{
	"id": "94d480d7-d620-4b0b-be48-b411d449af1e",
	"created_at": "2026-04-06T00:15:53.608571Z",
	"updated_at": "2026-04-10T03:34:27.669613Z",
	"deleted_at": null,
	"sha1_hash": "af8bd23d980eb52ddb01d1eb656095ff8d8b8b8f",
	"title": "Chinese Hackers Target Satellite, Geospatial Imaging, Defense Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1349773,
	"plain_text": "Chinese Hackers Target Satellite, Geospatial Imaging, Defense Companies\r\nBy Catalin Cimpanu\r\nPublished: 2018-06-19 · Archived: 2026-04-05 19:51:46 UTC\r\nA cyber-espionage group believed to be operating out of China hacked companies that develop satellite communications and\r\ngeospatial imaging, as well as defense contractors, in both the United States and Southeast Asia.\r\nThe hacks were detected by US cyber-security firm Symantec, which said today in a report that the intruders showed particular\r\ninterest in the operational side of the breached companies.\r\nHackers paid close attention to reaching and infecting computer systems used for controlling communications satellites\r\nor those working with geospatial data collected by world-mapping satellites.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-target-satellite-geospatial-imaging-defense-companies/\r\n\"This suggests to us that [the group]’s motives go beyond spying and may also include disruption,\" Symantec said. There are\r\nfears that hackers might be able to, or might even attempt to, sabotage satellites or poison geospatial data.\r\nThrip APT behind the hacks\r\nThe company said the attacks were the work of an advanced persistent threat (APT, a term used to describe cyber-espionage groups) known under the codename Thrip.\r\nSymantec says it's been tracking this group since 2013, and it has historically believed the group to be operating out of\r\nChina.\r\nThe recent attacks were difficult to detect, the company said. Hackers used a technique known as \"living off the land,\"\r\nwhich consists of using local tools already available on the operating system to carry out malicious operations.\r\n\"The purpose of living off the land is twofold,\" Symantec explained. 
\"By using such features and tools, attackers are hoping\r\nto blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious\r\nactivity involving these tools is detected, it can make it harder to attribute attacks.\"\r\nAccording to Symantec, hackers used the following locally-installed and completely legitimate tools...\r\nPsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers\r\nto move laterally on the victim’s network.\r\nPowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised\r\nnetworks, and carry out reconnaissance.\r\nMimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows\r\npasswords in plaintext.\r\nWinSCP: Open source FTP client used to exfiltrate data from targeted organizations.\r\nLogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorized access to the\r\nvictim’s LogMeIn accounts or whether they created their own.\r\n...to install custom-made malware such as:\r\nTrojan.Rikamanu: A custom Trojan designed to steal information from an infected computer, including credentials and\r\nsystem information.\r\nInfostealer.Catchamas: Based on Rikamanu, this malware contains additional features designed to avoid detection. It also\r\nincludes a number of new capabilities, such as the ability to capture information from newer applications (such as new or\r\nupdated web browsers) that have emerged since the original Trojan.Rikamanu malware was created.\r\nTrojan.Mycicil: A keylogger known to be created by underground Chinese hackers. 
Although publicly available, it is not\r\nfrequently seen.\r\nBackdoor.Spedear: Although not seen in this recent wave of attacks, Spedear is a backdoor Trojan that has been used by\r\nThrip in other campaigns.\r\nTrojan.Syndicasec: Another Trojan used by Thrip in previous campaigns.\r\nHacks detected as far back as January 2018\r\nSymantec says it detected these attacks only after one of its artificial intelligence and machine learning-based systems triggered an\r\nalert for a suspicious use of a legitimate tool.\r\nExperts say they used this initial alert to uncover the first signs of compromise and then pulled on the thread to uncover a\r\nbroader operation targeting multiple companies across multiple countries and industry sectors. The purpose of this hacking\r\ncampaign was clearly cyber-espionage.\r\nThe company says it uncovered this operation in January, but the Thrip hacking campaign could be broader than the\r\ncompany has currently reported.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-hackers-target-satellite-geospatial-imaging-defense-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-hackers-target-satellite-geospatial-imaging-defense-companies/"
	],
	"report_names": [
		"chinese-hackers-target-satellite-geospatial-imaging-defense-companies"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af8bd23d980eb52ddb01d1eb656095ff8d8b8b8f.pdf",
		"text": "https://archive.orkl.eu/af8bd23d980eb52ddb01d1eb656095ff8d8b8b8f.txt",
		"img": "https://archive.orkl.eu/af8bd23d980eb52ddb01d1eb656095ff8d8b8b8f.jpg"
	}
}