
APT16

aka: SVCMONDR, G0023

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the EPS "dict copy" use-after-free vulnerability together with the local Windows privilege escalation vulnerability CVE-2015-1701. Successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO or a backdoor that we refer to as ELMER.


Associated Families

There are currently no families associated with this actor.


References
2022-08-04 | Mandiant | Author: Mandiant
Title: Advanced Persistent Threats (APTs)
URL: https://www.mandiant.com/resources/insights/apt-groups (retrieved 2022-08-30)
Related: APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9

2019 | Council on Foreign Relations | Author: Cyber Operations Tracker
Title: APT 16
URL: https://www.cfr.org/interactive/cyber-operations/apt-16 (retrieved 2019-12-20)
Related: APT16

2017-05-31 | MITRE | Author: MITRE ATT&CK
Title: APT16
URL: https://attack.mitre.org/groups/G0023 (retrieved 2022-07-05)
Related: ELMER, APT16

2016-05-25 | Kaspersky Labs | Author: GReAT
Title: CVE-2015-2545: overview of current threats
URL: https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ (retrieved 2019-12-20)
Related: APT16, Danti

2015-12-16 | FireEye | Authors: Genwei Jiang, Dan Caselden, Ryann Winters
Title: The EPS Awakens
URL: https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html (retrieved 2019-12-20)
Related: IRONHALO, APT16

Credits: MISP Project