APT9

aka: Group 27, NIGHTSHADE PANDA, Red Pegasus

APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, and remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors as well as backdoors that are believed to be custom but are used by multiple APT groups.


Associated Families
win.9002

References
2024-07-09 | TG Soft | Gianfranco Tonello, Michele Zuin
  Italian government agencies and companies in the target of a Chinese APT
  Tags: 9002 RAT

2024-02-21 | YouTube (SentinelOne) | Kris McConkey
  LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor
  Tags: 9002 RAT, PlugX, ShadowPad, Spyder, Earth Lusca

2022-09-15 | Symantec | Threat Hunter Team
  Webworm: Espionage Attackers Testing and Using Older Modified RATs
  Tags: 9002 RAT, Ghost RAT, Trochilus RAT

2022-08-04 | Mandiant | Mandiant
  Advanced Persistent Threats (APTs)
  Tags: APT1, APT10, APT12, APT14, APT15, APT16, APT17, APT18, APT19, APT2, APT20, APT21, APT22, APT23, APT24, APT27, APT3, APT30, APT31, APT4, APT40, APT5, APT9, Naikon

2022-04-28 | PWC | PWC UK
  Cyber Threats 2021: A Year in Retrospect
  Tags: BPFDoor, APT15, APT31, APT41, APT9, BlackTech, BRONZE EDGEWOOD, DAGGER PANDA, Earth Lusca, HAFNIUM, HAZY TIGER, Inception Framework, LOTUS PANDA, QUILTED TIGER, RedAlpha, Red Dev 17, Red Menshen, Red Nue, VICEROY TIGER

2021-09-02 | Mandiant | Mandiant
  Advanced Persistent Threats (APTs)
  Tags: APT9

2020-01-01 | Secureworks | SecureWorks
  BRONZE EXPRESS
  Tags: 9002 RAT, CHINACHOPPER, IsSpace, NewCT, PlugX, smac, APT26

2020-01-01 | Secureworks | SecureWorks
  BRONZE UNION
  Tags: 9002 RAT, CHINACHOPPER, Enfal, Ghost RAT, HttpBrowser, HyperBro, owaauth, PlugX, Poison Ivy, ZXShell, APT27

2020-01-01 | Secureworks | SecureWorks
  BRONZE FIRESTONE
  Tags: 9002 RAT, Derusbi, Empire Downloader, PlugX, Poison Ivy, APT19

2020-01-01 | Secureworks | SecureWorks
  BRONZE KEYSTONE
  Tags: 9002 RAT, BLACKCOFFEE, DeputyDog, Derusbi, HiKit, PlugX, Poison Ivy, ZXShell, APT17

2018-08-21 | Trend Micro | Jaromír Hořejší, Joseph C. Chen, Kawabata Kohei, Kenney Lu
  Operation Red Signature Targets South Korean Companies
  Tags: 9002 RAT, PlugX, Operation Red Signature

2018-08-21 | Trend Micro | Jaromír Hořejší, Joseph C. Chen, Kawabata Kohei, Kenney Lu
  Supply Chain Attack Operation Red Signature Targets South Korean Organizations
  Tags: 9002 RAT

2018-03-01 | CrySyS Lab | Boldizsar Bencsath
  Territorial Dispute – NSA’s perspective on APT landscape
  Tags: 9002 RAT, Agent.BTZ, DuQu, EYService, Flame, FlowerShop, Stuxnet, Uroburos

2017-08-25 | Proofpoint | Darien Huss, Matthew Mesa
  Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
  Tags: 9002 RAT

2017-05-31 | MITRE | MITRE ATT&CK
  Axiom
  Tags: 9002 RAT, BLACKCOFFEE, Derusbi, Ghost RAT, HiKit, PlugX, ZXShell, APT17

2017-03-30 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Josh Grunzweig
  Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations
  Tags: APT9

2016-01-12 | Softpedia News | Catalin Cimpanu
  Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia
  Tags: APT9

2015-09-23 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Robert Falcone
  Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media
  Tags: 9002 RAT

2015-08-01 | Arbor Networks | ASERT Team
  Uncovering the Seven Pointed Dagger
  Tags: 9002 RAT, EvilGrab, PlugX, Trochilus RAT, APT9

2015-07-31 | AlienVault OTX | KMEROLLA
  OTX: FBI Flash #68 (PlugX)
  Tags: APT9

2013-11-10 | FireEye | Mike Scott, Ned Moran, Sai Omkar Vashisht, Thoufique Haq
  Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
  Tags: 9002 RAT

2013-09-17 | Symantec | Branko Spasojevic, Jonell Baltazar, Jozsef Gegeny, Stephen Doherty
  Hidden Lynx – Professional Hackers for Hire
  Tags: 9002 RAT, HiKit, APT17

2013-05-20 | FireEye | Ned Moran
  Ready for Summer: The Sunshop Campaign
  Tags: 9002 RAT

2013-02-07 | FireEye | J. Gomez, Thoufique Haq
  LadyBoyle Comes to Town with a New Exploit
  Tags: 9002 RAT

2012-09-07 | Symantec | Gavin O'Gorman, Geoff McDonald
  The Elderwood Project
  Tags: 9002 RAT, Beijing Group

Credits: MISP Project