
APT15

aka: VIXEN PANDA, Ke3Chang, Playful Dragon, Metushy, Lurid, Social Network Team, Royal APT, BRONZE PALACE, BRONZE DAVENPORT, BRONZE IDLEWOOD, NICKEL, G0004, Red Vulture

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.


Associated Families
win.graphican

References
2023-06-21 | Symantec | Threat Hunter Team
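% Symantec report on the Graphican backdoor. The title uses the vendor name
% "Flea" and the URL slug ends in "apt15"; "Flea" is not among the aliases
% listed at the top of this page, so search on both names when pivoting.
% The author is a team, not a person: the extra braces keep BibTeX from
% splitting it into given name "Threat Hunter" and family name "Team".
@online{team:20230621:graphican:2379d97,
  author       = {{Threat Hunter Team}},
  title        = {{Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries}},
  date         = {2023-06-21},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15},
  language     = {English},
  urldate      = {2023-09-08},
}
Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries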
Graphican
2022-08-04 | Mandiant | Mandiant
% Mandiant's APT group overview page (vendor-side naming for the APTn tags listed below it).
@online{mandiant:20220804:advanced:afb8956,
  author       = {Mandiant},
  title        = {{Advanced Persistent Threats (APTs)}},
  date         = {2022-08-04},
  organization = {Mandiant},
  url          = {https://www.mandiant.com/resources/insights/apt-groups},
  language     = {English},
  urldate      = {2022-08-30},
}
Advanced Persistent Threats (APTs)
APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon
2022-04-28 | PWC | PWC UK
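% PWC annual threat retrospective (PDF download).
% Corporate author: without the extra braces BibTeX reads "PWC" as a given
% name and "UK" as the family name, which is also how the citation key ended
% up starting with "uk". The key is left as published.
@techreport{uk:20220428:cyber:46707aa,
  author      = {{PWC UK}},
  title       = {{Cyber Threats 2021: A Year in Retrospect}},
  date        = {2022-04-28},
  institution = {PWC},
  url         = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
  language    = {English},
  urldate     = {2023-07-02},
}
Cyber Threats 2021: A Year in Retrospect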
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2021-10-07 | Microsoft | Microsoft
% Microsoft Digital Defense Report, October 2021 edition.
% The URL is an opaque CMS download link; rely on title and date to identify the document.
@online{microsoft:20211007:microsoft:793e473,
  author       = {Microsoft},
  title        = {{Microsoft Digital Defense Report - October 2021}},
  date         = {2021-10-07},
  organization = {Microsoft},
  url          = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi},
  language     = {English},
  urldate      = {2021-10-11},
}
Microsoft Digital Defense Report - October 2021
APT15 APT31 APT40 APT5 Earth Lusca HAFNIUM
2020 | Secureworks | SecureWorks
% Secureworks threat profile; BRONZE PALACE is the Secureworks name listed among this page's aliases.
@online{secureworks:2020:bronze:134ec2b,
  author       = {SecureWorks},
  title        = {{BRONZE PALACE}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/bronze-palace},
  language     = {English},
  urldate      = {2020-05-23},
}
BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS APT15
2019-10-16 | Jay Rosenberg
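% NOTE(review): the recorded title is only "APT15" and the date is identical
% to urldate, while the URL slug reads
% "miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones". Title and
% date may be scrape artifacts rather than the article's own; confirm against
% the source before citing.
% The organization field was missing; it is filled in from the URL host
% (intezer.com) - confirm.
@online{rosenberg:20191016:apt15:d226ae8,
  author       = {Rosenberg, Jay},
  title        = {{APT15}},
  date         = {2019-10-16},
  organization = {Intezer},
  url          = {https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/},
  language     = {English},
  urldate      = {2019-10-16},
}
APT15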
Mirage MirageFox APT15
2019 | MITRE | MITRE ATT&CK
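% MITRE ATT&CK group page; G0004 in the URL matches the G0004 alias on this page.
% Two fixes in the author field: the ampersand is escaped so the name
% typesets in LaTeX, and the extra braces keep the corporate name from being
% split into given/family parts.
@online{attck:2019:ke3chang:89a4a35,
  author       = {{MITRE ATT\&CK}},
  title        = {{Group description: Ke3chang}},
  date         = {2019},
  organization = {MITRE},
  url          = {https://attack.mitre.org/groups/G0004/},
  language     = {English},
  urldate      = {2019-12-20},
}
Group description: Ke3chang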
APT15
2019 | Council on Foreign Relations | Cyber Operations Tracker
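% Council on Foreign Relations tracker entry filed under the name "Mirage".
% Corporate author: the extra braces stop BibTeX from treating "Tracker" as
% a family name (the citation key shows that split; it is left as published).
@online{tracker:2019:mirage:d5adee5,
  author       = {{Cyber Operations Tracker}},
  title        = {{Mirage}},
  date         = {2019},
  organization = {Council on Foreign Relations},
  url          = {https://www.cfr.org/interactive/cyber-operations/mirage},
  language     = {English},
  urldate      = {2019-12-20},
}
Mirage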
APT15
2018-03-16 | Github (nccgroup) | NCC Group PLC
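% NCC Group's public repository accompanying its APT15 research.
% Corporate author: the extra braces keep "NCC Group PLC" as one name instead
% of given name "NCC Group" and family name "PLC".
@online{plc:20180316:royal:7ff57f8,
  author       = {{NCC Group PLC}},
  title        = {{Royal APT - APT15 Repository}},
  date         = {2018-03-16},
  organization = {Github (nccgroup)},
  url          = {https://github.com/nccgroup/Royal_APT},
  language     = {English},
  urldate      = {2020-01-09},
}
Royal APT - APT15 Repository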
BS2005 MS Exchange Tool RoyalCli Royal DNS APT15
2018-03-10 | NCC Group | Rob Smallridge
% NCC Group analysis of the RoyalCli and RoyalDNS tooling.
@online{smallridge:20180310:apt15:e5e7ef0,
  author       = {Smallridge, Rob},
  title        = {{APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS}},
  date         = {2018-03-10},
  organization = {NCC Group},
  url          = {https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/},
  language     = {English},
  urldate      = {2021-04-29},
}
APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
BS2005 MS Exchange Tool RoyalCli Royal DNS APT15
2016-05-22 | Palo Alto Networks Unit 42 | Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn, Tom Keigher
% Unit 42 write-up on the TidePool malware family.
@online{yates:20160522:operation:9cfd4ae,
  author       = {Yates, Micah and Scott, Mike and Levene, Brandon and Miller-Osborn, Jen and Keigher, Tom},
  title        = {{Operation Ke3chang Resurfaces With New TidePool Malware}},
  date         = {2016-05-22},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/},
  language     = {English},
  urldate      = {2020-01-06},
}
Operation Ke3chang Resurfaces With New TidePool Malware
APT15
2015-04-15 | Ars Technica | Dan Goodin
% Ars Technica news article; the recorded URL uses plain http.
@online{goodin:20150415:elite:eaaea2d,
  author       = {Goodin, Dan},
  title        = {{Elite cyber crime group strikes back after attack by rival APT gang}},
  date         = {2015-04-15},
  organization = {Ars Technica},
  url          = {http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/},
  language     = {English},
  urldate      = {2019-11-29},
}
Elite cyber crime group strikes back after attack by rival APT gang
APT15
2014-09-04 | FireEye | Mike Scott, James T. Bennett
% FireEye blog post on the OS X variant of the XSLCmd backdoor.
@online{scott:20140904:forced:c6ce09b,
  author       = {Scott, Mike and Bennett, James T.},
  title        = {{Forced to Adapt: XSLCmd Backdoor Now on OS X}},
  date         = {2014-09-04},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Forced to Adapt: XSLCmd Backdoor Now on OS X
XSLCmd APT15
2014-08-13 | FireEye | FireEye
% NOTE(review): title and URL disagree in this record. The title reads
% "Operation Saffron Rose", but the URL filename is wp-operation-ke3chang.pdf,
% and the 2013-12-12 FireEye entry in this list carries the Ke3chang title.
% Confirm which report this record is meant to cite before relying on it for
% attribution; the entry is left exactly as published.
@techreport{fireeye:20140813:operation:acd2e2d, author = {FireEye}, title = {{Operation Saffron Rose}}, date = {2014-08-13}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf}, language = {English}, urldate = {2023-02-17} } Operation Saffron Rose
APT15
2013-12-12 | FireEye Inc | Nart Villeneuve, James T. Bennett, Ned Moran, Thoufique Haq, Mike Scott, Kenneth Geers
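% FireEye report on Operation Ke3chang; the recorded URL is on mandiant.com
% while the organization is given as FireEye Inc.
% Fix: the space after the colon in the title was missing.
% The curly quotes are UTF-8, so process this entry with a UTF-8-aware backend.
@online{villeneuve:20131212:operation:70b2323,
  author       = {Villeneuve, Nart and Bennett, James T. and Moran, Ned and Haq, Thoufique and Scott, Mike and Geers, Kenneth},
  title        = {{OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs}},
  date         = {2013-12-12},
  organization = {FireEye Inc},
  url          = {https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs},
  language     = {English},
  urldate      = {2023-01-25},
}
OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs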
Tidepool APT15

Credits: MISP Project