
APT16

aka: G0023, SVCMONDR

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.


Associated Families

There are currently no families associated with this actor.


References

2022-08-04 | Mandiant (Mandiant): "Advanced Persistent Threats (APTs)"
    Tags: APT1, APT10, APT12, APT14, APT15, APT16, APT17, APT18, APT19, APT2, APT20, APT21, APT22, APT23, APT24, APT27, APT3, APT30, APT31, APT4, APT40, APT5, APT9, Naikon

2019-01-01 | Council on Foreign Relations (Cyber Operations Tracker): "APT 16"
    Tags: APT16

2017-05-31 | MITRE (MITRE ATT&CK): "APT16"
    Tags: ELMER, APT16

2016-05-25 | Kaspersky Labs (GReAT): "CVE-2015-2545: overview of current threats"
    Tags: APT16, Danti

2015-12-16 | FireEye (Dan Caselden, Genwei Jiang, Ryann Winters): "The EPS Awakens"
    Tags: IRONHALO, APT16

Credits: MISP Project