APT5
Also known as: Mulberry Typhoon · MANGANESE · BRONZE FLEETWOOD · Keyhole Panda · UNC2630
Overview
APT5 is a China-based espionage actor that has been active since at least 2007, primarily targeting the telecommunications, aerospace, and defense industries in the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and a significant interest in compromising networking devices and their underlying software, including through the use of zero-day exploits.
Targets
Electronic · Technology · Telecommunications
Capabilities
- Exploitation of public-facing applications — ATT&CK T1190
- Custom malware/implant development — 8 custom malware families attributed in ATT&CK
TTPs — 29 techniques across 10 tactics
Resource Development
- T1583.005 Botnet
Initial Access
- T1190 Exploit Public-Facing Application
Execution
- T1053.003 Cron
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
Persistence
- T1098.007 Additional Local or Domain Groups
- T1136.001 Local Account
- T1505.003 Web Shell
- T1554 Compromise Host Software Binary
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1070 Indicator Removal
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1078.002 Domain Accounts
- T1078.004 Cloud Accounts
Defense Impairment
- T1562.001 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1083 File and Directory Discovery
- T1654 Log Enumeration
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.004 SSH
Collection
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
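Added example, not from the threatfilter.dev page nor from any APT5 report: a small Python hunt that applies generic string heuristics for four of the host-side techniques listed above (T1136.001 local account creation, T1098.007 group additions, T1053.003 cron persistence, T1070.003 command-history clearing) to a handful of constructed Linux sudo/bash audit lines and Windows command lines. The regexes are assumptions about common command forms for each technique, not APT5-specific indicators, and the log lines are made up for illustration. Treat hits as leads to triage rather than detections: every one of these commands is also used by legitimate administration, so the value is in the sequence (account created, added to an admin group, then history wiped) on a host where that is not expected.

```python
"""Hunt heuristics for a few techniques in the APT5 TTP list.

Added example, not from threatfilter.dev or any APT5 report. The regexes
are assumptions about common command forms for each technique, not
actor-specific indicators; the log lines are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str   # ATT&CK technique ID that fired
    line: str        # the log line that matched


# (ATT&CK ID, pattern). At most one hit per rule per line.
RULES = [
    # T1136.001 Create Account: Local Account
    # Linux useradd/adduser, Windows "net user <name> [<pw>] /add"
    ("T1136.001", re.compile(
        r"\b(?:useradd|adduser)\b|\bnet\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    # T1098.007 Account Manipulation: Additional Local or Domain Groups
    # usermod -G/-aG into a privileged group, "net localgroup <grp> <user> /add"
    ("T1098.007", re.compile(
        r"\busermod\b.*-(?:a\s*-?)?G\s+(?:sudo|wheel|root|adm)\b"
        r"|\bnet\s+(?:localgroup|group)\s+\S+\s+\S+\s+/add\b", re.I)),
    # T1053.003 Scheduled Task/Job: Cron
    # crontab edits/installs (but not "crontab -l"), files dropped into cron dirs
    ("T1053.003", re.compile(
        r"\bcrontab\s+-(?!l\b)\S*"
        r"|/etc/cron\.(?:d|hourly|daily|weekly|monthly)/"
        r"|/var/spool/cron/", re.I)),
    # T1070.003 Indicator Removal: Clear Command History
    ("T1070.003", re.compile(
        r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b"
        r"|\bHIST(?:FILE)?SIZE=0\b"
        r"|(?:>\s*|\b(?:rm|shred)\s+(?:-\w+\s+)*)\S*\.bash_history\b", re.I)),
]

# Constructed sample lines (not real telemetry): Linux sudo/bash audit lines,
# Windows process command lines, and two benign lines as controls.
SAMPLE_LOG = [
    "Mar 10 02:14:07 host1 sudo: www-data : COMMAND=/usr/sbin/useradd -m -s /bin/bash svc_backup",
    "Mar 10 02:14:12 host1 sudo: www-data : COMMAND=/usr/sbin/usermod -aG sudo svc_backup",
    "Mar 10 02:15:30 host1 sudo: svc_backup : COMMAND=/usr/bin/crontab -e",
    "Mar 10 02:15:31 host1 bash[4411]: echo '*/5 * * * * /tmp/.x/run.sh' > /etc/cron.d/sysupdate",
    "Mar 10 02:20:02 host1 bash[4411]: unset HISTFILE; history -c",
    "Mar 10 02:21:44 host1 bash[4411]: cat /dev/null > ~/.bash_history",
    "Mar 10 08:00:01 host1 CRON[5120]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 08:05:12 host1 sudo: alice : COMMAND=/usr/bin/apt update",
    "2024-03-10T02:30:00Z WIN01 cmd.exe: net user svc_backup P@ssw0rd! /add",
    "2024-03-10T02:30:05Z WIN01 cmd.exe: net localgroup Administrators svc_backup /add",
]


def hunt(lines):
    """Return one Hit per (rule, line) pair whose pattern matches."""
    hits = []
    for line in lines:
        for technique, pattern in RULES:
            if pattern.search(line):
                hits.append(Hit(technique, line))
    return hits


def count_by_technique(lines):
    """Map ATT&CK technique ID -> number of matching lines."""
    return dict(Counter(h.technique for h in hunt(lines)))


def techniques_seen(lines):
    """Sorted list of technique IDs that fired at least once."""
    return sorted(count_by_technique(lines))


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.technique}  {hit.line}")
    print(count_by_technique(SAMPLE_LOG))
```

On the sample, the two benign lines (the hourly cron run and the apt update) produce no hits, while the other eight lines each fire exactly one rule. The useful triage signal is the chain on host1 within a few minutes: a new local account, that account added to sudo, a cron job dropped, then the shell history wiped; any single line on its own is ambiguous.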
Tools & malware (13)
Tasklist · PoisonIvy · RAPIDPULSE · PcShare · Mimikatz · SLOWPULSE · SLIGHTPULSE · Skeleton Key · Net · PACEMAKER · gh0st RAT · PULSECHECK · netstat
Reporting (3)
- Digital threats from East Asia increase in breadth and effectiveness — Microsoft Threat Intelligence
- How Microsoft names threat actors — Microsoft
- APT5: Citrix ADC Threat Hunting Guidance — National Security Agency