| SYMBOL | COMMON_NAME | aka. SYNONYMS |
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.
| 2023-07-18
⋅
Mandiant
⋅
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear |
| 2022-12-30
⋅
Cyber And Ramen blog
⋅
A Quick Look at ELF Bifrose (Part 1) Bifrost |
| 2022-11-24
⋅
Twitter (@strinsert1Na)
⋅
Tweet on recent Bifrose activity Bifrost |
| 2022-09-29
⋅
NTT
⋅
Report on APT Attacks by BlackTech Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT |
| 2022-09-15
⋅
JPCERT/CC
⋅
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech Hipid |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Manga Taurus BlackTech |
| 2022-04-28
⋅
PWC
⋅
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
| 2022-03-22
⋅
JPCERT/CC
⋅
JSAC 2022 -Day 1- BlackTech |
| 2022-02-09
⋅
vmware
⋅
Exposing Malware in Linux-Based Multi-Cloud Environments ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike |
| 2022-01-25
⋅
Trend Micro
⋅
Ambiguously Black: The Current State of Earth Hundun's Arsenal Flagpro SPIDERPIG RAT |
| 2022-01-13
⋅
Twitter (@8th_grey_owl)
⋅
Tweet on SelfMake Loader SelfMake Loader |
| 2021-12-28
⋅
NTT
⋅
Flagpro: The new malware used by BlackTech Flagpro |
| 2021-12-16
⋅
Twitter (@nahamike01)
⋅
Tweet on SPIDERRAT malware used by CIRCUIT PANDA SPIDERPIG RAT |
| 2021-12-12
⋅
Cyber And Ramen blog
⋅
More Flagpro, More Problems Flagpro |
| 2021-10-08
⋅
⋅
NTT
⋅
Malware Flagpro used by targeted attack group BlackTech Flagpro |
| 2021-10-07
⋅
VB Localhost
⋅
Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits Flagpro |
| 2021-09-01
⋅
YouTube (Black Hat)
⋅
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-05-07
⋅
TEAMT5
⋅
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-04-13
⋅
Twitter (@ESETresearch)
⋅
Tweet on TSCookie for FreeBSD platform TSCookie |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2021-02-11
⋅
Cyber And Ramen blog
⋅
BlackTech Updates Elf-Plead Backdoor PLEAD |
| 2020-12-24
⋅
IronNet
⋅
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
| 2020-12-21
⋅
Intezer
⋅
Top Linux Cloud Threats of 2020 AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT |
| 2020-12-19
⋅
Cyber And Ramen blog
⋅
Persistence Pays Off: A Brief Look at BlackTech’s 2020 PLEAD TSCookie PLEAD |
| 2020-11-16
⋅
JPCERT/CC
⋅
ELF_PLEAD - Linux Malware Used by BlackTech PLEAD |
| 2020-10-08
⋅
ZDNet
⋅
Waterbear malware used in attack wave against government agencies Waterbear |
| 2020-09-29
⋅
Symantec
⋅
Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors KIVARS PLEAD BlackTech |
| 2020-08-19
⋅
⋅
TEAMT5
⋅
調查局 08/19 公布中國對台灣政府機關駭侵事件說明 Cobalt Strike Waterbear |
| 2020-05-01
⋅
Macnica Networks
⋅
Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019 TSCookie LODEINFO |
| 2020-04-15
⋅
⋅
TEAMT5
⋅
中國駭客 HUAPI 的惡意後門程式 BiFrost 分析 Bifrost |
| 2020-03-05
⋅
JPCERT/CC
⋅
ELF_TSCookie - Linux Malware Used by BlackTech TSCookie |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-01-17
⋅
JPCERT/CC
⋅
Looking back on the incidents in 2019 TSCookie NodeRAT Emotet PoshC2 Quasar RAT |
| 2020-01-14
⋅
TEAMT5
⋅
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT Waterbear |
| 2020-01-03
⋅
⋅
DayDayNews
⋅
Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function Waterbear |
| 2019-12-12
⋅
FireEye
⋅
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech |
| 2019-12-11
⋅
Trend Micro
⋅
Waterbear Returns, Uses API Hooking to Evade Security Waterbear |
| 2019-11-22
⋅
SANS Cyber Security Summit
⋅
Need for PLEAD: BlackTech Pursuit BLUETHER PLEAD |
| 2019-11-21
⋅
JPCERT/CC
⋅
IconDown – Downloader Used by BlackTech IconDown |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-10-01
⋅
⋅
Macnica Networks
⋅
Trends in Cyber Espionage Targeting Japan 1st Half of 2019 PLEAD TSCookie Datper PLEAD |
| 2019-09-18
⋅
JPCERT/CC
⋅
Malware Used by BlackTech after Network Intrusion PLEAD |
| 2019-08-01
⋅
Kaspersky Labs
⋅
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
| 2019-05-30
⋅
JPCERT/CC
⋅
Bug in Malware “TSCookie” - Fails to Read Configuration - (Update) PLEAD |
| 2019-05-14
⋅
ESET Research
⋅
Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage PLEAD BlackTech |
| 2019-04-01
⋅
⋅
Macnica Networks
⋅
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
| 2018-11-12
⋅
JPCERT/CC
⋅
Bug in Malware “TSCookie” - Fails to Read Configuration PLEAD |
| 2018-07-09
⋅
ESET Research
⋅
Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign PLEAD BlackTech |
| 2018-06-08
⋅
JPCERT/CC
⋅
PLEAD Downloader Used by BlackTech PLEAD |
| 2018-03-06
⋅
Malware “TSCookie” PLEAD |
| 2018-01-10
⋅
Freebuf
⋅
Analysis of BlackTech's latest APT attack PLEAD |
| 2017-06-22
⋅
Trend Micro
⋅
The Trail of BlackTech’s Cyber Espionage Campaigns bifrose KIVARS PLEAD |
| 2017-06-22
⋅
Trend Micro
⋅
Following the Trail of BlackTech’s Cyber Espionage Campaigns PLEAD BlackTech |
| 2017-06-01
⋅
Trend Micro
⋅
Following the Trail of BlackTech’s Cyber Espionage Campaigns PLEAD |
| 2016-04-13
⋅
FireEye
⋅
Ghosts in the Endpoint PLEAD |
| 2014-08-28
⋅
Trend Micro
⋅
BIFROSE Now More Evasive Through Tor, Used for Targeted Attack bifrose |
| 2014-07-02
⋅
Trend Micro
⋅
KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support” FakeWord KIVARS PLEAD Poison RAT Zeus |