{
	"id": "47c957fd-af11-4530-b056-a617b632ade2",
	"created_at": "2026-04-06T00:09:45.821871Z",
	"updated_at": "2026-04-10T13:12:42.592024Z",
	"deleted_at": null,
	"sha1_hash": "8b55af3a21178eff88880e439c83efe434d422b1",
	"title": "AVIVORE – Hunting Global Aerospace through the Supply Chain | Context Information Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47483,
	"plain_text": "AVIVORE – Hunting Global Aerospace through the Supply Chain\r\n| Context Information Security\r\nBy https://www.contextis.com/en/\r\nArchived: 2026-04-05 13:17:31 UTC\r\nUntil now, most prominent supply chain intrusions have been \"vertical\": initial victims are typically Managed Services Providers or software vendors leveraged by attackers to move up or down the supply chain. However, since summer 2018, Context Information Security has been investigating a series of incidents targeting UK and European Aerospace and Defence that are best described as \"horizontal\". Advanced attackers have been leveraging direct connectivity between suppliers and partners who are integrated into each other’s value chains. We have been tracking this activity under the codename AVIVORE.\r\nAffected victims include large multinational firms (Primes) and smaller engineering or consultancy firms within their supply chain (Secondaries). Context has worked closely with victims, the National Cyber Security Centre (NCSC), security organisations, and law enforcement agencies across Europe to reduce impact and prevent further compromise.\r\nWho is AVIVORE?\r\nContext categorises AVIVORE as a previously unknown and untracked nation-state level adversary, whose operators’ working hours appear to correlate to a time zone of UTC+8. The primary objective of their intrusions is believed to be espionage, as well as access enablement through supply chain partners.\r\nRecent reporting on incidents affecting Aerospace and Defence Primes has speculated that either APT10 or JSSD (Jiangsu Province Ministry of State Security) may be responsible for this activity. Whilst certain similarities exist between these adversaries' campaigns and those investigated by Context, the Tactics, Techniques and Procedures (TTPs), infrastructure and tooling observed differ significantly. Whilst involvement of these named adversaries cannot be ruled out, available evidence suggests this campaign is the work of a separate adversary group.\r\nCapable and Adaptable\r\nAVIVORE showed themselves to be highly capable: adept at “living off the land” (masquerading as legitimate users) and operationally security-aware, including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror the working times and patterns of these users to avoid arousing suspicion. They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities (e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies). AVIVORE’s attack methodology for the linked intrusions followed a relatively set format:\r\nhttps://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore\r\nPage 1 of 3\n\nAccess into the victim through leverage of compromised user credentials and legitimate external remote access services;\r\nEscalation of privileges within the victim environment via abuse of legitimate tools and/or highly privileged service and enterprise administrator accounts;\r\nAccount and host enumeration using 'net' commands;\r\nScheduled execution of scripts and tooling run in the context of the ‘SYSTEM’ user;\r\nRemoval of forensic artefacts of scripts \u0026 tooling, and clearing of event logs following execution;\r\nUse of RDP for lateral movement around the victim environment.\r\nInfrastructure and Tooling\r\nAVIVORE made extensive use of infrastructure providing interconnectivity between victims; affected Secondaries are often suppliers to multiple Primes and frequently maintain direct network connectivity via Virtual Private Networks (VPNs) or other remote and collaborative working solutions. AVIVORE exploited this relationship to bypass the (generally well-defended) perimeters of the Primes, evading critical controls and taking advantage of the challenges many organisations face in cross-boundary coordination.\r\nThis technique, referred to as \"Island Hopping\", allowed AVIVORE to chain activity across multiple business units (with local IT and security teams operating independently) or geographical locales within victim environments. Where Context had visibility of the victim-facing network infrastructure employed by AVIVORE, it primarily consisted of commercial VPN infrastructure located in Singapore and Japan, as well as Tor. This all served to obfuscate the origin of AVIVORE’s connections into victim networks and made investigation challenging.\r\nAVIVORE demonstrated a preference for in-built system tooling and abuse of legitimate software. They introduced network scanning and certificate extraction tools, as well as Windows Sysinternals tools such as ProcDump, across multiple victim environments. These binaries were renamed to imitate Windows DLLs and staged in file system locations associated with compatibility and performance logging. Such tools were typically executed on remote systems using scheduled tasks and then removed, together with their output, following execution.\r\nMultiple instances of the PlugX Remote Access Trojan were discovered on compromised hosts. Evidence suggested these implants were deployed between October 2015 and October 2016. File system artefacts indicated that attackers may have interacted with them between deployment and the 2018 intrusions. Although direct interaction with these implants was not observed during the investigation period, Context assesses with low-to-moderate confidence that they may be associated with the AVIVORE intrusions. Evidence indicated that some of the implants were patched in memory, with modified configuration blocks injected post-execution to provide new C2 domains during times AVIVORE operators were active inside victim environments.\r\nFuture Recommendations and Mitigations\r\nThough the majority of activity investigated by Context has taken place since Jan/Feb 2018, artefacts from some victim environments indicate that AVIVORE likely maintained persistent access since October 2015, and potentially even earlier. Therefore, it is possible that this is a small portion of a broader campaign. In addition to Aerospace and Defence engineering victims, Context has seen AVIVORE target assets related to a number of other verticals including:\r\nAutomotive\r\nConsultancy\r\nEnergy/Nuclear\r\nSpace and Satellite Technology\r\nBased on the information and assets sought by AVIVORE, Context assesses with moderate confidence that the objective of the recent campaign was intellectual property theft from victim organisations. Although defence against advanced nation-state level actors can be challenging, Context recommends the following mitigations to disrupt future AVIVORE activity:\r\nImpose access limitations on supplier connections over VPNs, such as preventing their use outside of the supplier’s business hours or from IP addresses and locations other than those pre-agreed, and restrict access only to the data and assets they require to perform their actions.\r\nEnsure that security measures such as multifactor authentication and enhanced auditing/logging are deployed to hosts and services into which suppliers are required to connect, in order to prevent, or support the investigation of, any suspicious user behaviour.\r\nEnsure that external remote access services implement appropriate log retention. Logs should contain enough information on the sources of inbound connections to enable identification of anomalies, such as concurrent log-ins with impossible geography.\r\nEnsure that credentials for highly privileged accounts and remote services are stored securely, and that their use is appropriately monitored. Hosts such as domain controllers, sensitive file shares and Public Key Infrastructure servers should also be subject to particular additional scrutiny and monitoring.\r\nWhere possible, applications, documentation and technical information related to network infrastructure and configuration of remote access services should be made available only to engineers, IT support staff and other individuals with a legitimate business need.\r\nSource: https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore"
	],
	"report_names": [
		"avivore"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "680d62c6-23e2-411b-86e9-af6dc6a64d53",
			"created_at": "2023-01-06T13:46:39.329055Z",
			"updated_at": "2026-04-10T02:00:03.289076Z",
			"deleted_at": null,
			"main_name": "Avivore",
			"aliases": [],
			"source_name": "MISPGALAXY:Avivore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b978023-9d82-46fb-b836-a0d011504d2c",
			"created_at": "2022-10-25T16:07:23.368134Z",
			"updated_at": "2026-04-10T02:00:04.568035Z",
			"deleted_at": null,
			"main_name": "AVIVORE",
			"aliases": [],
			"source_name": "ETDA:AVIVORE",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b55af3a21178eff88880e439c83efe434d422b1.pdf",
		"text": "https://archive.orkl.eu/8b55af3a21178eff88880e439c83efe434d422b1.txt",
		"img": "https://archive.orkl.eu/8b55af3a21178eff88880e439c83efe434d422b1.jpg"
	}
}