Alias: APT 27, APT27, Bronze Union, Emissary Panda, Group 35, HIPPOTeam, Iron Tiger, Iron Tiger APT, Lucky Mouse, LuckyMouse, Operation Iron Tiger, TEMP.Hippo, TG-3390, Threat Group-3390, Threat Group 3390, ZipToken
ATK15 (aka Emissary Panda) is a cyber espionage group active since at least 2009 (the first spearphishing was spotted by TrendMicro on November 25, 2009) and likely based in the People's Republic of China. The group has a preference for leveraging strategic web compromise (SWC) and scan-and-exploit techniques to compromise target systems.
The cyber-spies also used proprietary remote access tools in attacks observed since 2016, including SysUpdate and HyperBro. A multi-stage malware, SysUpdate is used exclusively by the group, being delivered via multiple methods, including malicious Word documents leveraging Dynamic Data Exchange (DDE), manual deployment via stolen credentials, or via a redirect from a strategic web compromise (SWC).
Access to government resources is abused to conduct their campaign attacks. The HyperBro tool and the shikata_ga_nai compressor have been used in their recent campaigns. The group is known for its strategic web compromises and relies on a whitelist to deliver payloads. The group also has a tendency to compromise Microsoft Exchange servers.
Malware & Tools
Tools used by multiple threat groups:
Tools that appear to be exclusive to ATK15:
Publicly available tools:
REFERENCES