{
	"id": "9c882d33-b0d8-4243-8e44-a998d37a1348",
	"created_at": "2026-04-06T00:10:49.467228Z",
	"updated_at": "2026-04-10T03:37:54.489043Z",
	"deleted_at": null,
	"sha1_hash": "e3f5f0ff36f1407c4b41fc83488862cfb8059f1f",
	"title": "Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102489,
	"plain_text": "Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon\nArchived: 2026-04-05 21:09:04 UTC\nAPT group: Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon\nNames\nKe3chang (FireEye)\nVixen Panda (CrowdStrike)\nAPT 15 (Mandiant)\nGREF (SecureWorks)\nBronze Palace (SecureWorks)\nBronze Davenport (SecureWorks)\nBronze Idlewood (SecureWorks)\nCTG-9246 (SecureWorks)\nPlayful Dragon (FireEye)\nRoyal APT (NCC Group)\nNickel (Microsoft)\nBackdoorDiplomacy (ESET)\nPlayful Taurus (Palo Alto)\nMetushy (?)\nSocial Network Team (?)\nNylon Typhoon (Microsoft)\nFlea (Symantec)\nRed Vulture (PWC)\nPurpleHaze (SentinelOne)\nG0004 (MITRE)\nG0135 (MITRE)\nCountry: China\nSponsor: State-sponsored\nMotivation: Information theft and espionage\nFirst seen: 2010\nDescription\nKe3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more.\nObserved Sectors: Aerospace, Aviation, Chemical, Defense, Embassies, Energy, Government, High-Tech, Industrial, Manufacturing, Mining, Oil and gas, Telecommunications, Utilities and Uyghur communities.\nCountries: Afghanistan, Albania, Argentina, Barbados, Belgium, Bhutan, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, China, Colombia, Croatia, Czech, Dominican Republic, Ecuador, Egypt, El Salvador, France, Georgia, Germany, Ghana, Guatemala, Honduras, Hungary, India, Indonesia, Iran, Italy, Jamaica, Kazakhstan, Kuwait, Libya, Malaysia, Mali, Mexico, Montenegro, Namibia, Nigeria, Pakistan, Panama, Peru, Poland, Portugal, Saudi Arabia, Slovakia, South Africa, Sri Lanka, Switzerland, Syria, Trinidad and Tobago, Turkey, UAE, UK, USA, Uzbekistan, Venezuela.\nTools used\nBS2005, CarbonSteal, Cobalt Strike, DarthPusher, EarthWorm, EternalBlue, DoubleAgent, GoldenEagle, Graphican, HenBox, HighNoon, IRAFAU, Ketrican, Ketrum, Mimikatz, MirageFox, MS Exchange Tool, nbtscan, netcat, Okrum, PluginPhantom, PortQry, ProcDump, PsList, RoyalCli, RoyalDNS, SilkBean, Sinowal, SMBTouch, spwebmember, SpyWaller, TidePool, Turian, Winnti, XSLCmd, Living off the Land, EternalRocks and EternalSynergy.\nOperations performed\n2010\nOperation “Ke3chang”\nAs the crisis in Syria escalates, FireEye researchers have discovered a cyber espionage campaign, which we call “Ke3chang,” that falsely advertises information updates about the ongoing crisis to compromise MFA networks in Europe. We believe that the Ke3chang attackers are operating out of China and have been active since at least 2010. However, we believe specific Syria-themed attacks against MFAs (codenamed by Ke3chang as “moviestar”) began only in August 2013. The timing of the attacks precedes a G20 meeting held in Russia that focused on the crisis in Syria.\n\u003chttps://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf\u003e\nAug 2014\nForced to Adapt: XSLCmd Backdoor Now on OS X\n\u003chttps://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html\u003e\n2015\nThe Lookout Threat Intelligence team has discovered four Android surveillanceware tools, which are used to target the Uyghur ethnic minority group. Our research indicates that these four interconnected malware tools are elements of much larger mAPT (mobile advanced persistent threat) campaigns that have been active for years. Although there is evidence that the campaigns have been active since at least 2013, Lookout researchers have been monitoring the surveillanceware families — SilkBean, DoubleAgent, CarbonSteal and GoldenEagle — as far back as 2015.\nMay 2016\nLittle has been published on the threat actors responsible for Operation Ke3chang since the report was released more than two years ago. However, Unit 42 has recently discovered the actors have continued to evolve their custom malware arsenal. We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide. This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against India.\nMay 2017\nAttack on a company that provides a range of services to UK Government\nA number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology.\nDuring our analysis of the compromise, we identified new backdoors that now appear to be part of APT15’s toolset. The backdoor BS2005 – which has traditionally been used by the group – now appears alongside the additional backdoors RoyalCli and RoyalDNS.\n2017\nBackdoorDiplomacy: Upgrading from Quarian to Turian\nJun 2018\nOperation “MirageFox”\nThe malware involved in this recent campaign, MirageFox, looks to be an upgraded version of a tool, a RAT believed to originate in 2012, known as Mirage.\nMar 2019\nThe group continues to be active in 2019 – in March 2019, we detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It attacked the same targets as the backdoor from 2018.\nSep 2019\nNICKEL targeting government organizations across Latin America and Europe\nMay 2020\nIn mid May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples, “Ketrum”, due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.\nAug 2021\nBackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign\nApr 2022\nChinese Playful Taurus Activity in Iran\nLate 2022\nGraphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries\nOct 2024\nFollow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=110ed515-11db-4bf1-af41-a66f513ecf70",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=110ed515-11db-4bf1-af41-a66f513ecf70"
	],
	"report_names": [
		"showcard.cgi?u=110ed515-11db-4bf1-af41-a66f513ecf70"
	],
	"threat_actors": [
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ae281f0-886a-46ab-b413-e2db5c0f3142",
			"created_at": "2025-05-29T02:00:03.217545Z",
			"updated_at": "2026-04-10T02:00:03.869082Z",
			"deleted_at": null,
			"main_name": "PurpleHaze",
			"aliases": [],
			"source_name": "MISPGALAXY:PurpleHaze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"CTG-6119",
				"CTG-9246",
				"Ke3chang",
				"NICKEL",
				"Nylon Typhoon",
				"Playful Dragon",
				"Vixen Panda"
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434249,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3f5f0ff36f1407c4b41fc83488862cfb8059f1f.pdf",
		"text": "https://archive.orkl.eu/e3f5f0ff36f1407c4b41fc83488862cfb8059f1f.txt",
		"img": "https://archive.orkl.eu/e3f5f0ff36f1407c4b41fc83488862cfb8059f1f.jpg"
	}
}