BlackTech
Also known as: Palmerworm
Overview
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 5 attributed custom malware families
TTPs — 14 techniques across 6 tactics
Resource Development
- T1588.002 Tool
- T1588.003 Code Signing Certificates
- T1588.004 Digital Certificates
Initial Access
- T1190 Exploit Public-Facing Application
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1106 Native API
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Stealth
- T1036.002 Right-to-Left Override
- T1574.001 DLL
Discovery
Lateral Movement
- T1021.004 SSH
Tools & malware (6)
PLEAD · Kivars · PsExec · TSCookie · Flagpro · Waterbear
Reporting (3)
- China cyber attacks: the current threat landscape — Demboski, M., et al.
- Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors — Threat Intelligence
- Taiwan says China behind cyberattacks on government agencies, emails — Lee, Y