| SYMBOL | COMMON_NAME | aka. SYNONYMS |
BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property theft or conducting espionage.
There are currently no families associated with this actor.
| 2022-05-11 ⋅ TEAMT5 ⋅ To loot or Not to Loot? That Is Not a Question - When State-Nexus APT Targets Online Entertainment Industry APT27 BRONZE STARLIGHT SLIME29 TianWu |
| 2022-05-09 ⋅ Microsoft ⋅ Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
| 2022-04-27 ⋅ Sentinel LABS ⋅ LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility Cobalt Strike LockBit BRONZE STARLIGHT |
| 2022-01-11 ⋅ Twitter (@cglyer) ⋅ Tweet on CN based ransomware operator using log4shell to deploy NightSky NightSky BRONZE STARLIGHT |
| 2021-12-11 ⋅ Microsoft ⋅ Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability Khonsari NightSky BRONZE STARLIGHT |