{
	"id": "28002ec9-06b5-4563-bcd6-1ac90448d249",
	"created_at": "2026-04-06T00:11:51.637431Z",
	"updated_at": "2026-04-10T03:35:47.253543Z",
	"deleted_at": null,
	"sha1_hash": "b34193f2ae520c8ec3bb05d7a4183caec51ec730",
	"title": "Naikon Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38009,
	"plain_text": "Naikon Targeted Attacks\r\nBy Kaspersky\r\nPublished: 2017-09-13 · Archived: 2026-04-05 15:53:16 UTC\r\nVIRUS DEFINITION\r\nVirus Type: Advanced Persistent Threat (APT)\r\nWhat is Naikon?\r\nNaikon is a threat actor that appears to be Chinese-speaking. Its primary targets are top-level government agencies\r\nand civil and military organizations. Naikon is one of the most active APTs in Asia, especially around the South\r\nChina Sea, and has been spying on entities in the area for around five years, since at least 2010.\r\nWho are the victims of these attacks?\r\nKaspersky Lab has detected Naikon malware in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam,\r\nMyanmar, Singapore, Nepal, Thailand, Laos and China.\r\nAm I at risk?\r\nNaikon’s targets are hit using traditional spear-phishing techniques, with emails carrying attachments designed to\r\nbe of interest to the potential victim. This attachment might look like a Word document, but is in fact an\r\nexecutable file with a double extension. You might be a target of Naikon if the following risk factors are familiar\r\nto you:\r\nRisk factors:\r\nIf you work for/with governments/military in APAC\r\nYou possess valuable information\r\nIf you receive and read hundreds of emails, open attachments\r\nAre normal consumers at risk?\r\nWe haven’t seen the Naikon group attacking ordinary consumers; however, the malware used by the group could\r\neasily be turned against anyone running Windows and using email. Basically, if someone is connected with an\r\nindividual of interest to the Naikon APT, they could be targeted.\r\nHow can I protect myself?\r\nKaspersky Lab advises organizations to protect themselves against Naikon as follows:\r\nhttps://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks\r\nPage 1 of 2\n\nDon’t open attachments and links from people you don’t know\r\nUse an advanced anti-malware solution\r\nIf you are unsure about the attachment, try to open it in a sandbox\r\nMake sure you have an up-to-date version of your operating system with all patches installed\r\nRecommended products:\r\nKaspersky Premium Antivirus\r\nDownload Kaspersky Premium Antivirus with 30-Day Free Trial\r\nKaspersky VPN - Download and Try for Free\r\nSource: https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks\r\nhttps://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks"
	],
	"report_names": [
		"naikon-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b34193f2ae520c8ec3bb05d7a4183caec51ec730.pdf",
		"text": "https://archive.orkl.eu/b34193f2ae520c8ec3bb05d7a4183caec51ec730.txt",
		"img": "https://archive.orkl.eu/b34193f2ae520c8ec3bb05d7a4183caec51ec730.jpg"
	}
}