Naikon, Group G0019 | MITRE ATT&CK®
Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN). [1] [2]
While Naikon shares some characteristics with APT30 , the two groups do not appear to be exact matches. [3]
ID: G0019
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 31 May 2017
Last Modified: 25 April 2025
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Naikon has modified a victim's Windows Run registry to establish persistence. [4] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | Naikon has used DLL side-loading to load malicious DLLs into legitimate executables. [5] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager. [4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables. [4] |
| Enterprise | T1046 | Network Service Discovery | Naikon has used the LadonGo scanner to scan target networks. [4] |
| Enterprise | T1137.006 | Office Application Startup: Add-ins | Naikon has used the RoyalRoad exploit builder to drop a second-stage loader, intel.wll, into the Word Startup folder on the compromised host. [5] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Naikon has used malicious e-mail attachments to deliver malware. [5] |
| Enterprise | T1018 | Remote System Discovery | Naikon has used a NetBIOS scanner for remote machine identification. [4] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Naikon has used schtasks.exe for lateral movement in compromised networks. [4] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Naikon uses commands such as netsh interface show to discover network interface settings. [2] |
| Enterprise | T1204.002 | User Execution: Malicious File | Naikon has convinced victims to open malicious attachments to execute malware. [5] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Naikon has used administrator credentials for lateral movement in compromised networks. [4] |
| Enterprise | T1047 | Windows Management Instrumentation | Naikon has used WMIC.exe for lateral movement. [4] |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0456 | Aria-body | [5] [4] | Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Local Storage Discovery, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery |
| S0095 | ftp | [2] | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer |
| S0061 | HDoor | [2] | Impair Defenses: Disable or Modify Tools, Network Service Discovery |
| S0630 | Nebulae | [4] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Native API, Non-Application Layer Protocol, Process Discovery |
| S0039 | Net | [2] [4] | Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery |
| S0108 | netsh | [2] | Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery |
| S0097 | Ping | [2] [4] | Remote System Discovery |
| S0029 | PsExec | [2] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution |
| S0629 | RainyDay | [4] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Proxy, Scheduled Task/Job: Scheduled Task, Screen Capture, System Service Discovery |
| S0055 | RARSTONE | [2] [1] | File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Injection: Dynamic-link Library Injection |
| S0058 | SslMM | [2] [1] | Access Token Manipulation, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, System Information Discovery, System Owner/User Discovery |
| S0060 | Sys10 | [2] | Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Permission Groups Discovery: Local Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery |
| S0096 | Systeminfo | [2] | System Information Discovery |
| S0057 | Tasklist | [2] | Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery |
| S0059 | WinMM | [2] [1] | Application Layer Protocol: Web Protocols, Fallback Channels, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery |
References

1. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.
2. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
3. Baumgartner, K., Golovkin, M. (2015, May 14). The Naikon APT. Retrieved January 14, 2015.
4. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
5. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.