aka: CIRCUIT PANDA, Temp.Overboard, HUAPI, Palmerworm, G0098, T-APT-03, Manga Taurus, Red Djinn
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech's campaigns are likely designed to steal their targets' technology.
Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.
PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD's toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install its backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents stolen and exfiltrated by DRIGO.
PLEAD actors use a router scanner tool to find vulnerable routers; the attackers then enable the router's VPN feature and register a machine as a virtual server. This virtual server is used either as a C&C server or as an HTTP server that delivers PLEAD malware to their targets.
2023-07-18 ⋅ Mandiant ⋅ Mandiant Intelligence
@online{intelligence:20230718:stealth:789e8b1,
author = {Mandiant Intelligence},
title = {{Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection}},
date = {2023-07-18},
organization = {Mandiant},
url = {https://www.mandiant.com/resources/blog/chinese-espionage-tactics},
language = {English},
urldate = {2023-07-19}
}
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear
2022-12-30 ⋅ Cyber And Ramen blog ⋅ CYBER&RAMEN
@online{cyberramen:20221230:quick:b75a34c,
author = {CYBER&RAMEN},
title = {{A Quick Look at ELF Bifrose (Part 1)}},
date = {2022-12-30},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/},
language = {English},
urldate = {2023-02-06}
}
A Quick Look at ELF Bifrose (Part 1) Bifrost
2022-11-24 ⋅ Twitter (@strinsert1Na) ⋅ MigawariIV
@online{migawariiv:20221124:recent:98d1c2e,
author = {MigawariIV},
title = {{Tweet on recent Bifrose activity}},
date = {2022-11-24},
organization = {Twitter (@strinsert1Na)},
url = {https://twitter.com/strinsert1Na/status/1595553530579890176},
language = {English},
urldate = {2022-11-25}
}
Tweet on recent Bifrose activity Bifrost
2022-09-29 ⋅ NTT ⋅ NTT Security Holdings Corporation
@techreport{corporation:20220929:report:1615dab,
author = {NTT Security Holdings Corporation},
title = {{Report on APT Attacks by BlackTech}},
date = {2022-09-29},
institution = {NTT},
url = {https://jp.security.ntt/resources/EN-BlackTech_2021.pdf},
language = {English},
urldate = {2022-09-30}
}
Report on APT Attacks by BlackTech Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT
2022-09-15 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20220915:f5:717ee99,
author = {Shusei Tomonaga},
title = {{F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech}},
date = {2022-09-15},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html},
language = {English},
urldate = {2022-09-19}
}
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech Hipid
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:manga:5eaad04,
author = {Unit 42},
title = {{Manga Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/mangataurus/},
language = {English},
urldate = {2022-07-29}
}
Manga Taurus BlackTech
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2023-07-02}
}
Cyber Threats 2021: A Year in Retrospect BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2022-02-09 ⋅ vmware ⋅ VMWare
@techreport{vmware:20220209:exposing:7b5f76e,
author = {VMWare},
title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
date = {2022-02-09},
institution = {vmware},
url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
language = {English},
urldate = {2022-02-10}
}
Exposing Malware in Linux-Based Multi-Cloud Environments ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022-01-25 ⋅ Trend Micro ⋅ Hara Hiroaki
@techreport{hiroaki:20220125:ambiguously:a846748,
author = {Hara Hiroaki},
title = {{Ambiguously Black: The Current State of Earth Hundun's Arsenal}},
date = {2022-01-25},
institution = {Trend Micro},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf},
language = {English},
urldate = {2022-04-04}
}
Ambiguously Black: The Current State of Earth Hundun's Arsenal Flagpro SPIDERPIG RAT
2022-01-13 ⋅ Twitter (@8th_grey_owl) ⋅ 8thGreyOwl
@online{8thgreyowl:20220113:selfmake:b0e52ab,
author = {8thGreyOwl},
title = {{Tweet on SelfMake Loader}},
date = {2022-01-13},
organization = {Twitter (@8th_grey_owl)},
url = {https://twitter.com/8th_grey_owl/status/1481433481485844483},
language = {English},
urldate = {2022-01-19}
}
Tweet on SelfMake Loader SelfMake Loader
2021-12-28 ⋅ NTT ⋅ Hiroki Hada
@online{hada:20211228:flagpro:1263fb7,
author = {Hiroki Hada},
title = {{Flagpro: The new malware used by BlackTech}},
date = {2021-12-28},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech},
language = {English},
urldate = {2021-12-31}
}
Flagpro: The new malware used by BlackTech Flagpro
2021-12-16 ⋅ Twitter (@nahamike01) ⋅ MikeR
@online{miker:20211216:spiderrat:e0c4858,
author = {MikeR},
title = {{Tweet on SPIDERRAT malware used by CIRCUIT PANDA}},
date = {2021-12-16},
organization = {Twitter (@nahamike01)},
url = {https://twitter.com/nahamike01/status/1471496800582664193?s=20},
language = {English},
urldate = {2022-01-17}
}
Tweet on SPIDERRAT malware used by CIRCUIT PANDA SPIDERPIG RAT
2021-12-12 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20211212:more:9f9c952,
author = {Mike R},
title = {{More Flagpro, More Problems}},
date = {2021-12-12},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/},
language = {English},
urldate = {2022-04-05}
}
More Flagpro, More Problems Flagpro
2021-10-08 ⋅ NTT ⋅ Hiroki Hada, Rintaro Koike, Fumio Ozawa
@online{hada:20211008:malware:bfcbd46,
author = {Hiroki Hada and Rintaro Koike and Fumio Ozawa},
title = {{Malware Flagpro used by targeted attack group BlackTech}},
date = {2021-10-08},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro},
language = {Japanese},
urldate = {2021-10-24}
}
Malware Flagpro used by targeted attack group BlackTech Flagpro
2021-10-07 ⋅ VB Localhost ⋅ Sveva Vittoria Scenarelli, Adam Prescott
@techreport{scenarelli:20211007:back:d7e0e71,
author = {Sveva Vittoria Scenarelli and Adam Prescott},
title = {{Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits}},
date = {2021-10-07},
institution = {VB Localhost},
url = {https://vblocalhost.com/uploads/VB2021-50.pdf},
language = {English},
urldate = {2022-06-29}
}
Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits Flagpro
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear
2021-04-13 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
@online{research:20210413:tscookie:affc5a0,
author = {ESET Research},
title = {{Tweet on TSCookie for FreeBSD platform}},
date = {2021-04-13},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1382054011264700416},
language = {English},
urldate = {2021-04-14}
}
Tweet on TSCookie for FreeBSD platform TSCookie
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-11 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20210211:blacktech:829b971,
author = {Mike R},
title = {{BlackTech Updates Elf-Plead Backdoor}},
date = {2021-02-11},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/},
language = {English},
urldate = {2022-04-05}
}
BlackTech Updates Elf-Plead Backdoor PLEAD
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
@online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PlugX Quasar RAT Winnti
2020-12-21 ⋅ Intezer ⋅ Intezer
@online{intezer:20201221:top:9529707,
author = {Intezer},
title = {{Top Linux Cloud Threats of 2020}},
date = {2020-12-21},
organization = {Intezer},
url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/},
language = {English},
urldate = {2020-12-26}
}
Top Linux Cloud Threats of 2020 AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess
2020-12-19 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20201219:persistence:b9043d9,
author = {Mike R},
title = {{Persistence Pays Off: A Brief Look at BlackTech’s 2020}},
date = {2020-12-19},
organization = {Cyber And Ramen blog},
url = {https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020},
language = {English},
urldate = {2021-01-01}
}
Persistence Pays Off: A Brief Look at BlackTech's 2020 PLEAD TSCookie
2020-11-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20201116:elfplead:3bb79c4,
author = {Shusei Tomonaga},
title = {{ELF_PLEAD - Linux Malware Used by BlackTech}},
date = {2020-11-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html},
language = {English},
urldate = {2020-11-17}
}
ELF_PLEAD - Linux Malware Used by BlackTech PLEAD
2020-10-08 ⋅ ZDNet ⋅ Charlie Osborne
@online{osborne:20201008:waterbear:9d810b3,
author = {Charlie Osborne},
title = {{Waterbear malware used in attack wave against government agencies}},
date = {2020-10-08},
organization = {ZDNet},
url = {https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/},
language = {English},
urldate = {2021-04-20}
}
Waterbear malware used in attack wave against government agencies Waterbear
2020-09-29 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200929:palmerworm:4a96e3b,
author = {Threat Hunter Team},
title = {{Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors}},
date = {2020-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt},
language = {English},
urldate = {2020-10-04}
}
Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors KIVARS PLEAD BlackTech
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2021-05-03}
}
MJIB 08/19 briefing on Chinese hacking attacks against Taiwanese government agencies Cobalt Strike Waterbear
2020-05-01 ⋅ Macnica Networks ⋅ TeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc,
author = {TeamT5 and Macnica Networks},
title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}},
date = {2020-05-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf},
language = {English},
urldate = {2021-02-26}
}
Cyber Espionage Tradecraft in the Real World: Adversaries targeting Japan in the second half of 2019 TSCookie LODEINFO
2020-04-15 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200415:huapi:c45f871,
author = {TeamT5},
title = {{中國駭客 HUAPI 的惡意後門程式 BiFrost 分析}},
date = {2020-04-15},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/},
language = {Chinese (Traditional)},
urldate = {2021-03-31}
}
Technical analysis of the BiFrost backdoor used by the Chinese APT group HUAPI Bifrost
2020-03-05 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20200305:elftscookie:f49b873,
author = {Shusei Tomonaga},
title = {{ELF_TSCookie - Linux Malware Used by BlackTech}},
date = {2020-03-05},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html},
language = {English},
urldate = {2020-03-09}
}
ELF_TSCookie - Linux Malware Used by BlackTech TSCookie
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-17 ⋅ JPCERT/CC ⋅ Takayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1,
author = {Takayoshi Shiigi},
title = {{Looking back on the incidents in 2019}},
date = {2020-01-17},
institution = {JPCERT/CC},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Looking back on the incidents in 2019 TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-14 ⋅ TEAMT5 ⋅ CiYi Yu, Aragorn Tseng
@techreport{yu:20200114:evil:20b2d83,
author = {CiYi Yu and Aragorn Tseng},
title = {{Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT}},
date = {2020-01-14},
institution = {TEAMT5},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf},
language = {English},
urldate = {2021-04-21}
}
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT Waterbear
2020-01-03 ⋅ DayDayNews ⋅ DayDayNews
@online{daydaynews:20200103:waterbear:b4818c4,
author = {DayDayNews},
title = {{Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function}},
date = {2020-01-03},
organization = {DayDayNews},
url = {https://daydaynews.cc/zh-tw/technology/297265.html},
language = {Chinese},
urldate = {2021-04-20}
}
Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function Waterbear
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-11 ⋅ Trend Micro ⋅ Vickie Su, Anita Hsieh, Dove Chiu
@online{su:20191211:waterbear:3538eb5,
author = {Vickie Su and Anita Hsieh and Dove Chiu},
title = {{Waterbear Returns, Uses API Hooking to Evade Security}},
date = {2019-12-11},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html},
language = {English},
urldate = {2021-04-20}
}
Waterbear Returns, Uses API Hooking to Evade Security Waterbear
2019-11-22 ⋅ SANS Cyber Security Summit ⋅ Sveva Vittoria Scenarelli, Rachel Mullan
@techreport{scenarelli:20191122:need:00f7cef,
author = {Sveva Vittoria Scenarelli and Rachel Mullan},
title = {{Need for PLEAD: BlackTech Pursuit}},
date = {2019-11-22},
institution = {SANS Cyber Security Summit},
url = {https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf},
language = {English},
urldate = {2021-01-25}
}
Need for PLEAD: BlackTech Pursuit BLUETHER PLEAD
2019-11-21 ⋅ JPCERT/CC ⋅ 田中 信太郎 (Shintaro Tanaka)
@online{tanaka:20191121:icondown:cb082bf,
author = {田中 信太郎(Shintaro Tanaka)},
title = {{IconDown – Downloader Used by BlackTech}},
date = {2019-11-21},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html},
language = {English},
urldate = {2020-01-08}
}
IconDown – Downloader Used by BlackTech IconDown
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20191001:trends:30fb713,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 1st Half of 2019}},
date = {2019-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 1st Half of 2019 PLEAD TSCookie Datper
2019-09-18 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20190918:malware:67390e7,
author = {Shusei Tomonaga},
title = {{Malware Used by BlackTech after Network Intrusion}},
date = {2019-09-18},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html},
language = {English},
urldate = {2019-11-16}
}
Malware Used by BlackTech after Network Intrusion PLEAD
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-30 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20190530:bug:cf70c8d,
author = {Shusei Tomonaga},
title = {{Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)}},
date = {2019-05-30},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html},
language = {English},
urldate = {2020-01-13}
}
Bug in Malware "TSCookie" - Fails to Read Configuration - (Update) PLEAD
2019-05-14 ⋅ ESET Research ⋅ Anton Cherepanov
@online{cherepanov:20190514:plead:3140588,
author = {Anton Cherepanov},
title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}},
date = {2019-05-14},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/},
language = {English},
urldate = {2019-11-14}
}
Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage PLEAD BlackTech
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2018-11-12 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20181112:bug:fe13af3,
author = {Shusei Tomonaga},
title = {{Bug in Malware “TSCookie” - Fails to Read Configuration}},
date = {2018-11-12},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html},
language = {English},
urldate = {2019-10-28}
}
Bug in Malware "TSCookie" - Fails to Read Configuration PLEAD
2018-07-09 ⋅ ESET Research ⋅ Anton Cherepanov
@online{cherepanov:20180709:certificates:ae214b6,
author = {Anton Cherepanov},
title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}},
date = {2018-07-09},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/},
language = {English},
urldate = {2019-11-14}
}
Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign PLEAD BlackTech
2018-06-08 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20180608:plead:046d5bc,
author = {Shusei Tomonaga},
title = {{PLEAD Downloader Used by BlackTech}},
date = {2018-06-08},
organization = {JPCERT/CC},
url = {https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html},
language = {English},
urldate = {2020-01-06}
}
PLEAD Downloader Used by BlackTech PLEAD
2018-03-06 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20180306:malware:f5fea73,
author = {Shusei Tomonaga},
title = {{Malware “TSCookie”}},
date = {2018-03-06},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html},
language = {English},
urldate = {2020-01-07}
}
Malware "TSCookie" PLEAD
2018-01-10 ⋅ Freebuf ⋅ Tencent Computer Manager
@online{manager:20180110:analysis:3a5fe83,
author = {Tencent Computer Manager},
title = {{Analysis of BlackTech's latest APT attack}},
date = {2018-01-10},
organization = {Freebuf},
url = {http://www.freebuf.com/column/159865.html},
language = {English},
urldate = {2020-01-08}
}
Analysis of BlackTech's latest APT attack PLEAD
2017-06-22 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:trail:ba78447,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06-22},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html},
language = {English},
urldate = {2021-01-29}
}
The Trail of BlackTech's Cyber Espionage Campaigns bifrose KIVARS PLEAD
2017-06-22 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:following:7126b3b,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06-22},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/},
language = {English},
urldate = {2019-12-24}
}
Following the Trail of BlackTech's Cyber Espionage Campaigns PLEAD BlackTech
2017-06 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@techreport{bermejo:201706:following:61e6dae,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf},
language = {English},
urldate = {2020-01-07}
}
Following the Trail of BlackTech's Cyber Espionage Campaigns (appendix) PLEAD
2016-04-13 ⋅ FireEye ⋅ Daniel Regalado, Taha Karim, Varun Jian, Erye Hernandez
@online{regalado:20160413:ghosts:5d2944f,
author = {Daniel Regalado and Taha Karim and Varun Jian and Erye Hernandez},
title = {{Ghosts in the Endpoint}},
date = {2016-04-13},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html},
language = {English},
urldate = {2020-04-20}
}
Ghosts in the Endpoint PLEAD
2014-08-28 ⋅ Trend Micro ⋅ Christopher Daniel So
@online{so:20140828:bifrose:e63b72a,
author = {Christopher Daniel So},
title = {{BIFROSE Now More Evasive Through Tor, Used for Targeted Attack}},
date = {2014-08-28},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/},
language = {English},
urldate = {2021-01-27}
}
BIFROSE Now More Evasive Through Tor, Used for Targeted Attack bifrose
2014-07-02 ⋅ Trend Micro ⋅ Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877,
author = {Kervin Alintanahin and Ronnie Giagone},
title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}},
date = {2014-07-02},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/},
language = {English},
urldate = {2020-06-19}
}
KIVARS With Venom: Targeted Attacks Upgrade with 64-bit "Support" FakeWord KIVARS PLEAD Poison RAT Zeus