{
	"id": "f6f5e9cf-5681-4bad-b59f-b4f244d6b484",
	"created_at": "2026-04-06T00:12:30.769188Z",
	"updated_at": "2026-04-10T03:36:18.99484Z",
	"deleted_at": null,
	"sha1_hash": "cf51163a42693d321ec54fbde193a7c243a0b976",
	"title": "China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 887147,
	"plain_text": "China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for\r\nPersistence\r\nBy Sygnia\r\nPublished: 2024-06-03 · Archived: 2026-04-05 13:33:32 UTC\r\nKey Takeaways\r\nIn late 2023, a large organization was the victim of a serious cyber attack. Sygnia’s forensic investigation into the\r\nattack revealed a sophisticated threat actor who exhibited robust capabilities and employed a methodical approach.\r\nThe evidence gathered suggests the involvement of a China-nexus state-sponsored threat actor.\r\nVelvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a\r\nprolonged presence in the organization’s on–premises network for about three years. The overall goal behind this\r\ncampaign was to maintain access to the target network for espionage.\r\nThe threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the\r\nvictim company’s environment. One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance,\r\nwhich was exposed to the internet and which the threat actor leveraged as an internal Command and Control\r\n(C\u0026C).\r\nAfter one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility\r\nand adaptability in evading detection.\r\nThe threat actor exploited various entry points across the victim’s network infrastructure, indicating a\r\ncomprehensive understanding of the target’s environment.\r\nThis incident highlights the importance of establishing resilient defense strategies against sophisticated threats –\r\nparticularly those posed by state-sponsored groups. A holistic approach to mitigating these threats combines\r\ncontinuous monitoring with proactive response mechanisms – including periodic and systematic threat hunts –\r\nalongside stringent traffic controls and system hardening practices for both legacy and public-facing devices. 
By\r\nembracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent\r\nthreat presented by state-sponsored groups.\r\nIntroduction\r\nIn late 2023, Sygnia responded to a cyber attack targeting a large organization. During the investigation, Sygnia\r\ndetermined that the threat actor exhibited behaviors like those of a China-nexus threat actor. This threat actor, which\r\nSygnia tracks as Velvet Ant, maintained access to the organization’s network for at least three years, and had succeeded in\r\ngaining a strong foothold, and intimate knowledge of the network.\r\nOver the course of the attack, the threat actor adeptly used various tools and techniques to infiltrate critical systems and\r\nobtain access to sensitive data. The prolonged period of the attack allowed the threat actor to familiarize itself with the\r\ncomplex network infrastructure, enabling it to conceal persistence mechanisms within overlooked areas. Although Sygnia\r\neventually ousted the threat actor from the network, the eradication process resembled a relentless game of cat-and-mouse.\r\nDespite Sygnia’s diligent efforts to remediate compromised systems and enhance visibility into hosts and network devices,\r\nthe threat actor resurfaced time and again through the use of dormant persistence mechanisms in unmonitored systems.\r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nPage 1 of 17\n\nThis blog describes the usage of one of those mechanisms, which included leveraging legacy servers and unpatched\r\nnetwork appliances.\r\nIt all began with PlugX\r\nThroughout the duration of the attack, one of Velvet Ant’s attack techniques was to hijack execution flow, by leveraging\r\ndifferent methods such as DLL search order hijacking, Phantom DLL loading and DLL side loading.  
\r\nSoon after starting the forensic investigation, Sygnia identified the various tools employed by the threat actor, determined\r\nthe scope of compromise, and formulated a remediation plan. The plan combined eradication, remediation, and visibility\r\nenhancement, which focused on the threat actor’s Tactics, Techniques and Procedures (TTPs).\r\nThe plan was executed successfully. Alerts that were configured to identify re-entry attempts were not triggered, and\r\nSygnia’s experts worked with the IT and security teams of the victim company to bolster overall security. However, the\r\nsuccess of the remediation and hardening efforts drove the threat actor to focus on legacy operating systems, targeting\r\nWindows Server 2003 systems on which the organization’s Endpoint Detection and Response (EDR) product was not\r\ninstalled, and logging was limited. The threat actor resumed activity by utilizing previously deployed malware that\r\nremained dormant for months in the victim environment. The malware was identified as PlugX, a well-known remote\r\naccess Trojan.\r\nPlugX has been used by multiple Chinese state sponsored groups since 2008. The tool is still widely deployed – although\r\nits successor, ShadowPad has been in use since 2015. PlugX was primarily designed to provide remote access to infected\r\nsystems. However, it has a modular plugin system, which provides attackers with a large set of additional capabilities that\r\ncan be utilized for nefarious purposes.  \r\nThe PlugX execution chain in this network consisted of three files: ‘iviewers.exe’, ‘iviewers.dll’ and ‘iviewers.dll.ui’. 
\r\n‘iviewers.exe’ is a legitimate application called ‘OLE/COM Object Viewer’, which is part of the Windows SDK.\r\n‘iviewers.dll’ is the malicious PlugX DLL loader, which is loaded by ‘iviewers.exe’ via DLL search order hijacking.\r\n‘iviewers.dll.ui’ contains the actual malicious payload, which is loaded by ‘iviewers.dll’.\r\nWhen ‘iviewers.exe’ is executed, these three files are copied to a sub-directory with a non-fixed name under\r\n‘C:\\ProgramData’ (or ‘C:\\Documents and Settings\\All Users\\Application Data’, on Windows Server 2003 systems), and\r\n‘iviewers.exe’ is installed as a Windows service. Afterwards, several ‘Svchost’ processes are launched, and code is\r\ninjected into them.\r\nFigure 1: Snippet from Sygnia’s Velocity XDR system, showing the three files that were created by the\r\nmalware on an infected system. The creation time of the files was manipulated by the malware and does not\r\nreflect the actual creation time.\r\nFigure 2: Snippet from VMRay sandbox, showing a process graph for an execution of ‘iviewers.exe’.\r\nThroughout the investigation, Sygnia acquired memory dumps of those ‘Svchost’ processes, which proved helpful in\r\ntracking the threat actor’s activities – especially on legacy servers, where logs were lacking. 
The memory dumps\r\ncontained harvested credentials and various commands executed by the threat actor.\r\nFigure 3: Snippet from a memory dump of an injected ‘Svchost’ process, showing credential harvesting.\r\nFigure 4: Snippet from a memory dump of an injected ‘Svchost’ process, showing part of a command that\r\nwas executed to scan an internal network segment.\r\nLateral Movement and C\u0026C\r\nWhen moving laterally to workstations installed with newer Windows versions, the threat actor consistently tampered with\r\nthe EDR product prior to installing PlugX. On one occasion, the threat actor attempted to disable the EDR product on a\r\ntarget workstation but failed, and then did not proceed to install PlugX. This demonstrates a high level of operational\r\nsecurity (OPSEC) awareness.\r\nImpacket, an open-source collection of Python classes, was used for lateral tool transfer, and to execute code remotely on\r\nhosts. Specifically, the threat actor employed Impacket’s wmiexec.py, a tool that utilizes the native Windows Management\r\nInstrumentation (WMI) to execute remote commands.\r\nFigure 5: Snippet from an MFT entry of a file created by WmiExec to store command output. This output\r\nbelongs to a ‘del’ command, which was executed to delete EDR anti-malware logs.\r\nThe PlugX C\u0026C address, 202.61.136[.]158, was also found in these memory dumps. This allowed the creation of\r\nnetwork-based detections, and assisted Sygnia in scoping the incident.\r\nFigure 6: Snippet from VirusTotal, showing that the malware’s C\u0026C IP address was identified as a PlugX\r\nC\u0026C server.\r\nThe ‘Svchost’ process launched by ‘iviewers.exe’ binds to a pre-configured local port and accepts TCP connections. 
It also\r\ncreates a new rule in the Windows firewall called ‘Network Discovery (SSDP-In)’, to allow these connections. This\r\nbehavior did not seem to be related to the C\u0026C mechanism, and its purpose was initially unclear.\r\nFigure 7: Snippet from Sygnia’s XDR system, Velocity, showing a Sysmon process creation event for a\r\n‘netsh’ command which was launched on a legacy file server by the injected ‘Svchost’ process to create a\r\nlocal firewall rule.\r\nThe purpose of the local firewall rule soon became clear, following a kill-switch operation that initiated a dramatic turn of\r\nevents.\r\nPlugX is Dead; Long Live PlugX\r\nEquipped with the forensic investigation findings, the Sygnia team again worked with the victim company to eradicate the\r\ndiscovered threats. Dozens of compromised hosts were re-imaged, many of the legacy servers were decommissioned,\r\nhundreds of indicators of compromise (IOCs) were blocked across the network, and all the known instances of threat actor\r\naccess to the network were eradicated.\r\nThe victim organization has a large network with complex architecture. The post-breach remediation plan designed by\r\nSygnia included prioritized tasks divided into immediate and mid-term recommendations. As a standard procedure, Sygnia\r\nenhanced the organization’s visibility, and established advanced monitoring based on the indicators of attack (IOA).\r\nSeveral days after eliminating Velvet Ant’s presence, the advanced monitoring capabilities that were deployed in the\r\nnetwork proved their value, as alerts were triggered when PlugX was deployed on newly-infected systems. Sygnia’s\r\ninvestigation team quickly analyzed the new infections and noticed a substantial difference in the memory dump acquired\r\nfrom the newly infected hosts – there was no external C\u0026C configured. 
This was puzzling; PlugX is a remote access tool\r\n– how can it be deployed without a C\u0026C server, and still be effective?\r\nAdditional forensic analysis revealed that the threat actor reconfigured PlugX to use an internal file server as its C\u0026C and\r\nchanneled traffic through that server. This defense evasion technique allowed the C\u0026C traffic to blend in with legitimate\r\ninternal network traffic.\r\nThis meant that the threat actor deployed two versions of PlugX within the network. The first version, configured with an\r\nexternal C\u0026C server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive\r\ninformation. The second version did not have a C\u0026C and was deployed exclusively on legacy servers.\r\nThis left us with unanswered questions. How did the threat actor control the legacy file server? And how did they manage\r\nto restore access to the organization despite the comprehensive remediation activities? To answer these questions, Sygnia’s\r\nincident response team set up additional network and host-based monitoring tools on the file server and closely monitored\r\nfor any suspicious activities.\r\nAs shown in figure 7, PlugX created a local firewall rule on compromised endpoints and listened on a high, random port\r\nnumber. On the file server, port 13742 was opened. Analyzing network connections to the file server identified an internal\r\nIP address communicating with it on the same port. The internal IP address belonged to an F5 load balancer.\r\nFigure 8: Snippet from Sygnia’s XDR system, Velocity, showing the network connection event from the F5\r\nload balancer to the file server on port 13742.\r\nThis load balancer was not part of previous remediation efforts, because it was not supposed to be operational in the\r\nproduction network. 
One team in the organization started deploying the F5 solution in the network a long time ago as part\r\nof a disaster recovery plan (DRP), but the project was never completed.\r\nF5 BIG-IP – The Perfect Place to Hide\r\nF5 BIG-IP appliances occupy a trusted position within the network architecture, often placed at the perimeter or between\r\ndifferent network segments. By compromising such a device, attackers can exert significant control over network traffic\r\nwithout arousing suspicion. Moreover, while organizations frequently gather logs from network devices, their attention is\r\npredominantly directed towards application-level logs such as traffic records and alerts. Unfortunately, operating system\r\nlogs are often overlooked, either due to vendor constraints or a lack of recognition regarding their significance. As a result,\r\na backdoor hidden within the F5 appliance can evade detection from traditional log monitoring solutions.\r\nThe compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load\r\nbalancing and local traffic management. These appliances were directly exposed to the internet, and both were\r\ncompromised.\r\nBoth F5 appliances were running an outdated, vulnerable operating system. The threat actor may have leveraged one of\r\nthe vulnerabilities to gain remote access to the appliances. However, visibility limitations hinder the ability to identify\r\nexactly how the appliances were compromised.\r\nForensic investigation of the appliances revealed a reverse SSH tunnel connection to the same C\u0026C IP address that was\r\npreviously blocked on the corporate firewalls during the eradication efforts. Since the appliances were not located behind\r\nthe main corporate firewall, the traffic was not blocked.\r\nFigure 9: Snippet showing the output of a ‘ps’ command executed on one of the F5 appliances. 
The threat\r\nactor created a reverse SSH tunnel to the C\u0026C with a user named ‘leo’.\r\nAnalyzing the active network connections on the F5, an established connection was observed between the appliance and\r\nthe file server, on the port PlugX was listening on. This complemented the analysis made on the file server itself (see\r\nfigure 8).\r\nFigure 10: Snippet from the output of a ‘netstat’ command executed on the F5 appliance, showing the\r\nconnection to the file server.\r\nFigure 11: Snippet extracted from Wireshark, showing that the traffic transmitted from the F5 appliances\r\nwas sent to port 13742 of the file server. This is the port that PlugX was listening on in this server.\r\nPivoting From the F5 Appliance\r\nThe figure below depicts the stages of the threat actor’s working flow.\r\n(1) The malware running on the device polls the C\u0026C server once an hour. After connecting to the C\u0026C server (2), the\r\nthreat actor sends commands to the compromised appliance, including for the creation of a reverse SSH tunnel (3). Once\r\nthe tunnel with the appliance is established, the threat actor connects to the file server that is infected with PlugX (4).\r\nThe PlugX instance on the compromised file server was used by the threat actor as an internal C\u0026C server. From this\r\nserver, the threat actor conducted reconnaissance activities and deployed additional instances of PlugX onto legacy servers\r\nby leveraging Impacket’s WmiExec (5).\r\nFigure 12: Diagram showing how the F5 appliance was leveraged by the threat actor as a persistent\r\nbeachhead, utilized to move laterally and execute remote commands on different servers. \r\nRecording the traffic between the F5 appliance and the file server revealed additional details about the threat actor’s TTPs,\r\nas the traffic was sent over SMB, and was not encrypted. 
The following figures show the interactive activities conducted\r\nby the threat actor prior to deploying additional PlugX instances.\r\nThe threat actor’s first step was to enumerate the active network connections on the targeted server:\r\nFigure 13: Snippet extracted from Wireshark, showing that the threat actor enumerated the active network\r\nconnections before moving laterally to additional servers.\r\nAfter selecting a new server for PlugX deployment, the threat actor listed files in different folders, presumably in order to\r\nchoose where to deploy the malware.\r\nFigure 14: Snippet from Wireshark showing how the threat actor enumerated additional legacy systems\r\nwithin the network by executing commands through WmiExec.\r\nThe threat actor then chose a folder, and leveraged WmiExec to transfer PlugX over SMB from the file server to the target\r\nserver.\r\nFigure 15: Snippet from Wireshark showing the iviewers PlugX variant being sent over SMB and saved into\r\nthe ‘C:\\tools\\’ folder.\r\nAdditional Malware on the F5 Appliances\r\nForensic analysis of the F5 appliances identified four binaries deployed by the threat actor:\r\n1. VELVETSTING – a tool that connects to the threat actor’s C\u0026C once an hour, searching for commands to execute.\r\nThe threat actor used the IP address 202.61.136[.]158:8443 as a C\u0026C and the commands were encoded with the\r\npassphrase ‘1qaz@WSXedc’. Once the tool received a command, it was executed via ‘csh’ (Unix C shell).\r\nFigure 16: Snippet showing the output of the ‘strace’ command, which monitored the ‘VELVETSTING’\r\nprocess. The malware tried to connect to the C\u0026C server on port 8443 every 3600 seconds (1 hour). Once\r\nthe connection was successful, the malware created a child process based on the commands it received from\r\nthe C\u0026C.\r\n2. 
VELVETTAP – a tool with the ability to capture network packets. The binary was executed on the F5 appliance\r\nwith the argument ‘mgmt’, which is the name of the internal NIC of the F5 device.\r\nFigure 17: Snippet from the output of an ‘ifconfig’ command, showing the ‘mgmt’ network interface on the F5\r\nappliance.\r\nTo maintain persistence on the F5 appliance, the threat actor added both VELVETSTING and VELVETTAP to the\r\n‘/etc/rc.local’ file. ‘rc.local’ is executed as part of the system’s startup process, which means that any commands or scripts\r\nlisted in it will be executed automatically whenever the system boots up.\r\nFigure 18: Snippet showing that the paths for VELVETSTING and VELVETTAP were added to the\r\n‘/etc/rc.local’ file by the threat actor.\r\n3. SAMRID – identified as ‘EarthWorm’, an open-source SOCKS proxy tunneller available on GitHub. The tool was\r\nutilized in the past by different Chinese state-sponsored groups, such as ‘Volt Typhoon’, ‘APT27’ and\r\n‘Gelsemium’. The tool was not running on the device at the time of investigation.\r\n4. ESRDE – a tool with similar capabilities to those of ‘VELVETSTING’, but with minor differences, such as using\r\nbash instead of ‘csh’. The tool was not running on the device at the time of investigation.\r\nA Note on Attribution\r\nThe attack described in this blog demonstrates a single attack flow of Velvet Ant, a threat actor that exhibited\r\ncharacteristics like those of a China-nexus state sponsored threat actor. These include but are not limited to target selection\r\n(industry and geo-location), clear definition of goals, targeting of network devices, exploitation of vulnerabilities, and a\r\ntoolset that includes the ShadowPad and PlugX malware families, and utilization of DLL side-loading techniques. 
The\r\nthreat actor was extremely persistent and remained active in the compromised network for about three years, despite\r\nseveral eradication attempts throughout that period.\r\nThe modus operandi of Chinese-nexus Intrusion Sets includes shared tools, infrastructure, and sometimes manpower – for\r\nexample via shared contractors. This mode of operation makes it difficult for Sygnia to attribute the attack to any\r\npreviously publicly-reported group. Moreover, the limited visibility available in the network prevents Sygnia from ruling out a\r\n‘false-flag’ operation conducted by a different Advanced Persistent Threat (APT) group.\r\nDefending Against Velvet Ant\r\nThe defense strategies presented below are designed to provide organizations with robust measures for countering threats\r\nrelated to C\u0026C and the malicious weaponization of legacy and edge devices, strengthening organizational cyber security\r\ndefenses and resilience against advanced persistent attacks.\r\nLimit outbound internet traffic: Outbound internet connections should be restricted across servers, workstations,\r\nand edge devices, to prevent attackers from maintaining access via Command and Control (C\u0026C) channels –\r\nsimilar to the tactic of utilizing the PlugX loader. Configure perimeter firewalls to allow only the necessary\r\noutbound connections, placing internet-facing devices such as load balancers behind these firewalls to prevent\r\ndirect public access.\r\nLimit lateral movement throughout the network: Performing lateral movement within networks is a technique\r\nfrequently employed by threat actors using tools like WmiExec. To mitigate this risk, it is essential to rigorously\r\ncontrol traffic over common management ports. These include SMB on port 445, RPC on port 135, WinRM on\r\nports 5985-5986, RDP on port 3389, and SSH on port 22. 
Access should be strictly limited to hosts with explicit\r\nauthorization. Although implementing such controls poses challenges in complex network environments, the\r\nsecurity benefits are substantial. Mitigation strategies may include deploying host-based firewalls, establishing\r\neffective network segmentation, and adopting cutting-edge microsegmentation technologies.\r\nEnhance security hardening of legacy servers: Prioritize decommissioning and replacement of legacy systems.\r\nTighten control over legacy servers, which are prime targets for cyberattacks due to their weaker defenses. Enhance\r\nsecurity by installing endpoint protection tools that support older systems such as Windows Server 2003, or using\r\nalternatives like Sysmon for comprehensive monitoring. Strengthen protections by limiting access to essential staff,\r\nenforcing strict network segmentation, and monitoring traffic to and from these servers. These steps considerably\r\nreduce the vulnerabilities inherent in older server infrastructures.\r\nMitigate credential harvesting: Implement Endpoint Detection and Response (EDR) systems for continuous\r\nmonitoring and interception of malicious actions. Ensure that EDR sensors are configured with anti-tampering\r\nfeatures, and are consistently operational and current, as attackers might attempt to neutralize or circumvent the\r\nsensors. Apply Protected Process Light (PPL) to LSASS, and activate Windows Credential Guard for credential\r\nsecurity.\r\nProtect public-facing devices: To improve the security of public-facing edge devices such as F5 BIG-IP load\r\nbalancers, it is essential to implement a proactive security strategy that includes external attack surface and asset\r\nmanagement, patch management, Intrusion Detection and Prevention Systems, and robust security and integrity\r\nmonitoring. 
Additionally, migration to cloud-based solutions such as SASE or cloud-native load balancers can\r\nreduce the risk of running vulnerable, exploitable edge devices. For comprehensive guidance on establishing such\r\ndefenses, refer to Sygnia’s blog “Defending Your Network Edge Against the Next Zero-Day Exploit”, which\r\noutlines key measures for enhancing the resilience of network edges against threats demonstrated by this threat\r\nactor, and other emerging threats.\r\nAppendix I: Indicators of Compromise\r\nValue Type Description \r\nd1e6767900c85535f300e08d76aac9ab  MD5  iviewers.exe \r\n4a0f328e7672ee7ba83f265d48a6077a0c9068d4  SHA1  iviewers.exe \r\n91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520  SHA256  iviewers.exe \r\n0d5abbe83e5eeb2cb79630caba3a33c7  MD5  iviewers.exe \r\nd80427c922db5fcd8cf490a028915485ff833666  SHA1  iviewers.exe \r\nd663b323d132a3c811bb53a48a686ea85c6bf8faeef3b48dfa93528be8f4133b  SHA256  iviewers.exe \r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nPage 12 of 17\n\nValue Type Description \r\n977a7e48f8b05c12249a28dbc4054d78  MD5  iviewers.exe.ui \r\n291bcceef6e03a9f4f0c524f1dd3a4b77d870cd8  SHA1  iviewers.exe.ui \r\n9a7a24b1c785b3c7c39f7e33e99897290165693dea1f46ed4f3c7919aef93928  SHA256  iviewers.exe.ui \r\n4cdeffe8c379e6b702f2d22160c59ccf  MD5  iviewers.exe.ui \r\nf07272762b322cea1d8cc0845718371f1af0bd4a  SHA1  iviewers.exe.ui \r\n75fa71e65344b61a80f0e598349b735912be39d04a7e2159748423bd860d3454  SHA256  iviewers.exe.ui \r\ndacfc13d17cda55e58fab7d66d5417d1  MD5  iviewers.exe.ui \r\n37d3665d3b803eeddfad245c0e96172b9c3e8a29  SHA1  iviewers.exe.ui \r\nbe852d7a59ba168d93eb975fbed652617046433e6fdc177d0087331f9a095f02  SHA256  iviewers.exe.ui \r\n74a6c8bb6fb08c68d0ff4a6efad64242  MD5  iviewers.exe.ui \r\n2c5d678948938de4d10095db35390c064305413c  SHA1  iviewers.exe.ui \r\n0acc25396ef78c00631c64df538678a323982115bafbfa7487a4370d4b4129ac  SHA256  iviewers.exe.ui \r\ncefbb71fd132df7fb913ec747080da7c  MD5 
 iviewers.exe.ui \r\n6003f8042d375ec5c6d56a1d6e363e2d2cc9eb67  SHA1  iviewers.exe.ui \r\n859c823eb3e7420e0db234ba224764faa62d391bddd25e9ad415b11d853741f9  SHA256  iviewers.exe.ui \r\nababde83c740651f014d9671d4dab557  MD5  iviewers.exe.ui \r\n1fc7b986e55f116d92e77e3b2bee86b720ffa155  SHA1  iviewers.exe.ui \r\n9b9d2da73b510276d38d1698f3b87671958e338b40230e6a004ccaf3dcceb03b  SHA256  iviewers.exe.ui \r\nad2d2126fe198b35a657804c7cbbf84f  MD5  iviewers.exe.ui \r\n0b400eb4451c3148fa48bc72cb8a84fdcf4461d3  SHA1  iviewers.exe.ui \r\nb4d71b0ac0bc1495789501f9afce6f950b601a36c0836534294640f2db6b2f40  SHA256  iviewers.exe.ui \r\n654349edf1ac14dabce9bec435f06f98  MD5  iviewers.exe.ui \r\n49d2e3dfabd21ed4a11c6fca6236ced7b17fa97e  SHA1  iviewers.exe.ui \r\n3a6a5b1d76dfcac5920e6e9163c08543304ba013425eb2c2e64071b15d26996e  SHA256  iviewers.exe.ui \r\n113779c96c005ac50729462ec1b81f96  MD5  iviewers.exe.ui \r\ne6bd682c47f1a9d564f45a54427100b42e19d2e9  SHA1  iviewers.exe.ui \r\nbdf8a8c7f0298484dc95895dbddf367689ca361618453597129343838b94debb  SHA256  iviewers.exe.ui \r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nPage 13 of 17\n\nValue Type Description \r\n0b0b592ec201605503b4a245f024b37c  MD5  iviewers.exe.ui \r\nfc06519154e3a4b28fe16606dec05ec02dd2f647  SHA1  iviewers.exe.ui \r\n7c9336afd7530576b6a0f2e978b36955e8f264fee429d810309ce157a4918aaa  SHA256  iviewers.exe.ui \r\n7266fb2e71fc97036ad642fb592d3444  MD5  iviewers.exe.ui \r\nca7331e0c8dda90054eb941a2fdd0cc943a04fc4  SHA1  iviewers.exe.ui \r\nc456747731141c2ea0f8e69f89193e8bb823da4667527fe90b614b97f1d425ae  SHA256  iviewers.exe.ui \r\nc5af1894f9806fafc6eae449a4021362  MD5  iviewers.exe.ui \r\n61a382b2139512f8c816ceae93ec823c88bd6eed  SHA1  iviewers.exe.ui \r\n55d6c4a95b5172ea47381ab66ea9ea37fa0afb53b9bb10a1d752ac4acc8f6cd4  SHA256  iviewers.exe.ui \r\n52692f03f7c14bc6a6bd35679beb7fab  MD5  iviewers.exe.ui \r\n8e722b2c6b114b69bd71c37759dc3410a32b7594  SHA1  iviewers.exe.ui 
\r\n527df166af23cd0d139ebad9d219f125137b5a7b619fa50e5e245ccaf8c0b7d6  SHA256  iviewers.exe.ui \r\nb9a46c2960ddbece1a5fc4db1a810d92  MD5  iviewers.exe.ui \r\n35e0cbec56e6ad052c3cf53a052b254490995453  SHA1  iviewers.exe.ui \r\n4965f809b71ffb71fe8456d88dcd0a80a99fa6aa4ffd6ba96e1a1d810d41bbd0  SHA256  iviewers.exe.ui \r\n805fa6261f5fb268e56fd9f11fd13e01  MD5  iviewers.exe.ui \r\n7dc223a47fa35011d9e5ed8ef0bbeaf7bd08500f  SHA1  iviewers.exe.ui \r\nb5aa86fd97624a317945d110541a07fc80b83dd960fbf16642720fc275d8f04f  SHA256  iviewers.exe.ui \r\nf0293d80323383dcb494b12ceb313105  MD5  iviewers.exe.ui \r\n0667f44b8dc20d0d1b8f1a5c2fe2f8011204664b  SHA1  iviewers.exe.ui \r\n9092cdd52109531f9f58c28bda25b0c3f82d9bd2d261ce5fcb0137873dbb0868  SHA256  iviewers.exe.ui \r\n3e32bcdc16db8baf98065b29faeaa18d  MD5  iviewers.exe.ui \r\n86a219232410f236665c51854425fbe5e37b07b3  SHA1  iviewers.exe.ui \r\nbcbc3184756a6cacfd5ca2b879708cfd015e84050c9b9ede096cfb70282f870c  SHA256  iviewers.exe.ui \r\n5312ba28ce0105cf4563279508bf83fa  MD5  iviewers.exe.ui \r\n3faf065a9987ade102f20dd1ac6b857c7c191b97  SHA1  iviewers.exe.ui \r\nfebe116a87860e42bbcfd7c6e2c710446f33bdacc56e990f69493837c01f1059  SHA256  iviewers.exe.ui \r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nPage 14 of 17\n\nValue Type Description \r\nd8a1805843925a0394d64d1574b15388  MD5  iviewers.exe.ui \r\n2b3b897dd7ef6a54bc038a9afc9d79d5989b6c5f  SHA1  iviewers.exe.ui \r\n7e118a6c4d6f162d8c6a53faf972bd3e675da7f9d0a0b67a1988b4e2102ebb53  SHA256  iviewers.exe.ui \r\nf26edb1d8a61d6bee6da5b5214cce77e  MD5  iviewers.exe.ui \r\n44e2b73f6f5ec010681cb1fa5681ca0903f0a080  SHA1  iviewers.exe.ui \r\ncc48a02f06066a37c90d063b6d28ae17d9503e4ba6df69aef1b55b5fa5a5ff48  SHA256  iviewers.exe.ui \r\n9003d7c01c4f2b2e2632a86815eb40a2  MD5  iviewers.exe.ui \r\nddb59cf25b40273ef0f394c6f164923b6872d7cf  SHA1  iviewers.exe.ui \r\n562974ea1325a88c916a55719fb9263eb6c710ba281fdee4ba7e9a98a3f4a5a8  SHA256  iviewers.exe.ui 
\r\nad9267c5c64390d1ed2d6cfa498b5339  MD5  iviewers.dll \r\n1f2e03650afbbd10b9cff21116b7b8d9b192cee3  SHA1  iviewers.dll \r\n92b2535373e55b16b6f3b2d134a1d5545e837d3c19fff4cead4e92558e302b6e  SHA256  iviewers.dll \r\nc5a873b83798a7ad21990eff4c90cb98  MD5  iviewers.dll \r\n3a5ea30f0ff6928a26c4e67352d0adf44dd978da  SHA1  iviewers.dll \r\na9556cc05422cae960e36f76eeff7168b8e3cfeb16a20855a93d4f2ed4a65a8b  SHA256  iviewers.dll \r\n9f128f604a3e57a92381457e6552f886  MD5 \r\nVELVETSTING\r\n(PMCD) \r\nef22dfed358bf35f702af4a14f7a646375123e05  SHA1 \r\nVELVETSTING\r\n(PMCD) \r\n821d0cdc3e8a735976045ecb1afd1c0170bf39701d2da118b9533a45383a9ebe  SHA256 \r\nVELVETSTING\r\n(PMCD) \r\nd8958e44fa0499a5fbde99b71207184b  MD5 \r\nVELVETTAP\r\n(MCDP) \r\n553674972e59e7b37a63d19556152b13bf785d71  SHA1 \r\nVELVETTAP\r\n(MCDP) \r\n436f35dc69bbe7cb8cf5430b52c3aedace099730245de57e004dc1f6531ae262  SHA256 \r\nVELVETTAP\r\n(MCDP) \r\n2666a1f1f38ba3bd261c908f14d588c7  MD5  ESRDE \r\n0e7c4f374009ff3e264d299dfc1c279bff5b6b4b  SHA1  ESRDE \r\nhttps://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/\r\nPage 15 of 17\n\nValue Type Description \r\n13f3c05cc348ecb47c4e86d1fb522fdf499a6fb23e0cc6370f4618137f055b04         SHA256  ESRDE \r\nd313dd345d5ea37bc1c431a53d1af91d  MD5  SAMRID \r\nbaaa29799bdbb6c1f3fc70e25c0aee4b033fefc8  SHA1  SAMRID \r\n3d9aaac0a8e5c7eadd79d8d5c16119d04f4e9db7107fc44a1e32a8746a1ec375         SHA256  SAMRID \r\n202.61.136[.]158  \r\nIP\r\nAddress \r\nC\u0026C \r\n103.138.13[.]31  \r\nIP\r\nAddress \r\nC\u0026C \r\nAppendix II: MITRE ATT\u0026CK Matrix Mapping\r\n1. Initial Access\r\n1. T1133 – External Remote Services\r\n2. Execution\r\n1. T1047- Windows Management Instrumentation\r\n2. T1059.008 – Command and Scripting Interpreter: Network Device CLI\r\n3. T1569.002 – System Services: Service Execution\r\n3. Persistence\r\n1. T1037.004 – Boot or Logon Initialization Scripts: RC Scripts\r\n2. T1133 – External Remote Services\r\n3. 
T1078.002 – Valid Accounts: Domain Accounts\r\n4. T1078.003 – Valid Accounts: Local Accounts\r\n4. Privilege Escalation\r\n1. T1078.002 – Valid Accounts: Domain Accounts\r\n5. Defense Evasion\r\n1. T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking\r\n2. T1562.004 – Impair Defenses: Disable or Modify System Firewall\r\n3. T1055 – Process Injection\r\n4. T1070.006 – Indicator Removal: Timestomp\r\n5. T1036.005 – Masquerading: Match Legitimate Name or Location\r\n6. Credential Access\r\n1. T1003.001 – OS Credential Dumping: LSASS Memory\r\n7. Discovery\r\n1. T1087.002 – Account Discovery: Domain Account\r\n2. T1083 – File and Directory Discovery\r\n3. T1135 – Network Share Discovery\r\n4. T1018 – Remote System Discovery\r\n5. T1082 – System Information Discovery\r\n6. T1016 – System Network Configuration Discovery\r\n7. T1040 – Network Sniffing\r\n8. Lateral Movement\r\n1. T1021.002 – Remote Services: SMB/Windows Admin Shares\r\n2. T1021.004 – Remote Services: SSH\r\n3. T1570 – Lateral Tool Transfer\r\n9. Collection\r\n1. T1039 – Data from Network Shared Drive\r\n10. Command and Control\r\n1. T1572 – Protocol Tunneling\r\n2. T1090.001 – Proxy: Internal Proxy\r\n3. T1132.001 – Data Encoding: Standard Encoding\r\n4. T1071.001 – Application Layer Protocol: Web Protocols\r\n11. Exfiltration\r\n1. T1048 – Exfiltration Over Alternative Protocol\r\nIf you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at\r\ncontact@sygnia.co or our 24-hour hotline +1-877-686-8680.\r\nThis advisory and any information or recommendation contained here has been prepared for general informational\r\npurposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to\r\nany entity. 
While we have made attempts to ensure the information contained herein has been obtained from reliable\r\nsources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly.\r\nSygnia is not responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This\r\nadvisory is provided on an as-is basis, and without warranties of any kind.\r\nSource: https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/"
	],
	"report_names": [
		"china-nexus-threat-group-velvet-ant"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "822063cf-d9bd-499a-9715-70d95881378f",
			"created_at": "2025-04-23T02:00:55.295207Z",
			"updated_at": "2026-04-10T02:00:05.254566Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [
				"Velvet Ant"
			],
			"source_name": "MITRE:Velvet Ant",
			"tools": [
				"PlugX",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0c0d8f44-d131-41c8-a693-efb687e777f1",
			"created_at": "2024-06-20T02:02:10.211899Z",
			"updated_at": "2026-04-10T02:00:04.962606Z",
			"deleted_at": null,
			"main_name": "Velvet Ant",
			"aliases": [],
			"source_name": "ETDA:Velvet Ant",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"ESRDE",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"SAMRID",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"VELVETSTING",
				"VELVETTAP",
				"XShellGhost",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775792178,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf51163a42693d321ec54fbde193a7c243a0b976.pdf",
		"text": "https://archive.orkl.eu/cf51163a42693d321ec54fbde193a7c243a0b976.txt",
		"img": "https://archive.orkl.eu/cf51163a42693d321ec54fbde193a7c243a0b976.jpg"
	}
}