APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, and remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom but are used by multiple APT groups.
2024-07-09 ⋅ TG Soft ⋅ Italian government agencies and companies in the target of a Chinese APT 9002 RAT
2024-02-21 ⋅ YouTube (SentinelOne) ⋅ LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor 9002 RAT PlugX ShadowPad Spyder Earth Lusca
2022-09-15 ⋅ Symantec ⋅ Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT
2022-08-04 ⋅ Mandiant ⋅ Advanced Persistent Threats (APTs) APT1 APT10 APT12 APT14 APT15 APT16 APT17 APT18 APT19 APT2 APT20 APT21 APT22 APT23 APT24 APT27 APT3 APT30 APT31 APT4 APT40 APT5 APT9 Naikon
2022-04-28 ⋅ PWC ⋅ Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2021-09-02 ⋅ Mandiant ⋅ Advanced Persistent Threats (APTs) APT9
2020-01-01 ⋅ Secureworks ⋅ BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
2020-01-01 ⋅ Secureworks ⋅ BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020-01-01 ⋅ Secureworks ⋅ BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020-01-01 ⋅ Secureworks ⋅ BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2018-08-21 ⋅ Trend Micro ⋅ Operation Red Signature Targets South Korean Companies 9002 RAT PlugX Operation Red Signature
2018-08-21 ⋅ Trend Micro ⋅ Supply Chain Attack Operation Red Signature Targets South Korean Organizations 9002 RAT
2018-03-01 ⋅ CrySyS Lab ⋅ Territorial Dispute – NSA’s perspective on APT landscape 9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2017-08-25 ⋅ Proofpoint ⋅ Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures 9002 RAT
2017-05-31 ⋅ MITRE ⋅ Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2017-03-30 ⋅ Palo Alto Networks Unit 42 ⋅ Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations APT9
2016-01-12 ⋅ Softpedia News ⋅ Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia APT9
2015-09-23 ⋅ Palo Alto Networks Unit 42 ⋅ Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media 9002 RAT
2015-08-01 ⋅ Arbor Networks ⋅ Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT APT9
2015-07-31 ⋅ AlienVault OTX ⋅ OTX: FBI Flash #68 (PlugX) APT9
2013-11-10 ⋅ FireEye ⋅ Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method 9002 RAT
2013-09-17 ⋅ Symantec ⋅ Hidden Lynx – Professional Hackers for Hire 9002 RAT HiKit APT17
2013-05-20 ⋅ FireEye ⋅ Ready for Summer: The Sunshop Campaign 9002 RAT
2013-02-07 ⋅ FireEye ⋅ LadyBoyle Comes to Town with a New Exploit 9002 RAT
2012-09-07 ⋅ Symantec ⋅ The Elderwood Project 9002 RAT Beijing Group