{ "id": "b501e545-2a37-4a82-9178-d6395f3fcec3", "created_at": "2026-04-06T00:07:59.992593Z", "updated_at": "2026-04-10T13:11:53.980634Z", "deleted_at": null, "sha1_hash": "b461983db09c505f986e3136f01a97015b591315", "title": "APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47675, "plain_text": "APT10 (MenuPass Group): New Tools, Global Campaign Latest\r\nManifestation of Longstanding Threat\r\nBy Mandiant\r\nPublished: 2017-04-06 · Archived: 2026-04-05 13:17:00 UTC\r\nWritten by: FireEye iSIGHT Intelligence\r\nAPT10 Background\r\nAPT10 (MenuPass Group) is a Chinese cyber espionage group that FireEye has tracked since 2009. They have\r\nhistorically targeted construction and engineering, aerospace, and telecom firms, and governments in the United\r\nStates, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national\r\nsecurity goals, including acquiring valuable military and intelligence information as well as the theft of\r\nconfidential business data to support Chinese corporations. PwC and BAE recently issued a joint blog detailing\r\nextensive APT10 activity.\r\nAPT10’s Resurgence\r\nIn June 2016, FireEye iSIGHT intelligence first reported that APT10 expanded their operations. The group was\r\ninitially detected targeting a Japanese university, and more widespread targeting in Japan was subsequently\r\nuncovered. Further collaboration between FireEye as a Service (FaaS), Mandiant and FireEye iSIGHT intelligence\r\nuncovered additional victims worldwide, a new suite of tools and novel techniques.\r\nGlobal Targeting Using New Tools\r\nLeveraging its global footprint, FireEye has detected APT10 activity across six continents in 2016 and 2017.\r\nAPT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining\r\ncompany in South America; and multiple IT service providers worldwide. We believe these companies are a mix\r\nof final targets and organizations that could provide a foothold in a final target.\r\nAPT10 unveiled new tools in its 2016/2017 activity. In addition to the continued use of SOGU, the current wave\r\nof intrusions has involved new tools we believe are unique to APT10. HAYMAKER and SNUGRIDE have been\r\nused as first stage backdoors, while BUGJUICE and a customized version of the open source QUASARRAT have\r\nbeen used as second stage backdoors. These new pieces of malware show that APT10 is devoting resources to\r\ncapability development and innovation.\r\nHAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It\r\nalso conducts basic victim profiling activity, collecting the computer name, running process IDs,\r\n%TEMP% directory path and version of Internet Explorer. It communicates encoded system information to\r\na single hard coded command and control (C2) server, using the system’s default User-Agent string.\r\nhttps://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html\r\nPage 1 of 3\n\nBUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to\r\nload a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is\r\ndecrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary\r\nprotocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the\r\ncapability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.\r\nSNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are\r\nencrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to\r\nthe filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry\r\nkey.\r\nQUASARRAT is an open-source RAT. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not\r\navailable via the public GitHub page, indicating that APT10 has further customized the open source\r\nversion. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT\r\npayload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber\r\nespionage groups in the past.\r\nTraditional and Novel Methods\r\nThis recent APT10 activity has included both traditional spear phishing and access to victim’s networks through\r\nservice providers. (For more information on infection via service providers see M-Trends 2016). APT10 spear\r\nphishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions\r\n(e.g. “[Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named\r\ndecoy documents and malicious launchers within the same archive.\r\nIn addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through\r\nglobal service providers. Service providers have significant access to customer networks, enabling an attacker who\r\nhad compromised a service provider to move laterally into the network of the service provider’s customer. In\r\naddition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign\r\nby network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this\r\nobserved by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server\r\nbelonging to the victim’s service provider.\r\nAPT10 actors issued the following commands to a SOGU implant at a victim:\r\nsc create CorWrTool binPath= \"\\\"C:\\Windows\\vss\\vixDiskMountServer.exe\\\"\" start= auto displayname=\r\n\"Corel Writing Tools Utility\" type= own\r\nsc description CorWrTool \"Corel Graphics Corporation Applications.\"\r\nping -a [Redacted]\r\npsexec.exe d.exe\r\nnet view /domain:[Redacted]\r\nproxyconnect - \"port\": 3389, \"server\": \"[IP Address Redacted]\"\r\nThese commands included setting persistence on the victim’s system. The actor then tested connectivity to an IP\r\nmanaged by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor\r\nestablished the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU\r\nhttps://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html\r\nPage 2 of 3\n\nmalware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s\r\nnetwork. The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous.\r\nImplications\r\nAPT10 is a threat to organizations worldwide. Their abuse of access to service provider networks demonstrates\r\nthat peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative\r\nangles of attack. We believe the pace of APT10 operations may slow following the public disclosure by the\r\nPwC/BAE blog; however, we believe they will return to their large-scale operations, potentially employing new\r\ntactics, techniques and procedures.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html\r\nhttps://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE", "MISPGALAXY", "ETDA" ], "origins": [ "web" ], "references": [ "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" ], "report_names": [ "apt10_menupass_grou.html" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434079, "ts_updated_at": 1775826713, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b461983db09c505f986e3136f01a97015b591315.pdf", "text": "https://archive.orkl.eu/b461983db09c505f986e3136f01a97015b591315.txt", "img": "https://archive.orkl.eu/b461983db09c505f986e3136f01a97015b591315.jpg" } }