{
	"id": "49637b31-edfe-4b50-9a75-e7162b23512f",
	"created_at": "2026-04-06T00:10:40.169124Z",
	"updated_at": "2026-04-10T03:33:45.970423Z",
	"deleted_at": null,
	"sha1_hash": "f7085df6fedc4b7d9d96c1611fbab9ee29b9d15a",
	"title": "Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44854,
	"plain_text": "Cicada: Chinese APT Group Widens Targeting in Recent\r\nEspionage Activity\r\nArchived: 2026-04-02 11:58:48 UTC\r\nA Chinese state-backed advanced persistent threat (APT) group is attacking organizations around the globe in a\r\nlikely espionage campaign that has been ongoing for several months.\r\nVictims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental\r\norganizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. The\r\nwide range of sectors and geographies of the organizations targeted in this campaign is notable. Cicada’s\r\ninitial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times\r\nit has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this\r\ncampaign does appear to indicate a further widening of Cicada’s targeting.\r\nThe attribution of this activity to Cicada is based on the presence on victim networks of a custom loader and\r\ncustom malware that are believed to be exclusively used by the APT group.\r\nWhile Cicada has been linked to espionage-style operations dating back to 2009, the earliest activity in\r\nthis current campaign occurred in mid-2021, with the most recent activity seen in February 2022. This is therefore a long-running attack campaign that may still be ongoing, according to researchers from Symantec, a division of Broadcom.\r\nActivity on infected networks\r\nIn several cases, the initial activity on victim networks is seen on Microsoft Exchange Servers, suggesting the\r\npossibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to\r\nvictim networks in some cases.\r\nOnce the attackers have successfully gained access to victim machines, we observe them deploying a range of\r\ntools, including a custom loader and the Sodamaster backdoor.
The loader deployed in this campaign was\r\nalso deployed in a previous Cicada attack.\r\nSodamaster is a known Cicada tool that is believed to be exclusively used by this group. It is a fileless malware\r\nthat is capable of multiple functions, including evading detection in a sandbox by checking for a registry key or\r\ndelaying execution; enumerating the username, hostname, and operating system of targeted systems; searching for\r\nrunning processes, and downloading and executing additional payloads. It is also capable of obfuscating and\r\nencrypting traffic that it sends back to its command-and-control (C\u0026C) server. It is a powerful backdoor that\r\nCicada has been using since at least 2020.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks\r\nPage 1 of 4\n\nIn this campaign, the attackers are also seen dumping credentials, including by using a custom Mimikatz loader.\r\nThis version of Mimikatz drops mimilib.dll to obtain credentials in plain text for any user that is accessing the\r\ncompromised host and provides persistence across reboots.\r\nThe attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports\r\nfunction, and use the WinVNC tool for remote control of victim machines.\r\nOther tools utilized in this attack campaign include:\r\nRAR archiving tool - can be used to compress, encrypt, or archive files, likely for exfiltration.\r\nSystem/Network discovery - a way for attackers to determine what systems or services are connected to an\r\ninfected machine.\r\nWMIExec - Microsoft command-line tool that can be used to execute commands on remote computers.\r\nNBTScan - an open-source tool that has been observed being used by APT groups to conduct internal\r\nreconnaissance within a compromised network.\r\nVictims\r\nThe victims in this campaign appear to primarily be government-related institutions or NGOs, with some of these\r\nNGOs 
working in the fields of education and religion. There were also victims in the telecoms, legal, and\r\npharmaceutical sectors.\r\nThe victims are spread across a wide number of regions including the U.S., Canada, Hong Kong, Turkey, Israel,\r\nIndia, Montenegro, and Italy. There is also just one victim in Japan, which is notable due to Cicada’s previous\r\nstrong focus on Japanese-linked companies.\r\nThe attackers spent as long as nine months on the networks of some victims.\r\nThe victims targeted, the various tools deployed in this campaign, and what we know of Cicada’s past activity all\r\nindicate that the most likely goal of this campaign is espionage. Cicada activity was linked by U.S. government\r\nofficials to the Chinese government in 2018.\r\nSignificance of this activity\r\nThis is a long-running campaign from a sophisticated and experienced nation-state-backed actor that may still be\r\nongoing, as the most recent activity we saw in this campaign was in February 2022. The targeting of multiple\r\nlarge organizations in different geographies at the same time would require a lot of resources and skills that are\r\ngenerally only seen in nation-state-backed groups, and shows that Cicada still has a lot of firepower behind it\r\nwhen it comes to its cyber activities.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise (IOCs)\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that
file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks"
	],
	"report_names": [
		"cicada-apt10-china-ngo-government-attacks"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7085df6fedc4b7d9d96c1611fbab9ee29b9d15a.pdf",
		"text": "https://archive.orkl.eu/f7085df6fedc4b7d9d96c1611fbab9ee29b9d15a.txt",
		"img": "https://archive.orkl.eu/f7085df6fedc4b7d9d96c1611fbab9ee29b9d15a.jpg"
	}
}