{
	"id": "bcc912e9-6e17-40a9-b432-0ab36df71c9b",
	"created_at": "2026-04-06T00:06:41.69692Z",
	"updated_at": "2026-04-10T13:12:52.987959Z",
	"deleted_at": null,
	"sha1_hash": "f169c9f142f0a1a141f8c915b87a07623b146df4",
	"title": "APT17 is run by the Jinan bureau of the Chinese Ministry of State Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722120,
	"plain_text": "APT17 is run by the Jinan bureau of the Chinese Ministry of State Security\r\nBy intrusiontruth\r\nPublished: 2019-07-24 · Archived: 2026-04-05 20:31:34 UTC\r\nIn previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. (济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.\r\nWe also identified two hackers from Jinan – Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company, and Zeng Xiaoyong (曾小勇), the individual behind the online profile ‘envymask’.\r\nZoxRPC\r\nThe Chinese variant of MS08-067 is particularly interesting because it forms part of a hacking tool frequently used by Chinese APT groups called ZoxRPC. This report from Novetta details ZoxRPC’s incorporation in its code of specific memory addresses from the port of MS08-067 to Chinese operating systems (for which envymask takes responsibility).\r\nThat is to say, Zeng’s code is used in ZoxRPC.\r\nhttps://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/\r\nPage 1 of 5\r\nNovetta report on ZoxRPC evolution\r\nIf there were any doubt that it was envymask’s code used in ZoxRPC, have a look at the code found on pudn[.]com and you will see that it says: ‘MS08-067 Exploit for CN by EMM@ph4nt0m.org’.\r\nMS08-067 for China written by envymask aka EMM\r\nZoxPNG\r\nIn a timeline analysis, the Novetta report identifies that ZoxRPC was evolved from code dating back to 2002 and was eventually released in 2008. It was then further developed into a new tool called ZoxPNG in 2013.\r\nNovetta timeline analysis\r\nA PwC presentation given at the Kaspersky Security Analyst Summit in 2015 showed that Chinese hacker Zhang Peng (张鹏) aka ‘missll’ was the author of the newer ZoxPNG variant.\r\nPwC presentation on ZoxPNG\r\nAPT17\r\nAs FireEye noted in their ‘Hide and Seek’ report, ZoxPNG is also known as BLACKCOFFEE. And as V3 showed in their blog article, APT17 aka DeputyDog used BLACKCOFFEE malware as a key part of multiple campaigns.\r\nV3 blog article on APT17 using BLACKCOFFEE malware\r\nSo Zeng wrote the MS08-067 code in ZoxRPC.\r\nAnd Zhang Peng aka missll evolved it into the APT17 tool ZoxPNG aka BLACKCOFFEE.\r\nWhere was Zhang Peng from? Jinan, China.\r\nPwC presentation on missll\r\nIn summary:\r\nEither, one of the authors of code in APT17’s primary malware just happens to be associated with a series of Cyber Security outfits that claim the MSS as their clients and are coincidentally managed by an MSS Officer.\r\nOr, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.\r\n#thereismore…\r\nSource: https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/"
	],
	"report_names": [
		"apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f169c9f142f0a1a141f8c915b87a07623b146df4.pdf",
		"text": "https://archive.orkl.eu/f169c9f142f0a1a141f8c915b87a07623b146df4.txt",
		"img": "https://archive.orkl.eu/f169c9f142f0a1a141f8c915b87a07623b146df4.jpg"
	}
}