admin@338
Overview
admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.
Targets
Activists · Civil society · Finance · Government · Political party · Private sector · Trade
Regions
Hong Kong · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 12 techniques across 4 tactics
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Stealth
Discovery
- T1007 System Service Discovery
- T1016 System Network Configuration Discovery
- T1049 System Network Connections Discovery
- T1069.001 Local Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
Tools & malware (7)
BUBBLEWRAP · LOWBALL · Systeminfo · PoisonIvy · Net · netstat · ipconfig
Reporting (1)
- China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets — FireEye Threat Intelligence