Who is APT27?
APT27 — also known as Emissary Panda, Iron Tiger, and LuckyMouse — is a Chinese state-sponsored cyber-espionage group active since at least 2010. The group has been linked to long-running campaigns against governments, critical industries, and organizations worldwide, typically seeking political, economic, and strategic intelligence and occasionally pursuing financial objectives.
APT27 is recognized for its use of spear-phishing, watering-hole compromises, and exploitation of internet-facing applications to gain access, commonly relying on a mix of custom-built and widely shared malware to maintain long-term footholds in targeted networks.

Aliases
APT27 is tracked under multiple names by different security vendors and research organizations including:
- Lucky Mouse
- BRONZE UNION
- Budworm
- EMISSARY PANDA
- Circle Typhoon
- Iron Taurus
- Iron Tiger
- Threat Group-3390
- Group 35
- Earth Smilodon
- G0027
- GreedyTaotie
- Linen Typhoon
- Red Phoenix
- TEMP.Hippo
- ZipToken
Motivations & Objectives
APT27 is a Chinese state-sponsored cyber-espionage group whose operations primarily serve intelligence collection. The group’s campaigns show a clear focus on gaining and maintaining access to government, industry, and other strategic targets to extract political, economic, and technological information.
Over time, APT27 has also expanded its activity to include financially motivated intrusions, indicating a dual focus on both state-aligned espionage and profit-driven operations.
Targeted Regions & Sectors
APT27 has consistently targeted organizations across multiple global regions, prominently including North America, Southeast Asia, Western and Eastern Asia, the Middle East, Europe and South America.
The group’s operations most frequently focus on government entities, defense and aerospace, telecommunications, energy, manufacturing, high-tech and IT, research and education, business services, travel and automotive, and electronics.

APT27 has also expanded its operations into the healthcare sector. In 2021, German pharmaceutical and technology companies were targeted in campaigns aimed at stealing trade secrets and intellectual property. That same year, the U.S. Department of Health and Human Services reported that APT27 exploited a vulnerability in Zoho ManageEngine ADSelfService Plus, compromising organizations across healthcare, defense, higher education, consulting, and IT industries.

Malware & Toolset
APT27 has employed a mix of custom-built malware and widely shared tools across its campaigns. Its arsenal includes long-running proprietary backdoors that have been maintained and updated over the years, alongside modular RATs and lightweight web shells used for quick access and persistence. The group also makes use of credential theft and post-exploitation utilities to extend its reach and maintain control within compromised environments.
Malware / Tool | Description |
---|---|
HyperBro | In-memory backdoor/RAT used for persistent access, command execution, and data exfiltration. |
PlugX (aka Korplug, Sogu) | Modular RAT widely used by China-nexus clusters; supports command execution, screen capture, keylogging, file operations, and process/service management. |
SysUpdate | Modular backdoor used by APT27 for persistence, command execution, file and process management, screenshot capture, and C2 communications; supports Windows and Linux. |
ZxShell | Classic China-nexus RAT. |
gh0st RAT | Remote access tool (RAT) used by China-nexus cyberespionage groups. |
HTTPBrowser | Remote access trojan (RAT). |
ASPXSpy | ASP.NET webshell; APT27 uses a modified “ASPXTool” variant. |
China Chopper | Lightweight webshell used for foothold and post-exploitation. |
Windows Credential Editor (WCE) | Credential-dumping utility used to extract passwords/hashes from memory. |
Mimikatz | Post-exploitation credential dumper for LSASS/DPAPI/SSP creds. |
gsecdump | Credential-dumping tool used to pull SAM/LSA secrets and hashes. |
Pandora | Multistage kernel-mode rootkit/backdoor. |
fscan | Fast intranet scanner used for network/port discovery during intrusions. |
OwaAuth | Web Shell and credential stealer. |
ShadowPad | Modular backdoor used across China-nexus clusters; used in Operation StealthyTrident (Able Desktop supply-chain, Mongolia, 2020; LuckyMouse/Emissary Panda). |
APT27 Attack Techniques
APT27 has developed and refined a wide-ranging set of attack techniques that reflect both the group’s persistence and its adaptability. Its operations consistently follow a methodical playbook for gaining access to networks, maintaining a long-term presence, and conducting espionage against high-value targets. These techniques form the backbone of APT27’s campaigns, supporting its strategic objectives while evading detection.
Initial Access
APT27 gains initial access through a range of well-documented and opportunistic methods. The group has consistently exploited vulnerabilities in internet-facing applications, including high-profile cases like Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) and Microsoft Exchange ProxyLogon/ProxyShell (CVE-2021-26855/-26857/-26858/-27065). They also targeted Apache Tomcat servers using Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105).
Beyond vulnerability exploitation, APT27 has leveraged spear-phishing emails to deliver malicious attachments or links, often tailored to specific targets and sectors.

In some campaigns, the group has also employed watering-hole attacks, compromising legitimate websites commonly visited by their targets to silently deliver malware.
APT27 has also been observed using compromised credentials to access target environments, and to maintain or regain access through external remote services such as VPN gateways and Outlook Web Access (OWA) portals.
Post-Compromise Actions
After achieving initial access, APT27 performs a series of strategic actions to escalate privileges, establish long-term persistence, and collect sensitive data from compromised networks. One of the group’s immediate post-exploitation steps often includes deploying web shells, such as China Chopper, which provide direct command-line access to victim servers to execute commands and upload additional payloads. APT27 has been observed using these web shells to deploy a variety of tools and malware, most notably its custom malware HyperBro.
The group is also known to deploy post-exploitation malware such as HyperBro, SysUpdate, PlugX, and others through DLL sideloading, abusing trusted signed binaries to execute malicious code and evade detection. In addition, APT27 has been observed disabling Windows event logging to limit forensic visibility, and in some operations, deploying kernel-mode rootkits to conceal malicious activity at the system level.
APT27 employs a wide range of techniques to obtain credentials across compromised environments. The group is known for dumping operating system credentials from memory, as well as from Windows registry hives, using tools such as Mimikatz, Windows Credential Editor (WCE), and gsecdump.
In addition to system-level dumping, APT27 leverages custom web shells — notably one known as OwaAuth, deployed on Microsoft Exchange OWA — to log credentials as they are submitted at login. The group has also used backdoors with keylogging functionality to passively capture user credentials over time.
APT27 Recent Activity
APT27 has been linked to numerous, large-scale espionage campaigns targeting a wide array of industries and geographies, reflecting the group’s persistent focus on intelligence collection and strategic advantage across different sectors and regions.
Operation StealthyTrident (Mongolia, 2017–2020)
A long-running supply-chain breach of Able Desktop—a chat app widely deployed across Mongolian government agencies—began with trojanized installers (from December 2017) and evolved into a compromised update mechanism that swapped legitimate updates for malware. Across phases, victims received HyperBro, PlugX/Korplug, and later Tmanger. The operators leaned on a three-pronged DLL side-loading “trident” that abused signed binaries (e.g., Symantec thinprobe.exe/IntgStat.exe and McAfee siteadv.exe) to decrypt and launch payloads at scale. Researchers noted tooling and infrastructure overlaps—HyperBro, Tmanger, and ShadowPad C2—that point to APT27’s hand and suggest possible collaboration or capability-sharing among China-nexus actors.
April 2019 – SharePoint Exploitation in the Middle East
Between April 1–16, 2019, Emissary Panda breached three SharePoint servers across two Middle East government organizations. Initial access was assessed with high confidence to be via CVE-2019-0604, after which the actors planted multiple web shells — Antak (error2.aspx) and China Chopper–style one-liners (stylecs.aspx, stylecss.aspx, test.aspx, plus two errr.aspx instances).
Using the shells as a foothold, they uploaded a mixed toolkit and began post-exploitation activities: credential dumping (e.g., Mimikatz/pwdump), network discovery (nbtscan, a netview-like etool.exe), and lateral movement via Impacket (psexec, smbexec) and custom SMB backdoors, including attempts to execute remote batch jobs with domain credentials. They scanned for and abused MS17-010 / CVE-2017-0144 (EternalBlue) where possible.
A HyperBro backdoor was deployed (via a self-extracting archive) and configured to talk over HTTPS to 185.12.45[.]134/ajax; HyperBro runs in daemon/worker modes, communicates over a named pipe, supports file/service management, screenshots, command/script execution, and shellcode injection into msiexec.exe.
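Detection logic for the web-shell stage described above, written as an added example rather than code from the original report: it parses an IIS W3C log (a constructed excerpt, with the SharePoint shell file names used as known-bad names) and flags requests by file name, by repeated POSTs to .aspx pages that are not known form handlers, and by non-browser user agents on those POSTs. The allowlist, client addresses and log lines are assumptions.

```python
"""Flag likely web-shell traffic in an IIS W3C log.

Added example, not code from the original report. The log excerpt and the
allowlist below are constructed; the suspicious file names mirror the ones
reported in the 2019 SharePoint case (error2.aspx, stylecs.aspx, stylecss.aspx,
test.aspx, errr.aspx).
"""
from collections import defaultdict

# Constructed IIS W3C log excerpt; field order follows the #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2019-04-02 03:11:08 203.0.113.7 GET /_layouts/15/error2.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
2019-04-02 03:11:09 203.0.113.7 POST /_layouts/15/error2.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
2019-04-02 03:11:15 203.0.113.7 POST /_layouts/15/error2.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
2019-04-02 03:12:40 203.0.113.7 POST /_layouts/15/stylecs.aspx - 200 python-requests/2.21.0
2019-04-02 08:00:01 198.51.100.4 GET /sites/hr/default.aspx - 200 Mozilla/5.0+(Windows+NT+10.0)
2019-04-02 08:00:05 198.51.100.4 POST /_layouts/15/upload.aspx - 302 Mozilla/5.0+(Windows+NT+10.0)
2019-04-02 08:00:09 198.51.100.4 POST /_layouts/15/upload.aspx - 302 Mozilla/5.0+(Windows+NT+10.0)
"""

# File names of the web shells reported in the SharePoint intrusion.
KNOWN_SHELL_NAMES = {"error2.aspx", "errr.aspx", "stylecs.aspx", "stylecss.aspx", "test.aspx"}
# Pages that legitimately receive POSTs in this hypothetical deployment.
ALLOWLIST_POST_PAGES = {"/_layouts/15/upload.aspx"}


def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # The last field (User-Agent) never contains spaces in IIS logs ('+' instead).
            rows.append(dict(zip(fields, line.split(" ", len(fields) - 1))))
    return rows


def find_webshell_activity(rows, min_posts=2):
    """Return {uri-stem: [reasons]} for requests that look like web-shell use.

    Three signals are combined: a known shell file name, repeated POSTs to
    .aspx pages that are not known form handlers, and non-browser user agents
    on those POSTs.
    """
    findings = defaultdict(set)
    post_counts = defaultdict(int)
    for r in rows:
        stem = r["cs-uri-stem"]
        if stem.rsplit("/", 1)[-1].lower() in KNOWN_SHELL_NAMES:
            findings[stem].add("known web-shell file name")
        if (r["cs-method"] == "POST" and stem.lower().endswith(".aspx")
                and stem not in ALLOWLIST_POST_PAGES):
            post_counts[(r["c-ip"], stem)] += 1
            ua = r["cs(User-Agent)"]
            if not ua.startswith("Mozilla/"):
                findings[stem].add(f"non-browser user agent on POST: {ua}")
    for (ip, stem), n in post_counts.items():
        if n >= min_posts:
            findings[stem].add(f"{n} POSTs from {ip} to a page that is not a known form handler")
    return {stem: sorted(reasons) for stem, reasons in findings.items()}


if __name__ == "__main__":
    for stem, reasons in find_webshell_activity(parse_iis(SAMPLE_LOG)).items():
        print(stem)
        for reason in reasons:
            print("   -", reason)
```

The file-name match is the weakest of the three signals, since a shell is trivially renamed; the POST-frequency and user-agent checks are what carry the detection when the name is unfamiliar. Wire `ALLOWLIST_POST_PAGES` to the pages your SharePoint or OWA instance actually serves forms from, and add `cs-uri-query` and `sc-bytes` checks if your log format records them.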
For evasion, the operators used DLL sideloading with legitimate apps:
- Sublime Text’s plugin_host.exe loading a malicious PYTHON33.dll,
- Microsoft System Center’s CreateMedia.exe loading CreateTsMediaAdm.dll.
These DLLs decrypted obfuscated shellcode and attempted to load corresponding .hlp files for further execution.
March–September 2021 – Microsoft Exchange ProxyLogon Campaign
APT27 exploited the Microsoft Exchange Server ProxyLogon vulnerabilities (CVE-2021-26855/-26857/-26858/-27065), which affect Exchange 2013/2016/2019, to deploy HyperBro. The exploitation began in early March 2021, seizing control of unpatched Exchange servers worldwide and stealing data.
2021 — Zoho ManageEngine ADSelfService Plus campaign
In 2021, APT27 targeted multiple industries, including healthcare, defense, energy, technology, education, higher education, consulting, and IT, by exploiting a REST API authentication bypass in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539), resulting in the compromise of at least nine organizations worldwide.
Operators scanned vulnerable ADSelfService Plus servers (at least 370 in the U.S.; 11,000+ internet-exposed worldwide), then delivered Godzilla web shells, the NGLite trojan, and the KdcSponge information stealer.
Post-exploitation actions included credential dumping, installing custom binaries, dropping malware for persistence and lateral movement.
On October 25, 2021, after patches for CVE-2021-40539 had been released on September 7, the operation shifted to exploiting Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077).
January 2022 — HyperBro backdoors in Germany
In January 2022, APT27 conducted an ongoing cyber-espionage campaign against German companies, deploying HyperBro and exploiting Microsoft Exchange 2013/2016/2019 (CVE-2021-26855/-26857/-26858/-27065) and Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) for initial access. The operation focused on stealing trade secrets and intellectual property.
Mid-2022 — Supply-Chain Attack via MiMi Chat Application (multi-platform)
Iron Tiger carried out a supply-chain compromise of the MiMi chat application by taking control of the servers that host its desktop installers, turning legitimate downloads into delivery vehicles for HyperBro on Windows and a new rshell backdoor on macOS (with related Linux builds also found). The campaign surfaced when a server was seen hosting both HyperBro and a malicious Mach-O “rshell,” and further analysis showed MiMi installers fetching these payloads.
On the timeline, the first compromised macOS installer was v2.3.0 (May 26, 2022); v2.2.10 (May 6, 2022) was clean. For Windows, v2.2.0 and v2.2.1 (both Nov 23, 2021) already contained injected code. In some cases the attackers modified a clean installer in about 90 minutes, inserting obfuscated JavaScript into electron-main.js.
On Windows, the injected code dropped an EXE, DLL, and a binary to the temp directory and used DLL sideloading (via a DESlock+ executable) to load HyperBro. On macOS, users had to bypass repeated “unverified developer” prompts; notably, both clean and trojanized installers were unsigned.
The rshell backdoor collects OS details, communicates with its C2 using BSON over TCP, supports interactive command execution and file operations, and was seen in macOS (Mach-O) and Linux (ELF) builds, with the oldest sample traced to June 2021.
Targeting observed in telemetry centered on Taiwan and the Philippines (13 targets total); one identified victim was a Taiwanese game developer, and related traffic touched veryssl[.]org subdomains used as C2.
October 2022 – Iron Tiger updates SysUpdate, adds Linux targeting
Iron Tiger refreshed its custom backdoor SysUpdate, adding Linux support and retooling its loader to complicate analysis. The oldest updated sample dates to July 2022. Notable code changes include removal of RTTI classes and a switch to the ASIO C++ library. A campaign timeline shows C2 and build activity ramping from April–July 2022.
The multi-stage loading chain abuses DLL sideloading with legitimate executables (e.g., Microsoft’s rc.exe, INISafeWebSSO, DESlock, Ubisoft’s installer, and Wazuh components). A malicious DLL decrypts Shikata Ga Nai shellcode, which installs, persists (registry/service), and process-hollows the next stage. Researchers highlight the first observed abuse of a Wazuh-signed executable, likely to blend into victim environments.
Capabilities mirror prior versions (service/process managers, file manager, screenshots, command exec) and now include DNS TXT–based C2; the malware queries system DNS (fallback 8.8.8.8) and encodes identifiers to drive TXT lookups, with configuration and host details DES-encrypted in transit. A stolen code-signing certificate (linked to a VMProtect demo) was used to sign samples; it was later revoked.
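The DNS TXT channel described above leaves a recognisable trace in resolver logs. The following added example (not code from the original report) parses a constructed query log and raises two kinds of alert: a host sending queries directly to an external resolver, and a host issuing a stream of TXT queries whose leftmost label is an encoded identifier under a single parent domain. The internal resolver address, domain names, client addresses and thresholds are assumptions.

```python
"""Spot DNS TXT-record beaconing in a resolver query log.

Added example, not code from the original report. The log lines, the internal
resolver address and the domain names are constructed; the pattern it looks
for is the one described above: a host issuing a stream of TXT queries whose
leftmost label is an encoded identifier, and falling back to a public resolver.
"""
import re
from collections import defaultdict

# Constructed: the organisation's own DNS servers. Anything else is "external".
INTERNAL_RESOLVERS = {"10.0.0.2"}
# A leftmost label that is pure hex (6+ chars) or base32-looking (8+ chars).
ENCODED_LABEL = re.compile(r"^(?:[0-9a-f]{6,}|[a-z2-7]{8,})$")

# Constructed query log: timestamp, client, resolver, qname, qtype.
SAMPLE_DNS = """\
2022-09-01T10:00:01Z 10.0.0.15 10.0.0.2 a3f9c2.update-cdn.example TXT
2022-09-01T10:00:31Z 10.0.0.15 10.0.0.2 b71ee0d4c9a1.update-cdn.example TXT
2022-09-01T10:01:02Z 10.0.0.15 10.0.0.2 9e0cc18f2b.update-cdn.example TXT
2022-09-01T10:01:33Z 10.0.0.15 8.8.8.8 4d5a6f7e8c9b.update-cdn.example TXT
2022-09-01T10:02:05Z 10.0.0.15 8.8.8.8 1f2e3d4c5b.update-cdn.example TXT
2022-09-01T10:00:12Z 10.0.0.22 10.0.0.2 _dmarc.corp.example TXT
2022-09-01T10:00:13Z 10.0.0.22 10.0.0.2 mail.corp.example A
2022-09-01T10:05:00Z 10.0.0.31 10.0.0.2 selector1._domainkey.corp.example TXT
2022-09-01T10:06:00Z 10.0.0.31 10.0.0.2 www.corp.example A
"""


def parse_dns_log(text):
    """Parse the constructed five-column log into dicts; qnames are normalised."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, qname, qtype = line.split()
            rows.append({"ts": ts, "src": src, "dst": dst,
                         "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return rows


def parent_domain(qname):
    """Crude 'registered domain' (last two labels); use a PSL lookup in production."""
    return ".".join(qname.split(".")[-2:])


def find_txt_beacons(rows, min_distinct_labels=4):
    """Return alert dicts for external-resolver use and encoded TXT-label streams."""
    alerts = []
    external = set()
    labels_by_src_domain = defaultdict(set)
    for r in rows:
        if r["dst"] not in INTERNAL_RESOLVERS:
            external.add((r["src"], r["dst"]))
        if r["qtype"] != "TXT":
            continue
        first = r["qname"].split(".")[0]
        if ENCODED_LABEL.match(first):
            labels_by_src_domain[(r["src"], parent_domain(r["qname"]))].add(first)
    for src, dst in sorted(external):
        alerts.append({"kind": "external_resolver", "src": src,
                       "detail": f"queries sent directly to {dst}"})
    for (src, dom), labels in sorted(labels_by_src_domain.items()):
        if len(labels) >= min_distinct_labels:
            alerts.append({"kind": "txt_beacon", "src": src,
                           "detail": f"{len(labels)} distinct encoded TXT labels under {dom}"})
    return alerts


if __name__ == "__main__":
    for a in find_txt_beacons(parse_dns_log(SAMPLE_DNS)):
        print(f"[{a['kind']}] {a['src']}: {a['detail']}")
```

Legitimate TXT lookups (SPF, DMARC, DKIM) survive the label filter because their labels are words or begin with an underscore, so the two alerts on the sample data both come from the beaconing host. The `parent_domain` helper is deliberately crude; grouping by the Public Suffix List registered domain avoids lumping unrelated tenants of a shared hosting domain together.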
October 2022 — Budworm operations in U.S., Middle East, and Asia
In October 2022, Budworm was documented conducting a six-month campaign against strategically significant targets: a Middle East government, a multinational electronics manufacturer, and a U.S. state legislature.
Initial access leveraged Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45105) in Apache Tomcat services to install web shells. The group then abused the CyberArk Viewfinity software for DLL sideloading to load their custom HyperBro backdoor, also deploying PlugX/Korplug at times, and used tools including Cobalt Strike, LaZagne, IOX proxy/port-forwarding tool, Fast Reverse Proxy, and Fscan.
August 2023 — Budworm updates SysUpdate in attacks on telecoms and government
In August 2023, Budworm (aka LuckyMouse / Emissary Panda / APT27) targeted a Middle Eastern telecommunications organization and an Asian government, deploying a previously unseen variant of its SysUpdate backdoor (inicore_v2.3.30.dll). In both intrusions, investigators only observed credential harvesting, suggesting the activity may have been interrupted early in the attack chain.
Budworm executed SysUpdate via DLL sideloading using the legitimate INISafeWebSSO application—a technique the group has used for years—while leaning on living-off-the-land and public tools for discovery and theft, including AdFind, curl, SecretsDump, and a PasswordDumper utility.
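Every campaign on this page, from the 2019 SharePoint intrusion (plugin_host.exe/PYTHON33.dll, CreateMedia.exe/CreateTsMediaAdm.dll) to the 2023 SysUpdate variant (INISafeWebSSO/inicore_v2.3.30.dll), leans on the same loader shape: a signed, legitimate executable loading an attacker-supplied DLL from its own directory. This added example (not code from the original report) triages image-load telemetry in the shape of Sysmon Event ID 7 records for that pattern. The events are constructed to mirror those pairings; signer names, paths and the trusted-signer allowlist are assumptions.

```python
"""Triage DLL side-loading candidates from image-load telemetry.

Added example, not code from the original report. The events below are
constructed in the shape of Sysmon Event ID 7 (ImageLoad) records and mirror
the pairings reported on this page; signer names other than Microsoft are
placeholders.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    image: str            # loading process
    image_loaded: str     # DLL path
    process_signer: str   # "" when unsigned
    dll_signer: str       # "" when unsigned


# Signers whose DLLs are routinely shipped beside third-party executables
# (VC runtimes etc.); a signer mismatch against these alone is not worth an alert.
TRUSTED_DLL_SIGNERS = {"microsoft corporation", "microsoft windows"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

SAMPLE_EVENTS = [  # constructed
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\plugin_host.exe",
              r"C:\Users\victim\AppData\Local\Temp\PYTHON33.dll",
              "Sublime HQ Pty Ltd", ""),
    ImageLoad(r"C:\ProgramData\adm\CreateMedia.exe",
              r"C:\ProgramData\adm\CreateTsMediaAdm.dll",
              "Microsoft Corporation", ""),
    ImageLoad(r"C:\ProgramData\sso\INISafeWebSSO.exe",
              r"C:\ProgramData\sso\inicore_v2.3.30.dll",
              "Initech Co., Ltd.", "Example Software Co."),
    ImageLoad(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
              r"C:\Program Files (x86)\Google\Update\goopdate.dll",
              "Google LLC", "Google LLC"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll",
              "Microsoft Windows", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vcruntime140.dll",
              "Vendor Inc.", "Microsoft Corporation"),
]


def sideload_reasons(ev):
    """Return the reasons an image load looks like side-loading (empty if benign)."""
    dll_dir = ntpath.dirname(ev.image_loaded).lower() + "\\"
    proc_dir = ntpath.dirname(ev.image).lower() + "\\"
    # Only signed host processes matter here; system directories are out of scope.
    if not ev.process_signer or dll_dir.startswith(SYSTEM_DIRS):
        return []
    reasons = []
    if not ev.dll_signer:
        reasons.append("signed process loaded an unsigned DLL")
    elif (ev.dll_signer.lower() != ev.process_signer.lower()
          and ev.dll_signer.lower() not in TRUSTED_DLL_SIGNERS):
        reasons.append(f"DLL signer '{ev.dll_signer}' differs from process signer '{ev.process_signer}'")
    if reasons:  # context that raises confidence once the signer check fired
        if dll_dir == proc_dir:
            reasons.append("DLL sits beside the executable (search-order position)")
        if any(h in dll_dir for h in USER_WRITABLE_HINTS):
            reasons.append("DLL is in a user-writable directory")
    return reasons


def scan(events):
    """Map each suspicious DLL path to its reasons."""
    return {ev.image_loaded: r for ev in events if (r := sideload_reasons(ev))}


if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS).items():
        print(dll)
        for reason in reasons:
            print("   -", reason)
```

Two caveats come straight from the page: the SysUpdate samples were signed with a stolen certificate, so a signed DLL is not automatically clean (the signer-mismatch branch is what catches that case), and the abuse of a Wazuh-signed executable shows the host binary can be something the defender installed deliberately, which is why the logic keys on the relationship between executable and DLL rather than on either name alone.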
July 2024 — BfV warns of APT27 activity in Europe
On July 11, 2024, Germany’s domestic intelligence service (Bundesamt für Verfassungsschutz) posted a tweet warning that APT 27 was likely attacking entities in Europe, using new versions of the known RSHELL malware, and shared a YARA rule for defenders.

June 12, 2025 — Iron Taurus (APT27) still active in 2025
Unit 42 confirmed that Iron Taurus (APT27) continues to operate, remains an active threat, and still uses the custom malware family SysUpdate. Over the past two years, devices in 45 countries have been observed connecting to the group’s SysUpdate C2 infrastructure.
Top 10 countries with the most observed connections
- Taiwan (TW)
- Afghanistan (AF)
- India (IN)
- China (CN)
- Lithuania (LT)
- Pakistan (PK)
- United States (US)
- Hong Kong (HK)
- Singapore (SG)
- Iran (IR)

Critical Vulnerabilities Exploited by APT27
APT27 exploited multiple Microsoft Exchange Server 2013, 2016, and 2019 ProxyLogon vulnerabilities (CVE‑2021‑26855, CVE‑2021‑26857, CVE‑2021‑26858, and CVE‑2021‑27065) to gain unauthenticated access and deploy HyperBro.
Between March and mid‑September 2021, the group leveraged a Zoho ManageEngine ADSelfService Plus vulnerability (CVE‑2021‑40539) for unauthorized access; from late October 2021, they moved to exploit CVE‑2021‑44077 in Zoho’s ServiceDesk Plus.
APT27 also exploited a SharePoint server vulnerability, CVE‑2019‑0604, in April 2019 to deploy web shells on government-related SharePoint servers in the Middle East.
In late 2022, APT27 (also tracked as “Budworm”) exploited high-severity Log4j vulnerabilities (CVE‑2021‑44228 and CVE‑2021‑45105) to infect systems running Apache Tomcat and install web shells.
In earlier operations, BRONZE UNION leveraged the Kekeo credential tool to exploit CVE-2014-6324 (Microsoft Kerberos) for domain privilege escalation.
The group has also used weaponized Microsoft Office documents exploiting Equation Editor CVE-2018-0798 to achieve code execution and payload delivery.
Law Enforcement Actions and Recent Indictments
On March 5, 2025, the U.S. Department of Justice unsealed charges against 12 Chinese nationals involved in global intrusion campaigns. The defendants included two MPS officers and eight i-Soon employees, including Yin Kecheng and Zhou Shuai (also known as “Coldface”). According to the indictment, both individuals are members of APT27.
The DOJ stated that between August 2013 and December 2024, Yin, Zhou, and their co-conspirators conducted unauthorized intrusions into victim networks by exploiting software vulnerabilities, conducting internal reconnaissance, and deploying malware such as PlugX to establish persistent access. The indictment alleges that the group stole data from compromised networks and transferred it to servers under their control.
According to the indictment, Yin and Zhou brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military. The DOJ stated that Zhou sold data stolen by Yin through i-Soon, whose primary customers were PRC government agencies, including the Ministry of State Security (MSS) and Ministry of Public Security (MPS).
The group’s operations were financially motivated, and their targeting extended beyond intelligence requirements, affecting U.S. technology firms, law firms, defense contractors, healthcare systems, universities, local governments, and think tanks. The DOJ noted that the intrusions caused millions of dollars in damages.
The indictment further states that Yin continued hacking activity through at least December 2024, including involvement in a cyber intrusion targeting the U.S. Department of the Treasury. The DOJ reported that the FBI seized infrastructure—including virtual private servers—used by the actors to facilitate this and other operations.
As part of a coordinated action, the U.S. Department of the Treasury sanctioned Yin, Zhou, and Zhou’s company, Shanghai Heiying Information Technology Co., Ltd.
The Department of State also announced reward offers of up to $2 million each for information leading to the arrests of Yin and Zhou. Both individuals remain at large in China.

The FBI’s Internet Crime Complaint Center (IC3) also issued a public alert on the same day (I-030525-PSA), identifying APT27 and i-Soon as key players in China’s state-sponsored hacking ecosystem and detailing their role in the broader strategy of cyber-enabled repression and data theft.

Suspected Ransomware Activity
Polar ransomware (April 2020)
Incident responders traced mass file encryption to an intrusion that began in early 2018 via a vulnerable perimeter server. The operators maintained access with China Chopper / TwoFace web shells, performed credential dumping (including LSASS), scanned for Eternal* SMB flaws, and installed SysUpdate and HyperBro for persistence. On April 29, 2020, they pivoted to monetization by pushing Polar via a DLL-hijack chain: a legitimate GDFInstall.exe loaded a malicious GameuxInstallHelper.dll, which decrypted and ran Sysurl.Hex (the Polar payload). The ransomware cleared logs and shadow copies, used .locked / .cryptd extensions, dropped an HTML note, and beaconed host names over HTTP; responders recovered data due to weaknesses in its crypto.
Researchers noted that tooling and tradecraft overlapped with APT27/Emissary Panda—notably prior use of SysUpdate and HyperBro for persistence—yet the target type (a media organization), the presence of cryptomining and ransomware, and infrastructure details introduce doubt. They described the indicators pointing at APT27 as strong but not conclusive.
Gaming-sector incident (December 2020) — BitLocker, Clambling, PlugX
Incident responders documented a breach at a major gaming company where the operators encrypted core servers using Windows BitLocker (native “living-off-the-land” encryption rather than dropping a commodity ransomware binary). Initial access came via a compromised third-party service provider; the operators deployed ASPXSpy web shells, then side-loaded PlugX and a “Clambling” backdoor through a signed Google Updater executable (GoogleUpdate.exe + malicious goopdate.dll, payload in license.rtf/English.rtf). Post-exploitation included credential dumping (Mimikatz/WCE) and privilege escalation using CVE-2017-0213, followed by process injection into msiexec.exe and svchost.exe, command/control over TCP/UDP/HTTP, and backdoor features such as keylogging, screenshotting, file management, and clean-up. The activity aligns with the broader DRBControl/Clambling campaign that targeted gaming firms and was previously linked in reporting to Chinese intrusion sets.
The operation shows strong overlaps with APT27/Emissary Panda (PlugX/“Clambling” side-loaded via a signed GoogleUpdate chain, ASPXSpy, and a familiar post-ex playbook), but it also exhibits Winnti-family hallmarks (infrastructure/mutex patterns and post-ex commands). No HyperBro sample was recovered in this case; overall attribution remains unresolved (APT27 vs. Winnti remains plausible).
False Flag Identity on Twitter
In August 2022, during U.S. House Speaker Nancy Pelosi’s visit to Taiwan, a Twitter account using the handle @APT27_Attack announced a “cyber war” against Taiwan. The group carried out distributed denial-of-service (DDoS) operations that temporarily disrupted several Taiwanese government websites, alongside defacements at convenience stores and train stations displaying anti-Pelosi messages.

Because of its name, APT27_Attack was initially associated with the espionage group APT27, but its operators publicly denied any link. In a tweet posted on August 3, 2022, the account stated:
“We don’t belong to the government, we come from countries all over the world, about people comparing us to the notorious APT27, what I want to say is that we are 27 Attack, you can call us 27, we have completed the task, we will not be publishing anything, good luck :)”

Security researchers assessed that the group was a hacktivist collective rather than the authentic APT27, noting their public declarations, short-lived operations, and reliance on unsophisticated tools contrasted with APT27’s hallmark tradecraft of long-term covert espionage. Comparative analysis of tactics, techniques, and procedures (TTPs) showed no overlap between the two.
MITRE ATT&CK®
Tactic | Technique | ID |
---|---|---|
Initial Access | Exploit Public-Facing Application | T1190 |
Initial Access | Spearphishing Attachment | T1566.001 |
Initial Access | Drive-by Compromise (watering hole) | T1189 |
Initial Access | External Remote Services | T1133 |
Execution | Command & Scripting Interpreter: PowerShell | T1059.001 |
Execution | Command & Scripting Interpreter: Windows Cmd | T1059.003 |
Execution | Process Injection: Process Hollowing | T1055.012 |
Execution | Windows Management Instrumentation | T1047 |
Execution | Exploitation for Client Execution | T1203 |
Persistence | Server Software Component: Web Shell | T1505.003 |
Persistence | Create/Modify System Process: Windows Service | T1543.003 |
Persistence | Registry Run Keys/Startup Folder | T1547.001 |
Persistence | Scheduled Task/Job | T1053 |
Persistence | Modify Registry | T1112 |
Privilege Escalation | Exploitation for Privilege Escalation | T1068 |
Privilege Escalation | Bypass User Account Control | T1548.002 |
Credential Access | OS Credential Dumping | T1003 |
Credential Access | Credentials from Password Stores | T1555 |
Credential Access | Input Capture: Keylogging | T1056.001 |
Collection | Screen Capture | T1113 |
Discovery | Network Service Scanning | T1046 |
Discovery | Remote System / Account Discovery | T1018 / T1033 |
Discovery | Account Discovery: Local Account | T1087 |
Discovery | System Network Configuration Discovery | T1016 |
Discovery | System Network Connections Discovery | T1049 |
Discovery | Data from Local System | T1005 |
Lateral Movement | Exploitation of Remote Services | T1210 |
Lateral Movement | Lateral Tool Transfer | T1570 |
Resource Development | Obtain Capabilities: Code Signing Certificates | T1588.003 |
Resource Development | Obtain Capabilities: Tool | T1588.002 |
Resource Development | Stage Capabilities: Upload Malware | T1608.001 |
Resource Development | Stage Capabilities: Upload Tool | T1608.002 |
Resource Development | Stage Capabilities: Drive-by Target | T1608.004 |
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
Exfiltration | Data Staged: Local | T1074.001 |
Exfiltration | Data Staged: Remote | T1074.002 |
Exfiltration | Archive Collected Data | T1560.001 |
Exfiltration | Exfiltration Over Web Service: To Cloud Storage (Dropbox) | T1567.002 |
Exfiltration | Exfiltration Over C2 Channel | T1041 |
Defense Evasion | DLL Side-Loading | T1574.001 |
Defense Evasion | Obfuscated/Compressed Files & Info | T1027 |
Defense Evasion | Indicator Removal | T1070 |
Defense Evasion | Impair Defenses: Disable Windows Event Logging | T1562.002 |
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
Indicators of Compromise (IOCs)
Description / Type | Hash / IOC |
---|---|
HyperBro C2 | hxxps://185.12.45[.]134:443/ajax |
Malicious lure document | 4fce3d38e0a308088cd75c2ef1bb5aa312e83447d63a82f62839d3609a283b02 |
Malicious lure document | 3e04eb55095ad6a45905564d91f2ab6500e07afcdf9d6c710d6166d4eef28185 |
Malicious lure document | 4123a19cda491f4d31a855e932b8b7afdcf3faf5b448f892da624c768205a289 |
HyperBro | 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462 |
stylecs.aspx | 2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86 |
stylecss.aspx | d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe |
test.aspx | 6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378 |
error2.aspx | 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38 |
OwaAuth web shell | 0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80 |
Pandora rootkit | af31c16dcd54ee11d425eb3a579ad0606a05b36c0605cc16007f3d3c84d8e291 |
SysUpdate | b39e2cf333b9f854bcdf993aa6c1f357d2a7042139e4c6ca47ed504090006a61 |
HyperBro | e74056a729e004031b78007708bb98d759ff94b46866898c5a05d87013cd643c |
HyperBro | 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7 |
Linux SysUpdate | 6d9031eb617096439bc8c8f7c32f4a11ffefc4326d99229fc78722873092e400 |
Windows SysUpdate DLL | d950cc937f4df9ab0bad44513d23ea7ecdfae2b0de8ba351018de5fb5d7b1382 |
Windows SysUpdate payload | 123880edc91f7dc033a769d9523f783f7b426673ee95e9e33654cdfa95a6462c |
Trojanized Able Desktop | 07f87f7b3313acd772f77d35d11fc12d3eb7ca1a2cd7e5cef810f9fb657694a0 |
Korplug | c2dc17bdf16a609cdb5a93bf153011d67c6206f7608931b1ca1c1d316b5ad54f |
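To make the table above actionable, this added example (not code from the original report) refangs a few of its rows, separates hash indicators from network indicators, and matches them against a constructed file-hash inventory and proxy log. The inventory paths, log lines and client addresses are assumptions; the IOC values are the ones listed in the table.

```python
"""Refang the indicators from the table above and match them against telemetry.

Added example, not code from the original report. IOC_TABLE repeats four rows
of the page's indicator table; the proxy log and file-hash inventory are
constructed so the script runs offline.
"""
import re
from urllib.parse import urlsplit

IOC_TABLE = """\
Description / Type | Hash / IOC |
---|---|
HyperBro C2 | hxxps://185.12.45[.]134:443/ajax |
HyperBro | 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462 |
OwaAuth web shell | 0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80 |
Korplug | c2dc17bdf16a609cdb5a93bf153011d67c6206f7608931b1ca1c1d316b5ad54f |
"""
SHA256 = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo the common defanging conventions (hxxp, [.], [:])."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def load_iocs(table):
    """Split the table into hash, URL and host indicators; values are lower-cased."""
    hashes, urls, hosts = {}, {}, {}
    for line in table.splitlines():
        if "|" not in line or line.startswith("---"):
            continue
        desc, raw = (c.strip() for c in line.split("|")[:2])
        value = refang(raw).lower()
        if SHA256.match(value):
            hashes[value] = desc
        elif "://" in value:
            urls[value] = desc
            hosts[urlsplit(value).hostname] = desc
    return hashes, urls, hosts


# Constructed: path -> SHA-256 from an endpoint's file inventory.
FILE_INVENTORY = {
    r"C:\ProgramData\vfhost\vfhost.dll": "04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462",
    r"C:\Windows\System32\notepad.exe": "aa" * 32,
}
# Constructed proxy log: timestamp, client, destination host, port, URL.
PROXY_LOG = """\
2019-04-03T02:15:07Z 10.0.0.15 185.12.45.134 443 https://185.12.45.134/ajax
2019-04-03T02:15:09Z 10.0.0.22 www.example.com 443 https://www.example.com/
2019-04-03T02:16:40Z 10.0.0.15 185.12.45.134 443 https://185.12.45.134/ajax
"""


def match_inventory(inventory, hashes):
    """Return {path: description} for files whose hash is a listed indicator."""
    return {path: hashes[h.lower()] for path, h in inventory.items() if h.lower() in hashes}


def match_proxy_log(text, hosts):
    """Return (ts, client, dst_host, description) for connections to listed hosts."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_host, port, url = line.split()
        host = urlsplit(url).hostname or dst_host
        if host in hosts or dst_host in hosts:
            hits.append((ts, client, dst_host, hosts.get(host, hosts.get(dst_host))))
    return hits


if __name__ == "__main__":
    hashes, urls, hosts = load_iocs(IOC_TABLE)
    for path, desc in match_inventory(FILE_INVENTORY, hashes).items():
        print(f"file match: {path} -> {desc}")
    for ts, client, dst, desc in match_proxy_log(PROXY_LOG, hosts):
        print(f"network match: {ts} {client} -> {dst} ({desc})")
```

Matching on the destination host as well as the full URL is deliberate: the C2 indicator carries a port and a path (/ajax), but a beacon that changes either still reaches the same address. Hashes only identify the exact samples listed and will not match rebuilt binaries, which is why the behavioural checks on the rest of this page age better than this table.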
References
– https://www.ic3.gov/PSA/2025/PSA250305
– https://www.justice.gov/opa/pr/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global
– https://www.hhs.gov/sites/default/files/chinese-cyberspionage-campaign-targets-multiple-industries.pdf
– https://www.trellix.com/blogs/research/cyber-tools-and-foreign-policy/
– https://cloud.google.com/security/resources/insights/apt-groups
– https://scythe.io/threat-thursday/apt27
– https://attack.mitre.org/groups/G0027/
– https://hivepro.com/threat-advisory/apt27-group-uses-the-hyperbro-remote-access-trojan-to-inject-backdoors-into-victims-network/
– https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
– https://atheniantech.com/reports/Athenian-tech-APT-27-Threat-Analysis-Report.pdf
– https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html
– https://sed-cms.broadcom.com/system/files/threat-hunter-whitepaper/2025-04/2025_04_ChinaLinked_Espionage_Actors.pdf
– https://www.anomali.com/blog/anomali-cyber-watch-ransom-cartel-uses-dpapi-dumping-unknown-china-sponsored-group-targeted-telecommunications-alchimist-c2-framework-targets-multiple-operating-systems-and-more
– https://x.com/Unit42_Intel/status/1933565063736021372
– https://x.com/BfV_Bund/status/1811364839656185985
– https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
– https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10
– https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
– https://web.archive.org/web/20210104144857/https%3A//shared-public-reports.s3-eu-west-1.amazonaws.com/APT27%2Bturns%2Bto%2Bransomware.pdf
– https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
– https://www.cfr.org/cyber-operations/targeting-german-pharmaceutical-and-technology-firms
– https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop
– https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
– https://www.secureworks.com/research/bronze-union