Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.
Date ⋅ Source ⋅ Title and tags

2023-04-05 ⋅ Medium Ilandu ⋅ PortDoor - APT Backdoor analysis ACBackdoor 8.t Dropper PortDoor
2023-03-07 ⋅ Check Point Research ⋅ Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities 5.t Downloader 8.t Dropper Soul
2023-02-07 ⋅ MalGamy ⋅ The Approach of TA413 for Tibetan Targets 8.t Dropper LOWZERO
2022-11-30 ⋅ FFRI Security ⋅ Evolution of the PlugX loader PlugX Poison Ivy
2022-09-22 ⋅ Recorded Future ⋅ Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets 8.t Dropper LOWZERO
2022-08-22 ⋅ Fortinet ⋅ A Tale of PivNoxy and Chinoxy Puppeteer Chinoxy Poison Ivy
2022-08-08 ⋅ Kaspersky ⋅ Targeted attack on industrial enterprises and public institutions Cotx RAT Logtu nccTrojan PortDoor
2022-07-31 ⋅ BushidoToken Blog ⋅ Space Invaders: Cyber Threats That Are Out Of This World Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Shallow Taurus FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Crawling Taurus Poison Ivy APT20
2022-07-07 ⋅ Sentinel LABS ⋅ Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs 8.t Dropper Korlia Tonto Team
2022-05-17 ⋅ Positive Technologies ⋅ Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-16 ⋅ JPCERT/CC ⋅ Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT
2021-11-17 ⋅ Trend Micro ⋅ Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR Cobalt Strike Cotx RAT
2021-10-26 ⋅ Kaspersky ⋅ APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-09-23 ⋅ ESET Research ⋅ Tweet on C# variant of the nccTrojan nccTrojan
2021-08-03 ⋅ Group-IB ⋅ The Art of Cyberwarfare: Chinese APTs attack Russia Albaniiutas TaskMasters
2021-08-03 ⋅ Group-IB ⋅ The Art of Cyberwarfare Chinese APTs attack Russia Albaniiutas Mail-O SManager TA428
2021-06-16 ⋅ Recorded Future ⋅ Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-06-08 ⋅ Sentinel LABS ⋅ ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op Mail-O Tmanger TA428
2021-06-08 ⋅ SentinelOne ⋅ ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op Mail-O SManager Tmanger
2021-04-02 ⋅ Dr.Web ⋅ Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428
2021-03-17 ⋅ Recorded Future ⋅ China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy TA428
2021-02-28 ⋅ PWC UK ⋅ Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-18 ⋅ NTT Security ⋅ nccTrojan used in targeted attack by TA428 group against defense and aviation organizations nccTrojan
2021-02-01 ⋅ ESET Research ⋅ Operation NightScout: Supply-chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-01-15 ⋅ Swisscom ⋅ Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-13 ⋅ AlienVault ⋅ A Global Perspective of the SideWinder APT 8.t Dropper Koadic SideWinder
2021-01-08 ⋅ Youtube (Virus Bulletin) ⋅ Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger TA428
2021-01-04 ⋅ nao_sec blog ⋅ Royal Road! Re:Dive 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 ⋅ NTT Security ⋅ Panda’s New Arsenal: Part 3 Smanager FunnyDream SManager Tmanger
2020-12-10 ⋅ ESET Research ⋅ Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger
2020-12-10 ⋅ ESET Research ⋅ Operation StealthyTrident: corporate software under attack HyperBro PlugX Tmanger TA428
2020-12-09 ⋅ Avast Decoded ⋅ APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX PolPo Tmanger
2020-12-09 ⋅ Avast Decoded ⋅ APT Group Targeting Governmental Agencies in East Asia LaZagne Albaniiutas HyperBro MimiKatz PolPo Tmanger TaskMasters
2020-12-09 ⋅ Avast Decoded ⋅ APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX Tmanger TA428
2020-11-26 ⋅ Medium Sebdraven ⋅ Actor behind Operation LagTime targets Russia nccTrojan
2020-11-18 ⋅ NTT Security ⋅ Panda’s New Arsenal: Part 2 Albaniiutas Albaniiutas
2020-10-30 ⋅ YouTube (Kaspersky Tech) ⋅ Around the world in 80 days 4.2bn packets Cobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti
2020-10-15 ⋅ NTT Security ⋅ Panda’s New Arsenal: Part 1 Tmanger Tmanger
2020-10-01 ⋅ US-CERT ⋅ Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy
2020-09-30 ⋅ NTT Security ⋅ Operation LagTime IT: colourful Panda footprint (Slides) Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-30 ⋅ NTT Security ⋅ Operation LagTime IT: colourful Panda footprint Cotx RAT nccTrojan Poison Ivy Tmanger
2020-09-16 ⋅ RiskIQ ⋅ RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy
2020-08-28 ⋅ NTT ⋅ Operation Lagtime IT: Colourful Panda Footprint Cotx RAT Poison Ivy TA428
2020-08-19 ⋅ NTT Security ⋅ Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428
2020-08-19 ⋅ RiskIQ ⋅ RiskIQ Adventures in Cookie Land - Part 1 8.t Dropper Chinoxy
2020-06-03 ⋅ Kaspersky Labs ⋅ Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-03-21 ⋅ MalwareLab.pl ⋅ On the Royal Road 8.t Dropper
2020-03-20 ⋅ Medium Sebdraven ⋅ New version of chinoxy backdoor using COVID19 alerts document lure 8.t Dropper Chinoxy
2020-03-12 ⋅ Check Point ⋅ Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-12 ⋅ Check Point Research ⋅ Vicious Panda: The COVID Campaign 8.t Dropper Vicious Panda
2020-03-11 ⋅ Virus Bulletin ⋅ Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers 8.t Dropper
2020-03-04 ⋅ CrowdStrike ⋅ 2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-02 ⋅ Virus Bulletin ⋅ Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy
2020-01-29 ⋅ nao_sec blog ⋅ An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020-01-09 ⋅ Lab52 ⋅ TA428 Group abusing recent conflict between Iran and USA Poison Ivy
2020-01-01 ⋅ Secureworks ⋅ ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2020-01-01 ⋅ Secureworks ⋅ BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
2020-01-01 ⋅ Secureworks ⋅ BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
2020-01-01 ⋅ Secureworks ⋅ BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020-01-01 ⋅ Secureworks ⋅ BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
2019-12-12 ⋅ Microsoft ⋅ GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19 ⋅ FireEye ⋅ Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-09-22 ⋅ Check Point Research ⋅ Rancor: The Year of The Phish 8.t Dropper Cobalt Strike
2019-07-23 ⋅ Proofpoint ⋅ Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428
2019-06-25 ⋅ Cybereason ⋅ OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell
2019-03-05 ⋅ Accenture ⋅ MUDCARP's Focus on Submarine Technologies 8.t Dropper APT40
2019-01-03 ⋅ ⋅ Another malicious document with CVE-2017-11882 8.t Dropper
2019-01-01 ⋅ Virus Bulletin ⋅ A vine climbing over the Great Firewall: A long-term attack against China Poison Ivy ZXShell
2018-11-03 ⋅ ⋅ Là 1937CN hay OceanLotus hay Lazarus … 8.t Dropper
2018-09-21 ⋅ Qihoo 360 Technology ⋅ Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment Poison Ivy
2018-07-31 ⋅ Medium Sebdraven ⋅ Malicious document targets Vietnamese officials 8.t Dropper
2018-07-31 ⋅ Medium Sebdraven ⋅ Malicious document targets Vietnamese officials 8.t Dropper PlugX 1937CN
2018-05-15 ⋅ BSides Detroit ⋅ IR in Heterogeneous Environment Korlia Poison Ivy
2017-09-15 ⋅ Fortinet ⋅ Deep Analysis of New Poison Ivy/PlugX Variant - Part II Poison Ivy
2017-08-31 ⋅ NCC Group ⋅ Analysing a recent Poison Ivy sample Poison Ivy
2017-08-23 ⋅ Fortinet ⋅ Deep Analysis of New Poison Ivy Variant Poison Ivy
2017-05-31 ⋅ MITRE ⋅ PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24
2016-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy Poison Ivy
2016-04-26 ⋅ Github (CyberMonitor) ⋅ New Poison Ivy Activity Targeting Myanmar, Asian Countries Poison Ivy
2016-04-22 ⋅ Palo Alto Networks Unit 42 ⋅ New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists Poison Ivy
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2014-09-19 ⋅ Palo Alto Networks Unit 42 ⋅ Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy Poison Ivy
2014-01-01 ⋅ FireEye ⋅ Operation Quantum Entanglement IsSpace NewCT Poison Ivy SysGet
2013-10-31 ⋅ FireEye ⋅ Know Your Enemy: Tracking A Rapidly Evolving APT Actor Bozok Poison Ivy TEMPER PANDA
2013-08-23 ⋅ FireEye ⋅ Operation Molerats: Middle East Cyber Attacks Using Poison Ivy Poison Ivy Molerats
2011-01-01 ⋅ Symantec ⋅ The Nitro Attacks: Stealing Secrets from the Chemical Industry Poison Ivy Nitro
2010-01-01 ⋅ Mandiant ⋅ State of Malware: Family Ties Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus