SYMBOLCOMMON_NAMEaka. SYNONYMS

BlackTech  (Back to overview)

aka: CIRCUIT PANDA, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.


Associated Families
elf.bifrost elf.hipid elf.plead elf.tscookie win.bifrose win.bluether win.waterbear win.flagpro win.icondown win.plead win.selfmake win.spider_rat

References
2023-07-18MandiantMandiant Intelligence
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear
2022-12-30Cyber And Ramen blogCYBER&RAMEN
A Quick Look at ELF Bifrose (Part 1)
Bifrost
2022-11-24Twitter (@strinsert1Na)MigawariIV
Tweet on recent Bifrose activity
Bifrost
2022-09-29NTTNTT Security Holdings Corporation
Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT
2022-09-15JPCERT/CCShusei Tomonaga
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech
Hipid
2022-07-18Palo Alto Networks Unit 42Unit 42
Manga Taurus
BlackTech
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2022-02-09vmwareVMWare
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike
2022-01-25Trend MicroHara Hiroaki
Ambiguously Black: The Current State of Earth Hundun's Arsenal
Flagpro SPIDERPIG RAT
2022-01-13Twitter (@8th_grey_owl)8thGreyOwl
Tweet on SelfMake Loader
SelfMake Loader
2021-12-28NTTHiroki Hada
Flagpro: The new malware used by BlackTech
Flagpro
2021-12-16Twitter (@nahamike01)MikeR
Tweet on SPIDERRAT malware used by CIRCUIT PANDA
SPIDERPIG RAT
2021-12-12Cyber And Ramen blogMike R
More Flagpro, More Problems
Flagpro
2021-10-08NTTFumio Ozawa, Hiroki Hada, Rintaro Koike
Malware Flagpro used by targeted attack group BlackTech
Flagpro
2021-10-07VB LocalhostAdam Prescott, Sveva Vittoria Scenarelli
Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits
Flagpro
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-05-07TEAMT5Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-04-13Twitter (@ESETresearch)ESET Research
Tweet on TSCookie for FreeBSD platform
TSCookie
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-11Cyber And Ramen blogMike R
BlackTech Updates Elf-Plead Backdoor
PLEAD
2020-12-24IronNetAdam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-21IntezerIntezer
Top Linux Cloud Threats of 2020
AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT
2020-12-19Cyber And Ramen blogMike R
Persistence Pays Off: A Brief Look at BlackTech’s 2020
PLEAD TSCookie PLEAD
2020-11-16JPCERT/CCShusei Tomonaga
ELF_PLEAD - Linux Malware Used by BlackTech
PLEAD
2020-10-08ZDNetCharlie Osborne
Waterbear malware used in attack wave against government agencies
Waterbear
2020-09-29SymantecThreat Hunter Team
Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
KIVARS PLEAD BlackTech
2020-08-19TEAMT5TeamT5
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear
2020-05-01Macnica NetworksMacnica Networks, TeamT5
Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO
2020-04-15TEAMT5TeamT5
中國駭客 HUAPI 的惡意後門程式 BiFrost 分析
Bifrost
2020-03-05JPCERT/CCShusei Tomonaga
ELF_TSCookie - Linux Malware Used by BlackTech
TSCookie
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-17JPCERT/CCTakayoshi Shiigi
Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-14TEAMT5Aragorn Tseng, CiYi Yu
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Waterbear
2020-01-03DayDayNewsDayDayNews
Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function
Waterbear
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-11Trend MicroAnita Hsieh, Dove Chiu, Vickie Su
Waterbear Returns, Uses API Hooking to Evade Security
Waterbear
2019-11-22SANS Cyber Security SummitRachel Mullan, Sveva Vittoria Scenarelli
Need for PLEAD: BlackTech Pursuit
BLUETHER PLEAD
2019-11-21JPCERT/CC田中 信太郎(Shintaro Tanaka)
IconDown – Downloader Used by BlackTech
IconDown
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-10-01Macnica NetworksMacnica Networks
Trends in Cyber ​​Espionage Targeting Japan 1st Half of 2019
PLEAD TSCookie Datper PLEAD
2019-09-18JPCERT/CCShusei Tomonaga
Malware Used by BlackTech after Network Intrusion
PLEAD
2019-08-01Kaspersky LabsGReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-30JPCERT/CCShusei Tomonaga
Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)
PLEAD
2019-05-14ESET ResearchAnton Cherepanov
Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage
PLEAD BlackTech
2019-04-01Macnica NetworksMacnica Networks
Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2018-11-12JPCERT/CCShusei Tomonaga
Bug in Malware “TSCookie” - Fails to Read Configuration
PLEAD
2018-07-09ESET ResearchAnton Cherepanov
Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign
PLEAD BlackTech
2018-06-08JPCERT/CCShusei Tomonaga
PLEAD Downloader Used by BlackTech
PLEAD
2018-03-06Shusei Tomonaga
Malware “TSCookie”
PLEAD
2018-01-10FreebufTencent Computer Manager
Analysis of BlackTech's latest APT attack
PLEAD
2017-06-22Trend MicroCH Lei, Lenart Bermejo, Razor Huang
The Trail of BlackTech’s Cyber Espionage Campaigns
bifrose KIVARS PLEAD
2017-06-22Trend MicroCH Lei, Lenart Bermejo, Razor Huang
Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD BlackTech
2017-06-01Trend MicroCH Lei, Lenart Bermejo, Razor Huang
Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD
2016-04-13FireEyeDaniel Regalado, Erye Hernandez, Taha Karim, Varun Jian
Ghosts in the Endpoint
PLEAD
2014-08-28Trend MicroChristopher Daniel So
BIFROSE Now More Evasive Through Tor, Used for Targeted Attack
bifrose
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus

Credits: MISP Project