{
	"id": "d16c45d5-8bda-4c0b-a1e2-cff3409086f7",
	"created_at": "2026-04-06T00:09:10.105629Z",
	"updated_at": "2026-04-10T03:33:56.177245Z",
	"deleted_at": null,
	"sha1_hash": "ea5a80ac99c581326dfc69794754fb544488d446",
	"title": "a long‑term attack against China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3325830,
	"plain_text": "a long‑term attack against China\r\nArchived: 2026-04-05 14:50:59 UTC\r\nVB2019 paper: A vine climbing over the Great Firewall: a long‑term attack against\r\nChina\r\nLion Gu \u0026 Bowen Pan\r\nQi An Xin Threat Intelligence Center, China\r\nAbstract\r\nIn this paper we will disclose details of a little-known APT group, PoisonVine, and its long history of\r\ncyberespionage activities lasting 11 years. The group is keen on Chinese entities and aims to harvest political and\r\nmilitary intelligence. Targets include government agencies, military personnel, research institutes and maritime\r\nagencies. The group has compromised multiple entities successfully and is still active in 2019. We will describe\r\nthe group’s campaigns in detail, including malware, vulnerabilities, infrastructure and TTP. Furthermore, we will\r\nshed light on the impact of the attacks and on actor attribution, thanks to mistakes made by the group when all\r\nstolen data, including profiles of victim machines and sensitive documents, was saved to cloud storage at the data\r\nexfiltration stage.\r\nIntroduction\r\nPoisonVine is a little-known Traditional Chinese-speaking APT group that was first disclosed in 2018 by Qi An\r\nXin Threat Intelligence Center [1, 2]. Starting in 2007, the PoisonVine group has carried out 11 years of\r\ncyberespionage campaigns against Chinese key units and departments, including national defence, government,\r\nscience and technology, education and maritime agencies. The group mainly targets the military industry, Sino-US\r\nrelations, cross-strait relations and ocean‑related fields.\r\nThe PoisonVine group obtained an established foothold by sending spear-phishing emails and delivering decoy\r\ndocuments, the contents of which were closely related to the target industry or field (for example, specific\r\nconference materials, research papers or announcements). 
They mainly used implants including publicly available\r\nRATs and custom trojans, such as ZxShell and Poison Ivy, and preferred to use cloud storage for the exfiltration of\r\nstolen information.\r\nBecause the group mainly uses Poison Ivy and cloud storage, making it similar to vines that can climb across a\r\nwall, we named it ‘PoisonVine’.\r\n11 years of campaigns\r\nhttps://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/\r\nPage 1 of 24\n\nThe earliest activities of PoisonVine were seen in December 2007, since when the group has been active for 11\r\nyears. We list some of the major events in the timeline below:\r\nIn December 2007, the trojan associated with the group was first discovered. Marine-related fields\r\n(suspected to be related to a large shipping company) were involved.\r\nIn March 2008, a key laboratory (a scientific research institute) at a university in China was attacked.\r\nIn February 2009, attacks against the military industry began (involving a well-known military journal).\r\nIn October 2009, the trojan added a special method for avoiding detection via static scanning: API string\r\nreverse order. The method was used in most versions of the trojan and continued to be used until 2018.\r\nIn December 2011, the trojan added a special method to combat dynamic detection (error API parameters).\r\nRelated methods were used in most versions of the trojan and continued to be used until 2015.\r\nIn February 2012, the first modified version of a backdoor based on ZxShell code was discovered. 
The key\r\nfunction was to steal document files such as .doc, .ppt, .xls and .wps.\r\nIn March 2013, intense attacks were conducted targeting the Chinese Academy of Sciences and a number\r\nof national ministries and commissions in the fields of science and technology, maritime affairs, etc.\r\nIn October 2013, a watering hole attack was carried out against a Chinese government website.\r\nIn May 2014, an evolved version of ZxShell was discovered. In addition to the functions of the\r\nprevious version, a search was added for keywords such as ‘military (军)’, ‘aviation (航)’ and ‘report (报告)’.\r\nOn 12 September 2014, events and samples related to CVE-2014-4114 (a zero-day vulnerability) were first\r\ndiscovered.\r\nOn 14 October 2014, iSIGHT Partners [3] released a report disclosing CVE-2014-4114. On the same\r\nday, Microsoft released the relevant security bulletin.\r\nOn 25 February 2015, an attack was detected against a military industry association (national defence\r\ntechnology) and the Chinese Academy of Engineering. Kanbox (酷盘) [4] samples were discovered.\r\nIn October 2017, a document exploiting CVE-2017-8759 was used in a spear‑phishing attack against a large media\r\nagency and an individual working in Quanzhou.\r\nIn April 2018, the Qi An Xin Threat Intelligence Center disclosed the group’s malicious code exploiting\r\nCVE-2017-8759 [1].\r\nIn May 2018, the actor launched attacks against several maritime organizations including ship‑building\r\ncompanies and port‑operating companies.\r\nIn April 2019, the Qi An Xin Threat Intelligence Center found new samples using an exploit for CVE-2018-20250\r\n[5] and JianguoYun cloud storage [6].\r\nCapabilities and cyber weapons\r\nPoisonVine has used publicly available RATs, custom trojans and several vulnerabilities in its activities. 
In this\r\nsection, we will analyse the group’s main capabilities and its cyber arsenal, including RATs, vulnerabilities and\r\ninfrastructure.\r\nRATs\r\nPoison Ivy\r\nThe Poison Ivy trojan is a remote access trojan (RAT); FireEye has published a dedicated analysis of it [7]. The\r\nPoison Ivy samples in this report correspond to version 2.3.2. The Poison Ivy Trojan Generator has had 10 releases\r\nstarting from version 1.0.0, the latest being 2.3.2, and it can generate both EXE and shellcode builds. The implants\r\nused in these campaigns are in shellcode form. Most of the related mutexes use the default value ‘)!VoqA.I4’.\r\nFigure 1: Poison Ivy Trojan Generator.\r\nThe Poison Ivy trojan decrypts the shellcode using two rounds of a single-byte XOR operation.\r\nFigure 2: Decrypting the shellcode using a single-byte XOR operation.\r\nZxShell\r\nZxShell was used by PoisonVine continuously from December 2007 until October 2014. Because the relevant builds\r\ndiffer substantially, ZxShell can be regarded as existing in two versions: an internally circulated version and the\r\nopen-source version. The first is the ZxShell trojan used by PoisonVine from 2007 to 2012. The second is the ZxShell\r\ntrojan used by the group from 2012 to 2014; it was developed from the open-source code, so we call it the secondary\r\ndevelopment version. Both the internally circulated version and the open-source version are numbered 3.0. The\r\nformer was not widely publicized but is integrated with more features. 
The latter version’s source code is widely distributed, but functions present in the earlier version have been\r\nremoved. For a more detailed analysis of ZxShell, please refer to Cisco’s report [8].\r\nThe samples we captured are modifications of the ZxShell source code and retain its original structure. ZxShell\r\nitself supports more than 20 commands. The captured samples keep some of these but drop a large number of others,\r\nsuch as install/start-up, cloning a system account, shutting down the firewall, port scanning and proxy serving,\r\nand add an ‘IEPass’ command.\r\nFigure 3: The IEPass command.\r\nKanbox RAT\r\nKanbox RAT is a customized tool developed by the group. It is usually disguised with a folder icon. After\r\nexecution, it drops the ‘svch0st.exe’ trojan file together with a normal folder and a ‘.doc’ file to mislead the\r\nuser.\r\n‘svch0st.exe’ is a trojan that communicates over SSL. Every hour it runs its collection routines, which pack and\r\nupload information about the computer (including: file directory, system version, network card information, process\r\nlist information, specified packaged files, network information and disk information), as well as files whose names\r\ncontain related keywords (such as ‘Taiwan’, ‘Army’ and ‘War’ in Chinese), over SSL to a Kanbox account that the\r\nattacker registered in advance.\r\nThe C\u0026C address is a Kanbox address. Files are uploaded via the API provided by Kanbox. 
Kanbox is a\r\nfree cloud service in China which provides online file storage.\r\nFigure 4: The file is uploaded via the API provided by Kanbox.\r\nFigure 5: Kanbox.\r\nCustom shellcode loader\r\nWe discovered this custom shellcode loader in early 2018. The loader is delivered by a malicious HTA file, which\r\ndownloads and executes the PE implant.\r\nFigure 6: Custom shellcode loader.\r\nFigure 7: Malicious HTA file.\r\nFrom the ‘SCLoaderByWeb’ string in the implant file, we believe, going by its literal meaning, that the actor built it\r\nas a shellcode loader.\r\nThe loader first tries to connect to a common URL to check network connectivity. If there is no connection, it\r\nretries every five seconds until the network is reachable. It then downloads the payload from\r\nhxxp://updateinfo.servegame.org/tiny1detvghrt.tmp, as shown in Figure 8.\r\nFigure 8: The loader program.\r\nThe downloaded file is decrypted with several rounds of single-byte XOR. In the sample shown in Figure 9 the round\r\nkeys are 0xac, 0x5c and 0xdd; because single-byte XOR rounds compose, this is equivalent to a single XOR with 0x2d\r\n(0xac ^ 0x5c ^ 0xdd = 0x2d). 
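The composition property behind this, as an added example that is not part of the original paper or the actor’s code: the script applies the three round keys from Figure 9 in sequence, shows that they collapse to a single XOR with 0x2d, and recovers that effective key from a two-byte known-plaintext prefix without knowing how many rounds were used. The sample payload is constructed here and is not a real sample; the function names are the example’s own.

```python
from functools import reduce

# Round keys read from the loader in Figure 9; they compose to a single byte.
LOADER_ROUND_KEYS = (0xAC, 0x5C, 0xDD)


def compose_xor_keys(keys):
    # Single-byte XOR rounds commute, so n rounds collapse to k1 ^ k2 ^ ... ^ kn.
    return reduce(lambda a, b: a ^ b, keys, 0)


def xor_single(data, key):
    return bytes(b ^ key for b in data)


def xor_rounds(data, keys):
    # Apply each single-byte round in turn, exactly as the loader does.
    out = bytes(data)
    for key in keys:
        out = xor_single(out, key)
    return out


def decrypt_loader_payload(blob, keys=LOADER_ROUND_KEYS):
    # XOR is its own inverse, so decryption repeats the same rounds.
    return xor_rounds(blob, keys)


def recover_effective_key(blob, known_prefix=b'MZ'):
    # Because any number of single-byte rounds collapses to one byte, two bytes of
    # known plaintext (here a PE header) recover the effective key without knowing
    # how many rounds were applied or what their individual keys were.
    for key in range(256):
        if xor_single(blob[:len(known_prefix)], key) == known_prefix:
            return key
    return None


def classify_blob(blob):
    # Cheap sanity check on a decrypted blob: PE image, printable text, or unknown.
    if blob[:2] == b'MZ':
        return 'pe'
    if blob and all(32 <= b < 127 for b in blob):
        return 'text'
    return 'unknown'


# Constructed sample: a fake PE-looking payload encrypted with the three round keys.
PLAINTEXT = b'MZ' + bytes(range(0x40, 0x60))
ENCRYPTED = xor_rounds(PLAINTEXT, LOADER_ROUND_KEYS)

if __name__ == '__main__':
    effective = compose_xor_keys(LOADER_ROUND_KEYS)
    print('effective key: 0x%02x' % effective)
    print('recovered key: 0x%02x' % recover_effective_key(ENCRYPTED))
    print('decrypted as:', classify_blob(decrypt_loader_payload(ENCRYPTED)))
```

On a real sample, feed the downloaded .tmp bytes to decrypt_loader_payload when the round keys are known, or to recover_effective_key followed by xor_single when they are not, and check the result with classify_blob before handing it to a shellcode emulator.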
After\r\ndecryption, the file is executed in a newly created thread.\r\nFigure 9: Each round of the XOR key is 0xac, 0x5c, 0xdd; the result is equivalent to XOR 0x2d.\r\nThe shellcode is generated by the Poison Ivy RAT.\r\nVulnerabilities\r\nCVE-2012-0158\r\nCVE-2012-0158 is a vulnerability that could allow remote code execution if the attacker convinces a user to open a\r\nspecially crafted document. CVE-2012-0158 is typically exploited in the RTF and DOC formats, but the PoisonVine\r\ngroup saved the exploit document in MHT format, which helps it avoid detection by anti-virus engines.\r\nFigure 10: The exploit document.\r\nCVE-2014-6352\r\nCVE-2014-6352 is an OLE code execution vulnerability that bypasses the patch for CVE‑2014‑4114, a Windows OLE\r\npackage manager code execution vulnerability that was exploited in the wild by the Sandworm APT group and reported\r\nby iSIGHT Partners. CVE-2014-4114 is exploited by executing an INF file via a crafted OLE object in a PPSX document.\r\nThe patch for CVE-2014-4114 added a ‘MarkFileUnsafe’ function, which sets the security zone of a file that came from\r\na remote computer to URLZONE_INTERNET so that the user is warned when the file executes. The CVE-2014-6352 exploit\r\ninstead opens an executable file embedded directly in the PowerPoint document, without an INF file, which is how it\r\nbypasses the patch.\r\nWe found the PoisonVine group using CVE-2014-6352 as a 0-day. 
Related samples are listed below.\r\nSample 1\r\nMD5: da807804fa5f53f7cbcaac82b901689c\r\nSHA256: 5e4a081a63f0122328e75cae991a19b3ae25af9c68bccf4ae514ce972ef2148d\r\nFilename: 指挥控制专委会评审责任书.ppsx\r\nSample 2\r\nMD5: 19f967e27e21802fe92bc9705ae0a770\r\nSHA256: e99f089bf209d5caea948f424881cbf6652658b973a5b97dbb59db6e03e8c907\r\nFilename: 南海课题项目建议书.ppsx\r\nThe earliest exploitation document we found, named ‘指挥控制专委会评审责任书.ppsx’ in Chinese, dates from 4 September\r\n2014 based on its creation date. The first activities were captured on 12 September 2014.\r\nFigure 11: The exploitation document named ‘指挥控制专委会评审责任书.ppsx’.\r\nCVE-2017-8759\r\nWe found several malicious HTA files on one of the remote servers used by the PoisonVine group. The content of\r\nthe HTA file is shown in Figure 12.\r\nFigure 12: The content of the HTA.\r\nWe recognize these as exploits of CVE-2017-8759, so we believe the PoisonVine group also built a malicious document\r\nthat exploits CVE-2017-8759. After the vulnerability is triggered, mshta.exe fetches and executes the remote HTA file.\r\nThe HTA file is an HTML page with malicious VBS code embedded. The VBS code calls PowerShell to download the\r\nsubsequent exe loader.\r\nFigure 13: An HTML page with malicious VBS code embedded.\r\nInfrastructures\r\nThe PoisonVine group preferred to use dynamic domain services and cloud storage for C\u0026C and data exfiltration.\r\nDynamic domain services\r\nThe group used several DDNS services. 
The table below lists the number of domains per service provider.\r\nChangeIP and No-IP are the group’s preferred choice.\r\nDDNS service provider: domains\r\nChangeIP: 30\r\nNo-IP: 9\r\nDynDNS: 2\r\nAfraid (FreeDNS): 1\r\ndnsExit: 1\r\nDisguised legitimate websites\r\nThe group used domains that mimicked those of legitimate Chinese websites to confuse their victims. They chose\r\ngovernment websites, email service providers and the sites of some anti-virus software.\r\nC\u0026C domains and the legitimate websites they mimic:\r\nchinamil.lflink.com: website of the Chinese military (www.chinamil.com.cn)\r\nsoagov.sytes.net, soagov.zapto.org, soasoa.sytes.net: State Oceanic Administration (www.soa.gov.cn)\r\nxinhua.redirectme.net: Xinhua News (www.xinhuanet.com)\r\n126mailserver.serveftp.com, mail163.mypop3.net: popular mail service providers in China (126.com, 163.com)\r\nkav2011.mooo.com, safe360.dns05.com, cluster.safe360.dns05.com, rising.linkpc.net: Chinese anti-virus software\r\nCloud storage\r\nIn previous activities, we found two samples that used Kanbox, a Chinese cloud storage service provider, for data\r\nexfiltration. The Kanbox credentials embedded in the two samples were:\r\nSample 1\r\nclient_id: 3edfe684ded31a7cca6378c0226f5629\r\nclient_secret: bfa89eebf29032076e9cffb75549fee5\r\nrefresh_token: 75cdc35b1cdaee24047f3afb23a5ccce\r\nSample 2\r\nclient_id: 7a5691b81bf4322fd88f5fa99407fbbc\r\nclient_secret: d44cfa7dd3c852b69c59efacf766cc23\r\nrefresh_token: 14b6685330bf32a22688910e765b5dce\r\nBy using the token and the Kanbox API we can retrieve the registration information, which contains a telephone\r\nnumber:\r\n{\"status\":\"ok\",\"email\":\"\",\"phone\":\"15811848796\",\"spaceQuota\":1700807049216,\"spaceUsed\":508800279,\"ema\r\nThird-party blogger\r\nThe PoisonVine group also used 
blogging services for payload transmission. In their previous activities they used\r\nSina, a popular blogging service in China. By using a blogging service and hiding malicious code in the\r\nblog content, the actor can penetrate target organization networks without triggering a firewall alert.\r\nFigure 14: Malicious code hidden in blog content.\r\nTactics, techniques and procedures\r\nThe PoisonVine group used spear-phishing emails to deliver decoy documents or an executable payload.\r\nThe content of the email and the attached file appear legitimate enough to deceive the targeted victim. If the target\r\nopens the attached file, a vulnerability is triggered and the payload is executed. In this way the actor gains\r\ninitial access to target networks.\r\nFigure 15: The content of the email.\r\nFigure 16: The attached file.\r\nFigure 17: Payloads executed.\r\nThe actor also used the RLO (right-to-left override) character, appended a number of spaces to the end of the\r\nfilename, and disguised the file with a legitimate-looking icon such as a folder or Office document. These techniques\r\nhide the real file extension and mislead the target victim.\r\nFigure 18: The actor also used RLO and appended a number of spaces to the end of the file name.\r\nThe implanted RATs used several techniques to evade detection. One is to store API names in reverse order.\r\nWhen the trojan executes, the reversed string is restored to the normal API name by the ‘_strrev’\r\nfunction, and ‘GetProcAddress’ is called to obtain the API address dynamically. Reversed API strings defeat\r\nnaive string-based detection. 
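Static triage for the two tricks described above (RLO/padded filenames and reversed API strings), as an added example that is not the paper’s or the actor’s code: it reports what a filename displays versus what Windows will execute, and finds reversed API names in a byte blob as they sit on disk before _strrev restores them at run time. The filenames, byte blob and API list are constructed for the example; the function names are the example’s own.

```python
import re

RLO = chr(0x202E)  # RIGHT-TO-LEFT OVERRIDE, written as a code point so it stays visible
EXECUTABLE_EXTS = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'hta', 'lnk'}

# API names droppers commonly resolve at run time; extend the list for your own hunts.
API_NAMES = [
    'GetProcAddress', 'LoadLibraryA', 'VirtualAlloc', 'VirtualProtect',
    'CreateThread', 'WriteProcessMemory', 'CreateRemoteThread', 'InternetOpenA',
    'InternetOpenUrlA', 'URLDownloadToFileA', 'WinExec', 'CreateProcessA',
]


def displayed_name(name):
    # Approximates what a bidi-aware file browser shows: text after the RLO is mirrored.
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def analyse_filename(name):
    # Compares how a name renders with what Windows will actually execute.
    real_ext = name.rsplit('.', 1)[-1].lower() if '.' in name else ''
    findings = []
    if RLO in name:
        findings.append('rlo')
    # A long run of spaces before the final extension pushes it out of the visible column.
    if re.search(' {5,}[.][A-Za-z0-9]{1,4}$', name):
        findings.append('padded_extension')
    if real_ext in EXECUTABLE_EXTS:
        findings.append('executable')
    return {
        'displayed': displayed_name(name),
        'real_extension': real_ext,
        'findings': findings,
        # An executable is only flagged here when it is also disguised.
        'suspicious': 'executable' in findings and len(findings) > 1,
    }


def find_reversed_api_strings(blob, api_names=API_NAMES):
    # Finds API names stored reversed on disk (what _strrev undoes at run time), with offsets.
    hits = []
    for api in api_names:
        needle = api[::-1].encode('ascii')
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, api))
            start = idx + 1
    return sorted(hits)


# Constructed samples for the example, not files from the campaign.
SAMPLE_NAMES = [
    'conference_agenda.doc',
    'review_report' + RLO + 'cod.exe',
    'proposal.doc' + ' ' * 40 + '.scr',
]
SAMPLE_BLOB = b'junk' + b'sserddAcorPteG' + b'....' + b'collAlautriV' + b'tail'

if __name__ == '__main__':
    for n in SAMPLE_NAMES:
        r = analyse_filename(n)
        print(repr(r['displayed']), r['real_extension'], r['findings'], r['suspicious'])
    print(find_reversed_api_strings(SAMPLE_BLOB))
```

The offsets returned by find_reversed_api_strings are what you would turn into YARA strings: match on the reversed names themselves, since that is what is present in the file, not the restored names the analyst sees in a debugger.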
In addition, because the API address is resolved dynamically\r\nat run time, the API does not appear in the PE’s static import information, which makes API-based detection harder.\r\nThis technique is known to have been used between 2009 and 2018.\r\nFigure 19: API names are reversed.\r\nAnother way to evade detection systems is to pass a wrong parameter to the ‘GetClientRect’ function. The first\r\nparameter of GetClientRect is the handle of the target window. The trojan passes 0 to GetClientRect, which always\r\nfails on a real Windows system and returns 0. At present, many anti-virus solutions use dynamic scanning (mostly in\r\nheuristic detection). Their emulation of GetClientRect does not model invalid parameters, so the emulated call\r\nalways succeeds and returns a non-zero value. 
In this way, the trojan can distinguish the anti-virus\r\nsoftware’s virtual environment from the user’s real system and bypass anti-virus detection.\r\nFigure 20: Another way to evade detection systems is to pass the wrong parameter to ‘GetClientRect’.\r\nAfter the RATs are implanted on the target endpoint, information is collected from the local system, including the\r\nMAC address, operating system version, host name, user name, process list, disk volume information, and so on.\r\nThey also scan for document files whose names contain hard‑coded keywords, such as ‘military (军)’,\r\n‘international (国际)’, ‘Taiwan (对台)’, ‘technology (科技)’ and ‘national (国)’ (see Figure 21).\r\nFigure 21: Hard-coded keywords.\r\nThe following is a list of MITRE ATT\u0026CK techniques we have observed based on our analysis of the PoisonVine\r\ngroup.\r\nT1193 Spearphishing Attachment\r\nT1203 Exploitation for Client Execution\r\nT1204 User Execution\r\nT1170 Mshta\r\nT1064 Scripting\r\nT1102 Web Service\r\nT1022 Data Encrypted\r\nT1005 Data from Local System\r\nData exfiltration and impact\r\nThe PoisonVine group used cloud storage to store the exfiltrated data, and the access token was embedded in the\r\nimplant. This is helpful for security researchers investigating the exfiltrated data and the real impact of the attack\r\non the victims.\r\nThe actor only used a simple XOR function to encrypt the uploaded data. After recovering the token by reversing the\r\nRAT samples, we were able to access the full data set, at least 3GB uncompressed. 
Most of the\r\ndata consists of documents relating to the logged-in user or data belonging to installed programs.\r\nFigure 22: We were able to access the full data.\r\nWe discovered that the actor used another cloud storage service, named JianGuoYun, in its recent activity, both for\r\ntests and for exfiltration.\r\nFigure 23: The actor recently used another cloud storage service named JianGuoYun.\r\nBesides the data we mentioned, the actor also collects information about the target PC. The RATs collected\r\ninformation from the victim PC, including OS, process list, IP address, host name, user name, and so on.\r\nAttribution of the actor\r\nAttribution is always a problem for the security investigator. For the PoisonVine group, we found several pieces of\r\nevidence which could help identify the actor, including language, encoding and font. We found several\r\ncases of metadata written in Traditional Chinese in the payloads.\r\nFigure 24: We found several cases of metadata written in Traditional Chinese in payloads.\r\nThe default font in the decoy document is ‘PMingLiU’, a font used most commonly in Traditional\r\nChinese-speaking regions. Most of the names of the decoy documents relate to cross-strait relations in\r\nChina.\r\nFigure 25: The default font in the decoy document is ‘PMingLiU’.\r\nThe Whois information for one of the C\u0026C domains (javainfo.upgrinfo.com) is shown in Figure 26. The registrant\r\naddress is in New Taipei, Taiwan. 
The registrant name also appears to use the Wade–Giles romanization system.\r\nFigure 26: Whois information for javainfo.upgrinfo.com.\r\nConclusion\r\nGeopolitics is always a major motivation for cyberespionage. Based on the techniques it uses, we believe\r\nthat the PoisonVine group is not a sophisticated APT group. However, it has been active for 11 years and remains\r\nactive, and its purpose is to collect intelligence regarding national defence, the military, government, science and\r\ntechnology, education and so on.\r\nAcknowledgement\r\nWe acknowledge the 360 Core Security Team from Qihoo 360 for their cooperation in the analysis of and report\r\non the PoisonVine group, as well as the English version of the report [2, 9].\r\nReferences\r\n[1] APT Group (APT-C-01) New Utilization Vulnerability Sample Analysis and Association Mining (in Chinese).\r\n360 Threat Intelligence Center. https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/.\r\n[2] APT-C-01. https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf.\r\n[3] iSIGHT Partners. http://www.isightpartners.com/2014/10/cve-2014-4114/.\r\n[4] Kanbox. https://kanbox.com/.\r\n[5] RedDrip Team. https://twitter.com/RedDrip7/status/1118009381679878144.\r\n[6] Jianguoyun. https://www.jianguoyun.com/.\r\n[7] FireEye. POISON IVY: Assessing Damage and Extracting Intelligence. https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf.\r\n[8] Allievi, A.; Goddard, D.; Hurley, S.; Zidouemba, A. 
Threat Spotlight: Group 72, Opening the ZxShell. Cisco Talos.\r\nhttps://blogs.cisco.com/security/talos/opening-zxshell.\r\n[9] Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Government.\r\nhttp://blogs.360.cn/post/APT_C_01_en.html.\r\nSource: https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/"
	],
	"report_names": [
		"vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b9695d1c-08bf-4cb9-b408-f9275bbe47e7",
			"created_at": "2025-03-07T02:00:03.802302Z",
			"updated_at": "2026-04-10T02:00:03.83211Z",
			"deleted_at": null,
			"main_name": "GreenSpot",
			"aliases": [
				"PoisonVine",
				"APT-Q-20"
			],
			"source_name": "MISPGALAXY:GreenSpot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434150,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea5a80ac99c581326dfc69794754fb544488d446.pdf",
		"text": "https://archive.orkl.eu/ea5a80ac99c581326dfc69794754fb544488d446.txt",
		"img": "https://archive.orkl.eu/ea5a80ac99c581326dfc69794754fb544488d446.jpg"
	}
}