{
	"id": "ed1934f3-b96e-4df9-87cd-71f2e38e04f9",
	"created_at": "2026-04-06T00:16:22.818372Z",
	"updated_at": "2026-04-10T13:12:03.647774Z",
	"deleted_at": null,
	"sha1_hash": "8e839c51a4baa5be107f6e70bd2a9cbfbfcbaeb2",
	"title": "Red Apollo",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94039,
	"plain_text": "Red Apollo\r\nBy Contributors to Wikimedia projects\r\nPublished: 2019-06-30 · Archived: 2026-04-05 17:41:39 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nRed Apollo\r\nFormation: c. 2003–2005[1]\r\nType: Advanced persistent threat\r\nPurpose: Cyberespionage, cyberwarfare\r\nRegion: China\r\nMethods: Zero-days, phishing, backdoors, RATs, keylogging\r\nOfficial language: Chinese\r\nParent organization: Tianjin State Security Bureau of the Ministry of State Security\r\nFormerly called: APT10, Stone Panda, MenuPass, RedLeaves, CVNX, POTASSIUM\r\nRed Apollo (also known as APT10 by Mandiant, MenuPass by FireEye, Stone Panda by CrowdStrike, and POTASSIUM by Microsoft)[1][2] is a Chinese state-sponsored cyberespionage group which has operated since 2006. In a 2018 indictment, the United States Department of Justice attributed the group to the Tianjin State Security Bureau of the Ministry of State Security.[3]\r\nThe team was designated an advanced persistent threat by FireEye, which reported that it targets aerospace, engineering, and telecom firms and any government that it believes is a rival of China.\r\nhttps://en.wikipedia.org/wiki/Red_Apollo\r\nPage 1 of 3\r\nFireEye stated that the group could be targeting intellectual property from educational institutions such as a Japanese university and is likely to expand operations into the education sector in nations allied with the United States.[4] FireEye said it had tracked the group since 2009 but, because of the low threat it had posed, had not treated it as a priority. FireEye now describes the group as \"a threat to organizations worldwide.\"[4]\r\nThe group directly targets managed information technology service providers (MSPs) using remote access trojans (RATs). The general role of an MSP is to help manage a company's computer network. MSPs were often compromised by Poison Ivy, FakeMicrosoft, PlugX, ArtIEF, Graftor, and ChChes, delivered through spear-phishing emails.[5]\r\n2014 to 2017: Operation Cloud Hopper\r\nOperation Cloud Hopper was an extensive attack and theft of information in 2017 directed at MSPs in the United Kingdom (U.K.), United States (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa, India, Thailand, South Korea and Australia. The group used MSPs as intermediaries to acquire assets and trade secrets from MSP clients in engineering, industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.\r\nOperation Cloud Hopper used over 70 variants of backdoors, malware and trojans, delivered through spear-phishing emails. The attackers created scheduled tasks or leveraged services and utilities to persist on Microsoft Windows systems across reboots, and installed malware and hacking tools to access systems and steal data.[5]\r\n2016 US Navy personnel data\r\nHackers accessed records relating to 130,000 US Navy personnel (out of 330,000).[6] In response, the Navy coordinated with Hewlett Packard Enterprise Services, despite warnings having been given before the breach.[7] All affected sailors were required to be notified.\r\nA 2018 indictment showed that CVNX was not the name of the group but the alias of one of two hackers. Both used four aliases each to make it appear that more than five hackers had attacked.\r\nPost-indictment activities\r\nIn April 2019 APT10 targeted government and private organizations in the Philippines.[8]\r\nIn 2020 Symantec implicated Red Apollo in a series of attacks on targets in Japan.[9]\r\nIn March 2021, the group targeted the intellectual property of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker, for exfiltration.[10]\r\nSee also\r\nChina–United States relations\r\nCyberwarfare and China\r\nReferences\r\n1. \"APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat\". FireEye. Archived from the original on 2021-04-28. Retrieved 2021-03-07.\r\n2. Kozy, Adam (2018-08-30). \"Two Birds, One STONE PANDA\". Archived from the original on 2021-01-15. Retrieved 2021-03-07.\r\n3. \"Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information\". United States Department of Justice. 2018-12-20. Archived from the original on 2021-05-01. Retrieved 2021-03-07.\r\n4. \"APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat\". FireEye. April 6, 2017. Archived from the original on April 28, 2021. Retrieved June 30, 2019.\r\n5. \"Operation Cloud Hopper: What You Need to Know - Security News - Trend Micro USA\". trendmicro.com. April 10, 2017. Archived from the original on June 30, 2019. Retrieved June 30, 2019.\r\n6. \"Chinese hackers allegedly stole data of more than 100,000 US Navy personnel\". MIT Technology Review. Archived from the original on 2019-06-18. Retrieved 2019-06-30.\r\n7. \"US Navy Sailor Data 'Accessed by Unknown Individuals'\". bankinfosecurity.com. Archived from the original on 2019-06-30. Retrieved 2019-07-12.\r\n8. Manantan, Mark (September 2019). \"The Cyber Dimension of the South China Sea Clashes\". No. 58. The Diplomat. Archived from the original on 17 February 2016. Retrieved 5 September 2019.\r\n9. Lyngaas, Sean (17 November 2020). \"Symantec implicates APT10 in sweeping hacking campaign against Japanese firms\". Cyberscoop. Archived from the original on 18 November 2020. Retrieved 19 November 2020.\r\n10. N. Das, Krishna (1 March 2021). \"Chinese hacking group Red Apollo (APT10) had identified gaps and vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech and the Serum Institute of India (SII), the world's largest vaccine maker\". Reuters. Archived from the original on 3 May 2021. Retrieved 1 March 2021.\r\nSource: https://en.wikipedia.org/wiki/Red_Apollo",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Red_Apollo"
	],
	"report_names": [
		"Red_Apollo"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e839c51a4baa5be107f6e70bd2a9cbfbfcbaeb2.pdf",
		"text": "https://archive.orkl.eu/8e839c51a4baa5be107f6e70bd2a9cbfbfcbaeb2.txt",
		"img": "https://archive.orkl.eu/8e839c51a4baa5be107f6e70bd2a9cbfbfcbaeb2.jpg"
	}
}