{
	"id": "ea4af17e-1251-45d5-80be-7995e94acd56",
	"created_at": "2026-04-06T00:13:48.705422Z",
	"updated_at": "2026-04-10T03:32:09.447892Z",
	"deleted_at": null,
	"sha1_hash": "b7f33ecd7247d20fa23e11250864ab4ccae1f1f2",
	"title": "Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45956,
	"plain_text": "Palmerworm: Espionage Gang Targets the Media, Finance, and\r\nOther Sectors\r\nArchived: 2026-04-05 13:32:56 UTC\r\nThe Threat Hunter Team at Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered a new\r\nespionage campaign carried out by the Palmerworm group (aka BlackTech) involving a brand new suite of custom\r\nmalware, targeting organizations in Japan, Taiwan, the U.S., and China.\r\nThe attacks occurred in 2019 and continued into 2020, targeting organizations in the media, construction,\r\nengineering, electronics, and finance sectors. We observed the group using previously unseen malware in these\r\nattacks.\r\nPalmerworm uses a combination of custom malware, dual-use tools, and living-off-the-land tactics in this\r\ncampaign. Palmerworm has been active since at least 2013, with the first activity seen in this campaign in August\r\n2019.\r\nTactics, Tools, and Procedures\r\nPalmerworm was observed using both dual-use tools and custom malware in these attacks.\r\nAmong the custom malware families we saw it use were:\r\nBackdoor.Consock\r\nBackdoor.Waship\r\nBackdoor.Dalwit\r\nBackdoor.Nomri\r\nWe have not observed the group using these malware families in previous attacks – they may be newly developed\r\ntools, or the evolution of older Palmerworm tools. Malware used by Palmerworm in the past has included:\r\nBackdoor.Kivars\r\nBackdoor.Pled\r\nWhile the custom malware used by the group in this campaign is previously undocumented, other elements of the\r\nattack bear similarities to past Palmerworm campaigns, making us reasonably confident that it is the same group\r\ncarrying out this campaign.\r\nAs well as the four backdoors mentioned, we also see the group using a custom loader and a network\r\nreconnaissance tool, which Symantec detects as Trojan Horse and Hacktool. 
The group also used several dual-use\r\ntools, including:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt\r\nPage 1 of 3\n\nPuTTY – can be leveraged by attackers for remote access, to exfiltrate data and send it back to attackers\r\nPsExec – is a legitimate Microsoft tool that can be exploited by malicious actors and used for lateral\r\nmovement across victim networks\r\nSNScan – this tool can be used for network reconnaissance, to find other potential targets on victim\r\nnetworks\r\nWinRAR – is an archiving tool that can be used to compress files (potentially to make them easier to send\r\nback to attackers) and also to extract files from zipped folders\r\nAll these dual-use tools are commonly exploited by malicious actors like Palmerworm, with advanced persistent\r\nthreat (APT) groups like this increasingly using living-off-the-land tactics, including the use of dual-use tools, in\r\nrecent years. These tools provide attackers with a good degree of access to victim systems without the need to\r\ncreate complicated custom malware that can more easily be linked back to a specific group.\r\nIn this campaign, Palmerworm is also using stolen code-signing certificates to sign its payloads, which makes the\r\npayloads appear more legitimate and therefore more difficult for security software to detect. Palmerworm has been\r\npublicly documented using stolen code-signing certificates in previous attack campaigns.\r\nWe did not see what infection vector Palmerworm used to gain initial access to victim networks in this campaign;\r\nhowever, in the past the group has been documented as using spear-phishing emails to gain access to victim\r\nnetworks.\r\nVictims\r\nSymantec identified multiple victims in this campaign, in a number of industries, including media, construction,\r\nengineering, electronics, and finance. 
The media, electronics, and finance companies were all based in Taiwan, the\r\nengineering company was based in Japan, and the construction company in China. It is evident Palmerworm has a\r\nstrong interest in companies in this region of East Asia.\r\nWe also observed Palmerworm activity on some victims in the U.S., however, we were unable to identify the\r\nsector of the companies targeted.\r\nPalmerworm activity was first spotted in this campaign in August 2019, when activity was seen on the network of\r\na Taiwanese media company and a construction company in China. The group remained active on the network of\r\nthe media company for a year, with activity on some machines there seen as recently as August 2020.\r\nPalmerworm also maintained a presence on the networks of a construction and a finance company for several\r\nmonths. However, it spent only a couple of days on the network of a Japanese engineering company in September\r\n2019, and a couple of weeks on the network of an electronics company in March 2020. It spent approximately six\r\nmonths on one of the U.S.-based machines on which we observed activity.\r\nThe finance, media, and construction industries, then, appear to be of the biggest interest to Palmerworm in this\r\ncampaign. 
There have been reports previously of Palmerworm targeting the media sector.\r\nWhat do the attackers want?\r\nWhile we cannot see what Palmerworm is exfiltrating from these victims, the group is considered an espionage\r\ngroup and its likely motivation is stealing information from targeted companies.\r\nHow do we know this is Palmerworm?\r\nWhile the custom malware used in this attack is not malware we have seen used by Palmerworm before, some of\r\nthe samples identified in this research are detected by other vendors as PLEAD, which is a known Palmerworm\r\n(aka BlackTech) malware family. We also saw the use of infrastructure that has previously been attributed to\r\nPalmerworm.\r\nThe group’s use of dual-use tools has also been seen in previous campaigns identified as being carried out by\r\nPalmerworm, while the location of its victims is also typical of the geography targeted by Palmerworm in past\r\ncampaigns. The group’s use of stolen code-signing certificates has also been observed in previous Palmerworm\r\nattacks. 
These various factors make us reasonably confident we can attribute this activity to Palmerworm.\r\nSymantec does not attribute Palmerworm’s activity to any specific geography; however, Taiwanese officials have\r\nstated publicly that they believe BlackTech, which we track as Palmerworm, is backed by the Chinese government.\r\nConclusion\r\nAPT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics\r\nmaking their activity ever harder to detect, and underlining the need for customers to have a comprehensive\r\nsecurity solution in place that can detect this kind of activity.\r\nProtection\r\nThe following protections are in place for customers against Palmerworm activity:\r\nBackdoor.Consock\r\nBackdoor.Waship\r\nBackdoor.Dalwit\r\nBackdoor.Nomri\r\nBackdoor.Kivars\r\nBackdoor.Pled\r\nHacktool\r\nTrojan Horse\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt"
	],
	"report_names": [
		"palmerworm-blacktech-espionage-apt"
	],
	"threat_actors": [
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7f33ecd7247d20fa23e11250864ab4ccae1f1f2.pdf",
		"text": "https://archive.orkl.eu/b7f33ecd7247d20fa23e11250864ab4ccae1f1f2.txt",
		"img": "https://archive.orkl.eu/b7f33ecd7247d20fa23e11250864ab4ccae1f1f2.jpg"
	}
}