Cinnamon Tempest
Also known as: DEV-0401 · Emperor Dragonfly · BRONZE STARLIGHT
Overview
Cinnamon Tempest is a China-based threat group that has been active since at least 2021, deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate its ransomware on an affiliate model or purchase access from brokers, but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and the use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 5 attributed custom malware families
TTPs — 19 techniques across 10 tactics
Resource Development
- T1588.002 Tool
Initial Access
- (no techniques listed)
Execution
- T1047 Windows Management Instrumentation
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.006 Python
Persistence
- T1543.003 Windows Service
Stealth
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1574.001 DLL
Defense Impairment
- T1484.001 Group Policy Modification
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1080 Taint Shared Content
Command and Control
- T1090 Proxy
- T1105 Ingress Tool Transfer
- T1572 Protocol Tunneling
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1657 Financial Theft
Tools & malware (8)
Sliver · Pandora · PlugX · Cheerscrypt · Impacket · Cobalt Strike · HUI Loader · Rclone
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Revealing Emperor Dragonfly: Night Sky and Cheerscrypt - A Single Ransomware Group — Biderman, O. et al.
- BRONZE STARLIGHT Ransomware Operations Use HUI Loader — Counter Threat Unit Research Team