{
	"id": "d7dc9bfc-88eb-47d5-bd1b-61ed381dfc92",
	"created_at": "2026-04-06T00:21:01.89997Z",
	"updated_at": "2026-04-10T03:33:56.262821Z",
	"deleted_at": null,
	"sha1_hash": "7aab915d0d93980235a982413a177d040abf2e2b",
	"title": "Threat Spotlight: Group 72",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92844,
	"plain_text": "Threat Spotlight: Group 72\r\nBy Talos Group,\r\nPublished: 2014-10-14 · Archived: 2026-04-05 17:02:58 UTC\r\nThis post is co-authored by Joel Esler, Martin Lee and Craig Williams\r\nEveryone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of\r\nphrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a crowd\r\nby knowing what characteristics to look for. Exactly the same is true for threat actors.\r\nEach threat actor group may have certain characteristics that they display during their attack campaigns. These\r\nmay be the types of malware that they use, a pattern in the naming conventions of their command and control\r\nservers, their choice of victims etc. Collecting attack data allows an observer to spot the characteristics that define\r\neach group and identify specific threat actors from the crowd of malicious activity on the internet.\r\nTalos security and intelligence research group collects attack data from our various telemetry systems to analyse,\r\nidentify and monitor threat actors through their different tactics, techniques, and procedures. Rather than give\r\nnames to the different identified groups, we assign numbers to the threat actors. We frequently blog about\r\nsignificant attack campaigns that we discover, behind the scenes we integrate our intelligence data directly into\r\nour products. As part of our research we keep track of certain threat actor groups and their activities. In\r\nconjunction with a number of other security companies, we are taking action to highlight and disrupt the activities\r\nof the threat actors identified by us as Group 72.\r\nGroup 72 is a long standing threat actor group involved in Operation SMN, named Axiom by Novetta. The group\r\nis sophisticated, well funded, and possesses an established, defined software development methodology. 
The\r\ngroup targets high-profile organizations with high-value intellectual property in the manufacturing, industrial,\r\naerospace, defense and media sectors. Geographically, the group almost exclusively targets organizations based in\r\nthe United States, Japan, Taiwan, and Korea. The preferred tactics of the group include watering-hole attacks, spear-phishing, and other web-based tactics.\r\nThe tools and infrastructure used by the attackers are common to a number of other threat actor groups, which may\r\nindicate some degree of overlap. We have seen similar patterns used in domain registration for malicious domains,\r\nand the same tactics used in other threat actor groups, leading us to believe that this group may be part of a larger\r\norganization that comprises many separate teams, or that different groups share tactics, code and personnel from\r\ntime to time.\r\nIt is possible that Group 72 has a vulnerability research team searching for 0-day vulnerabilities in Windows. The\r\ngroup is associated with the initial attack campaigns utilising exploits for the following vulnerabilities: CVE-2014-0322 and CVE-2012-4792. We have also observed them using SQL injection as part of their attacks, and\r\nexploits based on CVE-2012-1889 and CVE-2013-3893.\r\nhttp://blogs.cisco.com/security/talos/threat-spotlight-group-72\r\nPage 1 of 3\n\nFrequently the group deploys a remote access trojan (RAT) on compromised machines. These are used both to\r\nsteal data and credentials from compromised machines, and to use the machine as a staging post to conduct attacks\r\nagainst further systems on the network, allowing the attackers to spread their compromise within the organization.\r\nUnlike some threat actors, Group 72 does not prefer to use a single RAT as part of their attacks. 
We have observed\r\nthe group using the following RAT malware:\r\nGh0st RAT (aka Moudoor)\r\nPoison Ivy (aka Darkmoon)\r\nHydraQ (aka 9002 RAT aka McRAT aka Naid)\r\nHikit (aka Matrix RAT aka Gaolmay)\r\nZxshell (aka Sensode)\r\nDeputyDog (aka Fexel) — Using the kumanichi and moon campaign codes\r\nDerusbi\r\nPlugX (aka Destroy RAT aka Thoper aka Sogu)\r\nHydraQ and Hikit, according to our data, are unique to Group 72 and two other threat actor groups.\r\nWhile their operational security is very good, patterns in their domains can be identified, such as naming domains after their intended victim. We have observed domains such as\r\ncompanyname.attackerdomain.com and companyacronym.attackerdomain.com. We have also observed similar\r\npatterns in the disposable email addresses used to register their domains. These slips, among others, allow us to\r\nfollow their activities. Intriguingly, we have observed the same email address being used in the activities of this\r\nand two other threat actor groups. 
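The victim-named subdomain pattern above (companyname.attackerdomain.com, companyacronym.attackerdomain.com) can be turned into a simple hunting check over DNS query logs: flag any lookup whose subdomain label echoes the defending organization's name or acronym while the registrable domain is not one the organization owns. The following Python is an added example written for this page, not code from the Talos post. The organization name Acme Aerospace, its acronym aa, its owned zones, the log lines and the log format (timestamp, client IP, queried name) are all constructed assumptions.

```python
# Added example for this page (not code from the Talos post): hunt DNS query
# logs for hostnames whose subdomain label echoes the defending organization's
# name or acronym while the registrable domain is NOT one the organization owns,
# i.e. the companyname.attackerdomain.com pattern described in the post.
# The organization, its acronym, the owned zones and the log lines are constructed.

ORG_TOKENS = ('acmeaerospace', 'acme', 'aa')            # constructed victim name/acronyms
OWNED_DOMAINS = {'acmeaerospace.com', 'acme-aero.net'}  # constructed legitimate zones

# Constructed DNS query log, one lookup per line: timestamp, client IP, queried name.
# The trailing-dot and mixed-case entries exercise normalisation.
SAMPLE_DNS_LOG = '''
2014-10-13T08:01:12Z 10.20.3.41 www.acmeaerospace.com
2014-10-13T08:02:55Z 10.20.3.41 mail.acme-aero.net
2014-10-13T08:03:10Z 10.20.7.19 acme.update-service-host.com
2014-10-13T08:03:11Z 10.20.7.19 aa.update-service-host.com
2014-10-13T08:04:02Z 10.20.3.41 www.example.org
2014-10-13T08:05:40Z 10.20.9.77 AcmeAerospace.cdn-mirror.net.
'''


def normalize(host):
    # Lower-case and strip surrounding whitespace and the trailing root dot.
    return host.strip().rstrip('.').lower()


def registered_domain(host):
    # Naive registrable domain: the last two labels. A real deployment should
    # use the Public Suffix List so that names such as example.co.uk map to
    # example.co.uk rather than co.uk; that list is deliberately not bundled here.
    labels = normalize(host).split('.')
    if len(labels) < 2:
        return normalize(host)
    return '.'.join(labels[-2:])


def victim_token_in_host(host, tokens):
    # Return the first organization token echoed by a label LEFT of the
    # registrable domain, or None. Short tokens (acronyms) must equal a whole
    # label to keep noise down; tokens of four or more characters may also
    # appear inside a label, e.g. 'acme' inside 'acme-portal'.
    labels = normalize(host).split('.')
    for label in labels[:-2]:
        for tok in tokens:
            if label == tok or (len(tok) >= 4 and tok in label):
                return tok
    return None


def find_victim_named_lookups(log_text, tokens, owned_domains):
    # Scan the log and return (timestamp, client, host, token) for every lookup
    # of a victim-named host under a domain the organization does not own.
    owned = {normalize(d) for d in owned_domains}
    hits = []
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines instead of crashing
        ts, client, qname = parts
        host = normalize(qname)
        if registered_domain(host) in owned:
            continue                      # the org's own zones are expected traffic
        tok = victim_token_in_host(host, tokens)
        if tok is not None:
            hits.append((ts, client, host, tok))
    return hits


if __name__ == '__main__':
    for ts, client, host, tok in find_victim_named_lookups(SAMPLE_DNS_LOG, ORG_TOKENS, OWNED_DOMAINS):
        print(ts, client, host, 'matched token:', tok)
```

On the constructed log this flags the three lookups under update-service-host.com and cdn-mirror.net and ignores the organization's own zones. In production the main source of false positives is legitimate third-party hosting that also uses the customer name as a subdomain (SaaS tenants, CDNs), so the owned-zone set should be extended with an allowlist of known vendor zones, and matches should be triaged together with domain registration age and the registrant email, which the post notes is another place this group leaves a recognisable pattern.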
This may suggest that these three groups are indeed one unit, or possibly hint at\r\nshared staff or ancillary facilities.\r\nWe will post a follow-up with more technical detail in the coming days.\r\nClamAV names and Snort Signature IDs detecting Group 72 RAT malware:\r\nGh0stRat — Win.Trojan.Gh0stRAT, 19484, 27964\r\nPoisonIVY / DarkMoon — Win.Trojan.DarkMoon, 7816, 7815, 7814, 7813, 12715, 12724\r\nHydraq — Win.Trojan.HyDraq, 16368, 21304\r\nHiKit — Win.Trojan.HiKit, 30948\r\nZxshell — Win.Trojan.Zxshell, 32180, 32181\r\nDeputyDog — Win.Trojan.DeputyDog, 28493, 29459\r\nDerusbi — Win.Trojan.Derusbi, 20080\r\nProtecting Users Against These Threats\r\nAdvanced Malware Protection (AMP) is ideally suited to detect the sophisticated malware used by this threat\r\nactor.\r\nCWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects\r\nmalware used in these attacks.\r\nThe network security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nESA can block spear phishing emails sent by threat actors as part of their campaign.\r\nSource: http://blogs.cisco.com/security/talos/threat-spotlight-group-72",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://blogs.cisco.com/security/talos/threat-spotlight-group-72"
	],
	"report_names": [
		"threat-spotlight-group-72"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7aab915d0d93980235a982413a177d040abf2e2b.pdf",
		"text": "https://archive.orkl.eu/7aab915d0d93980235a982413a177d040abf2e2b.txt",
		"img": "https://archive.orkl.eu/7aab915d0d93980235a982413a177d040abf2e2b.jpg"
	}
}