was submitted to a public malware repository in December\r\n2017.\r\nWhile hunting for FOCUSFJORD samples, we found a sample of a new malware (MD5:\r\n625dd9048e3289f19670896cf5bca7d8) that shares code with FOCUSFJORD, but is distinct. However, analysis\r\nindicates that it only contains functions to relay communications between another FOCUSFJORD instance and a\r\nC2 server (Figure 2, Network A). We suspect this type of malware was used in the aforementioned operation. The\r\nactors stripped out unnecessary FOCUSFJORD capabilities, possibly to reduce the likelihood it would be detected\r\nby security controls. Figure 3 contains the data structure as it is being sent from a FOCUSFJORD sample\r\nconfigured to communicate with another FOCUSFJORD victim.\r\nFigure 3: Two FOCUSFJORD samples configured to proxy C2 traffic\r\nFOCUSFJORD Changes\r\nWe have observed numerous variants of the FOCUSFJORD malware family since 2017. The authors have added\r\nnew communications protocols, an updated loading mechanism, and expanded the number of supported\r\nconfigurations in newer versions. 
Version numbers indicate that the malware undergoes frequent changes and\r\nmay be supported by a team of developers. Many of these variants contain or remove functionality depending on\r\nthe operator’s unique requirements at the time, which may suggest that multiple operators have access to the\r\nsource code or a builder, or that a close relationship exists between the developers and operators.\r\nFOCUSFJORD samples can be configured with up to 13 unique registry values which allow operators to control\r\nand organize compromised hosts. In addition to specifying details related to the loading and persistence\r\nmechanisms and C2 communications, there are two keys which allow the operator to add additional context about\r\nthe victim:\r\nRegistry key 12 is the “group” name. When a new FOCUSFJORD sample is first executed and writes its\r\nconfiguration to registry, this value is set to “default” and is later manually changed by the actor, usually to\r\nthe victim’s domain name or organization name.\r\nRegistry key 13 could be interpreted as the “console” name, although we do not fully understand how the\r\nidentifier is used by the operators. We have observed the values “galway”, “iceland”, “helen”, and\r\n“idapro”.\r\nIt is not clear how or if UNC215 uses these configuration parameters to organize and track large numbers of\r\ncompromised hosts. We observed different console values within the same network, identical console values using\r\ndifferent C2 addresses, and identical console values targeting different countries. 
Some FOCUSFJORD samples\r\nfrom 2018 and 2020 use the same console values despite the significant gap in time (See Table 1).\r\nThe NCC Group discussed these configurations in a 2018 report and released a decoding tool.\r\nTrend Micro noted changes to supported configurations in FOCUSFJORD, dubbed SysUpdate, in their 2020\r\nand 2021 reports following public disclosures. This suggests that operators using FOCUSFJORD are\r\nsensitive to security vendor reports and will update the code to avoid detection and exposure.\r\nRegistry Key 13 FOCUSFJORD MD5 Hash Related C2 Suspected Target\r\nhelen 3d95e1c94bd528909308b198f3d47620 139.59.81.253 Israel\r\nhelen f335b241652cb7f7e736202f14eb48e9 139.59.81.253 Israel\r\nhelen a0b2193362152053671dbe5033771758 139.59.81.253 Israel\r\nhelen 6a9a4da3f7b2075984f79f67e4eb2f28 139.59.81.253 Kazakhstan\r\nhelen a19370b97fe64ca6a0c202524af35a30 159.89.168.83 Iran\r\nhelen 3c1981991cce3b329902288bb2354728 103.59.144.183 Unknown\r\niceland 26d079e3afb08af0ac4c6d92fd221e71 178.79.177.69 UAE\r\niceland 19c46d01685c463f21ef200e81cb1cf1 138.68.154.133 UAE\r\niceland 28ce8dbdd2b7dfd123cebbfff263882c 138.68.154.133 Unknown\r\niceland a78c53351e23d3f84267e67bbca6cf07 206.189.123.156 Israel (Gov), UAE\r\niceland a78c53351e23d3f84267e67bbca6cf07 206.189.123.156 Israel (IT)\r\nidapro a78c53351e23d3f84267e67bbca6cf07 206.189.123.156 Israel (IT)\r\ngalway 04c51909fc65304d907b7cb6c92572cd 159.65.80.157 Unknown\r\ngalway 0e061265c0b5998088443628c03188f0 159.65.80.157 Unknown\r\ngalway 09ffc31a432f646ebcec59d32f286317 159.65.80.157 Unknown\r\ngalway 6ca8993b341bd90a730faef1fb73958b 128.199.44.86 Unknown\r\nHelen * Unknown 46.101.255.16 Iran\r\nHelen * Unknown 178.79.143.78 Iran\r\nIdapro * Unknown 138.68.154.133 Iran\r\nTable 1: FOCUSFJORD comparison (note: the * entries are from public reporting and have not been verified by\r\nMandiant)\r\nFalse 
Flags\r\nArtifacts in UNC215 campaigns often contain foreign language strings that do not match the country being\r\ntargeted and may be intended to mislead an analyst examining the malware. Additionally, on at least three\r\noccasions, UNC215 employed a custom tool associated with Iranian actors whose source code was leaked.\r\nIn several cases, we identified FOCUSFJORD samples with registry key names in regional languages. The\r\nregistry key names are hardcoded into every FOCUSFJORD sample, as the malware needs to read and\r\ndecrypt those registry key values for proper execution.\r\nFOCUSFJORD samples (MD5: d13311df4e48a47706b4352995d67ab0 and MD5:\r\n26d079e3afb08af0ac4c6d92fd221e71) observed on Israeli and UAE networks, and a memory dump\r\n(MD5: d875858dbd84b420a2027ef5d6e3a512) submitted to a public malware repository by a likely\r\nUzbekistan financial organization are configured with registry keys in Farsi. Linguistic analysis\r\nsuggests that these terms were auto-translated, as they are not commonly used by native Farsi\r\nspeakers.\r\nAnother FOCUSFJORD sample uploaded from Uzbekistan (MD5:\r\nac431261b8852286d99673fddba38a50) contains a configuration with registry key names in Hindi.\r\nNotably, this variant also contains an error message string in Arabic ('ضائع', which translates to: lost\r\nor missing).\r\nIn April 2019, UNC215 deployed the SEASHARPEE web shell against financial and high-tech\r\norganizations in the Middle East and Asia. The SEASHARPEE web shell was developed and used by\r\nIranian APT actors until the code was leaked online in the Telegram channel Lab Dookhtegan a few weeks\r\nearlier in March 2019.\r\nAround this time, the Turkish-language file Sosyal Güvenlik Reformu-Not-3.doc \"Social Security Reform -\r\nNote - 3.doc\" (MD5: 6930bd66a11e30dee1ef4f57287b1318) was distributed to a suspected Turkish\r\ngovernment entity based on data from an open-source malware repository. 
The document contains\r\n\"C:\\Users\\Iran\" paths that were likely included to obfuscate the source of the activity.\r\nThe use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups\r\nmay have been intended to mislead analysts and suggest an attribution to Iran. Notably, in 2019 the government of\r\nIran accused APT27 of attacking its government networks and released a detection and removal tool for\r\nHYPERBRO malware.\r\nTradecraft Mistakes\r\nWhile UNC215 prioritizes evading detection within a compromised network, Mandiant identified several\r\nexamples of code, C2 infrastructure, and certificate reuse indicating that UNC215 operators are less concerned\r\nabout defenders’ ability to track and detect UNC215 activity.\r\nIn several instances, UNC215 used the same exact file against multiple victims and frequently shared\r\ninfrastructure across victims. This lack of compartmentalization is not uncommon, but does show that\r\nUNC215 is relatively less concerned about the ability for their compromises to be linked to each other.\r\nC2 servers used by UNC215 frequently reuse the same SSL certificate, as described in Team Cymru’s\r\nresearch in 2020.\r\nOn one network, between April 2019 and April 2020, an operator repeatedly and infrequently revisited a\r\ncompromised network whenever an Endpoint Detection and Response (EDR) tool detected or quarantined\r\ntools like HYPERBRO and Mimikatz. 
After several months of repeated detections, UNC215 deployed an\r\nupdated version of HYPERBRO and a tool called “anti.exe” to stop the Windows Update service and terminate\r\nEDR- and antivirus-related services.\r\nAttribution\r\nMandiant attributes this campaign to Chinese espionage operators, which we track as UNC215, a Chinese\r\nespionage operation that has been suspected of targeting organizations around the world since at least 2014. We\r\nhave low confidence that UNC215 is associated with APT27. UNC215 has compromised organizations in the\r\ngovernment, technology, telecommunications, defense, finance, entertainment, and health care sectors. The group\r\ntargets data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic\r\nobjectives.\r\nOutlook and Implications\r\nThe activity detailed in this post demonstrates China’s consistent strategic interest in the Middle East. This cyber\r\nespionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt\r\nand Road Initiative (BRI) and its interest in Israel’s robust technology sector.\r\nChinese companies have invested billions of dollars into Israeli technology startups, partnering or\r\nacquiring companies in strategic industries like semi-conductors and artificial intelligence.\r\nAs China’s BRI moves westward, its most important construction projects in Israel are the railway between\r\nEilat and Ashdod, a private port at Ashdod, and the port of Haifa.\r\nChina has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions—\r\npolitical, economic, and security—and we anticipate that UNC215 will continue targeting governments and\r\norganizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term.\r\nMITRE ATT\u0026CK Techniques\r\nID Technique\r\nT1003.001 OS Credential Dumping: LSASS Memory\r\nT1007 System Service 
Discovery\r\nT1010 Application Window Discovery\r\nT1012 Query Registry\r\nT1016 System Network Configuration Discovery\r\nT1021.001 Remote Services: Remote Desktop Protocol\r\nT1027 Obfuscated Files or Information\r\nT1033 System Owner/User Discovery\r\nT1055 Process Injection\r\nT1055.003 Process Injection: Thread Execution Hijacking\r\nT1055.012 Process Injection: Process Hollowing\r\nT1056.001 Input Capture: Keylogging\r\nT1057 Process Discovery\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1070.006 Indicator Removal on Host: Timestomp\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nT1078 Valid Accounts\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1087 Account Discovery\r\nT1090 Proxy\r\nT1095 Non-Application Layer Protocol\r\nT1098 Account Manipulation\r\nT1105 Ingress Tool Transfer\r\nT1112 Modify Registry\r\nT1113 Screen Capture\r\nT1115 Clipboard Data\r\nT1133 External Remote Services\r\nT1134 Access Token Manipulation\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1190 Exploit Public-Facing Application\r\nT1199 Trusted Relationship\r\nT1202 Indirect Command Execution\r\nT1213 Data from Information Repositories\r\nT1482 Domain Trust Discovery\r\nT1489 Service Stop\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 Virtualization/Sandbox Evasion: System Checks\r\nT1505.003 Server Software Component: Web Shell\r\nT1518 Software Discovery\r\nT1543.003 Create or Modify System Process: Windows Service\r\nT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1553.002 Subvert Trust Controls: Code Signing\r\nT1559.002 Inter-Process Communication: 
Dynamic Data Exchange\r\nT1560 Archive Collected Data\r\nT1564.003 Hide Artifacts: Hidden Window\r\nT1569.002 System Services: Service Execution\r\nT1573.002 Encrypted Channel: Asymmetric Cryptography\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nT1583.003 Acquire Infrastructure: Virtual Private Server\r\nT1588.003 Obtain Capabilities: Code Signing Certificates\r\nT1608.003 Stage Capabilities: Install Digital Certificate\r\nIndicators of Compromise\r\nThe following indicators have been seen in use with the noted malware families, but not all have been confirmed\r\nto be used by UNC215.\r\nType Value Description\r\nIP 85.204.74.143 HYPERBRO C2\r\nIP 103.79.78.48 HYPERBRO C2\r\nIP 89.35.178.105 HYPERBRO C2\r\nIP 47.75.49.32 HYPERBRO C2\r\nIP 139.59.81.253 FOCUSFJORD C2\r\nIP 34.65.151.250 FOCUSFJORD C2\r\nIP 159.89.168.83 FOCUSFJORD C2\r\nIP 103.59.144.183 FOCUSFJORD C2\r\nIP 141.164.52.232 FOCUSFJORD C2\r\nDetecting the Techniques\r\nFireEye detects this activity across our platforms.\r\nPlatform(s) Detection Name\r\nNetwork Security\r\nEmail Security\r\nDetection On Demand\r\nMalware Analysis\r\nFile Protect\r\nBackdoor.Win32.HyperBro.FEC3\r\nFE_APT_Backdoor_Win32_HYPERBRO_1\r\nFE_Downloader_Win32_FOCUSFJORD_2\r\nFE_Trojan_Raw32_SILKWRAP_1\r\nTrojan.Win32.LuckyMouse.FEC3\r\nFE_Trojan_Raw32_SILKWRAP_1\r\n33341691_APT.Downloader.Win.FOCUSFJORD\r\nTrojan.Win32.DllHijack.FEC3\r\nFE_Trojan_Raw32_SILKWRAP_1\r\nFE_Autopatt_Win_FOCUSFJORD\r\nTrojan.Generic\r\nFE_Tool_Win_Generic_3\r\nFE_Tool_Win32_Generic_3\r\nFE_Trojan_Win_Generic_154\r\nFE_Trojan_Win32_Generic_403\r\nFE_Trojan_Win_Generic_155\r\nFE_Trojan_Win64_Generic_54\r\nFE_APT_Backdoor_Win32_HYPERBRO_2\r\nFE_Trojan_Win32_Generic_404\r\nFE_Trojan_Win32_Generic_406\r\nSuspicious File Config\r\nSuspicious Regkey 
Added\r\nSuspicious Process Launch Activity\r\nSuspicious Codeinjection Activity\r\nSuspicious Process Delete Activity\r\nSuspicious Process Hijacking Activity\r\nSuspicious Process Self Deletion Activity\r\nEndpoint Security\r\nGeneric.mg.a0b2193362152053\r\nGeneric.mg.26d079e3afb08af0\r\nGeneric.mg.28ce8dbdd2b7dfd1\r\nGeneric.mg.04c51909fc65304d\r\nGeneric.mg.0e061265c0b59980\r\nGeneric.mg.09ffc31a432f646e\r\nGeneric.mg.6ca8993b341bd90a\r\nGeneric.mg.0ec4d0a477ba21bd\r\nGeneric.mg.04dece2662f648f6\r\nTrojan.GenericKD.43427954\r\nGen:Variant.Ursu.933105\r\nTrojan.GenericKD.32762213\r\nTrojan.GenericKD.34854595\r\nGen:Variant.Ursu.256631\r\nGen:Variant.Doina.16603\r\nGen:Variant.Doina.13437\r\nHelix\r\n1.1.2927.fireeye_intel_hit_ip\r\n1.1.2928.fireeye_intel_hit_ip\r\n1.1.2929.fireeye_intel_hit_ip\r\n1.1.2930.fireeye_intel_hit_ip\r\n1.1.2947.fireeye_intel_hit_hash\r\n1.1.2948.fireeye_intel_hit_hash\r\n1.1.2949.fireeye_intel_hit_hash\r\n1.1.2950.fireeye_intel_hit_hash\r\n1.1.1404.windows_methodology_unusual_web_server_child_process\r\n1.1.3506.windows_methodology_adfind\r\n1.1.1650.windows_methodology_mimikatz_args\r\n1.1.1651.antivirus_methodology_mimikatz\r\n1.1.1652.windows_methodology_invokemimikatz_powershell_artifacts\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel"
	],
	"report_names": [
		"unc215-chinese-espionage-campaign-in-israel"
	],
	"threat_actors": [
		{
			"id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5",
			"created_at": "2023-12-08T02:00:05.75114Z",
			"updated_at": "2026-04-10T02:00:03.493837Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4",
			"created_at": "2022-10-25T16:07:24.35727Z",
			"updated_at": "2026-04-10T02:00:04.952883Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "ETDA:UNC215",
			"tools": [
				"AdFind",
				"CHINACHOPPER",
				"China Chopper",
				"FOCUSFJORD",
				"HighShell",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Mimikatz",
				"NBTscan",
				"ProcDump",
				"PsExec",
				"SEASHARPEE",
				"SinoChopper",
				"SysUpdate",
				"TwoFace",
				"WHEATSCAN",
				"WinRAR",
				"certutil",
				"certutil.exe",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7702289fd8aca1ad8dbc3e9c536a03821fe61b65.pdf",
		"text": "https://archive.orkl.eu/7702289fd8aca1ad8dbc3e9c536a03821fe61b65.txt",
		"img": "https://archive.orkl.eu/7702289fd8aca1ad8dbc3e9c536a03821fe61b65.jpg"
	}
}