Tick (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Tick (Back to overview)

aka: BRONZE BUTLER, G0060, Nian, PLA Unit 61419, REDBALDKNIGHT, STALKER PANDA, Stalker Taurus

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.

Associated Families

js.node_rat win.8t_dropper win.broler win.daserf win.datper win.lilith win.rarstar win.xxmm

References

2023-11-10 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team
Detection of attacks exploiting asset management software (Andariel Group)
Lilith Tiger RAT

2023-04-05 ⋅ Medium Ilandu ⋅ Ilan Duhin
PortDoor - APT Backdoor analysis
ACBackdoor 8.t Dropper PortDoor

2023-03-07 ⋅ Check Point Research ⋅ Check Point Research
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
5.t Downloader 8.t Dropper Soul

2023-02-23 ⋅ Symantec ⋅ Threat Hunter Team
Clasiopa: New Group Targets Materials Research
Atharvan HazyLoad Lilith

2023-02-07 ⋅ MalGamy ⋅ MalGamy
The Approach of TA413 for Tibetan Targets
8.t Dropper LOWZERO

2022-10-05 ⋅ Zscaler ⋅ Aditya Sharma, Shatak Jain
Analysis of LilithBot Malware and Eternity Threat Group
Eternity Clipper Eternity Stealer Lilith

2022-09-22 ⋅ Recorded Future ⋅ Insikt Group®
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets
8.t Dropper LOWZERO

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Stalker Taurus
Tick

2022-07-12 ⋅ cyble ⋅ Cyble Research Labs
New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns
RedAlert Ransomware Lilith

2022-07-07 ⋅ Sentinel LABS ⋅ Tom Hegel
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs
8.t Dropper Korlia Tonto Team

2022-05-18 ⋅ Yoroi ⋅ Carmelo Ragusa, Luigi Martire, Yoroi Malware ZLab
A deep dive into Eternity Group: A new emerging Cyber Threat
Eternity Ransomware Eternity Stealer Eternity Worm Lilith

2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal
AllaKore Lilith NjRAT

2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal (IOCs)
AllaKore Lilith NjRAT

2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal (Network IOCs)
AllaKore Lilith NjRAT

2021-07-02 ⋅ Cisco ⋅ Asheer Malhotra, Justin Thattil
InSideCopy: How this APT continues to evolve its arsenal
AllaKore CetaRAT Lilith NjRAT ReverseRAT

2021-04-20 ⋅ Twitter (@iiyonite) ⋅ Stefan Soesanto
Tweet on Uniti 61419
Tick

2021-03-10 ⋅ ESET Research ⋅ Mathieu Tartare, Matthieu Faou, Thomas Dupuy
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-01-13 ⋅ AlienVault ⋅ Tom Hegel
A Global Perspective of the SideWinder APT
8.t Dropper Koadic SideWinder

2021-01-04 ⋅ nao_sec blog ⋅ nao_sec
Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback

2020-09-16 ⋅ RiskIQ ⋅ Jon Gross
RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy

2020-08-19 ⋅ RiskIQ ⋅ Cory Kennedy, Jon Gross
RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy

2020-08-19 ⋅ NTT Security ⋅ Fumio Ozawa, Rintaro Koike, Shogo Hayashi
Operation LagTime IT: Colorful Panda Footprint
8.t Dropper Cotx RAT Poison Ivy TA428

2020-06-03 ⋅ Kaspersky Labs ⋅ Giampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing

2020-03-21 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz
On the Royal Road
8.t Dropper

2020-03-20 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy

2020-03-12 ⋅ Check Point ⋅ Check Point Research
Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy

2020-03-12 ⋅ Check Point Research ⋅ Check Point
Vicious Panda: The COVID Campaign
8.t Dropper Vicious Panda

2020-03-11 ⋅ Virus Bulletin ⋅ Ghareeb Saad, Michael Raggi
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-28 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks
Tick Group Aiming at Japanese Manufacturing
Datper xxmm

2020-01-17 ⋅ JPCERT/CC ⋅ Takayoshi Shiigi
Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE BUTLER
Daserf xxmm Tick

2019-11-29 ⋅ Trend Micro ⋅ Hiroyuki Kakara, Joey Chen, Masaoki Shoji
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
Datper Lilith

2019-11-29 ⋅ Trend Micro ⋅ Hiroyuki Kakara, Joey Chen, Masaoki Shoji
Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data
BROLER

2019-11-11 ⋅ Virus Bulletin ⋅ Hiroshi Soeda, Shusei Tomonaga, Tomoaki Tani, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX

2019-10-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks
Trends in Cyber Espionage Targeting Japan 1st Half of 2019
PLEAD TSCookie Datper PLEAD

2019-09-22 ⋅ Check Point Research ⋅ Check Point Research
Rancor: The Year of The Phish
8.t Dropper Cobalt Strike

2019-09-19 ⋅ GitHub (werkamsus) ⋅ werkamsus
Lilith
Lilith

2019-07-23 ⋅ Proofpoint ⋅ Dennis Schwarz, Michael Raggi, Proofpoint Threat Insight Team
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT Poison Ivy TA428

2019-04-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy

2019-03-05 ⋅ Accenture ⋅ Accenture
MUDCARP's Focus on Submarine Technologies
8.t Dropper APT40

2019-02-19 ⋅ ⋅ JPCERT/CC ⋅ Shusei Tomonaga
攻撃グループTickによる日本の組織をターゲットにした攻撃活動
NodeRAT

2019-01-18 ⋅ Dell Secureworks ⋅ You Nakatsuru
Understanding Command and Control - An Anatomy of xxmm Communication
xxmm

2019-01-03 ⋅ ⋅ m4n0w4r
Another malicious document with CVE-2017–11882
8.t Dropper

2019-01-01 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: BRONZE BUTLER
Tick

2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Bronze Butler
Tick

2018-11-03 ⋅ ⋅ m4n0w4r
Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper

2018-10-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm

2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper PlugX 1937CN

2018-07-31 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper

2017-11-07 ⋅ Trend Micro ⋅ Trendmicro
REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Daserf Datper xxmm

2017-11-07 ⋅ Trend Micro ⋅ Joey Chen, MingYen Hsieh
REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography
Tick

2017-10-12 ⋅ Secureworks ⋅ CTU Research Team
BRONZE BUTLER Targets Japanese Enterprises
Daserf Datper rarstar xxmm Tick

2017-08-21 ⋅ JPCERT/CC ⋅ Yu Nakamura
Detecting Datper Malware from Proxy Logs
Datper Tick

2017-07-25 ⋅ Palo Alto Networks Unit 42 ⋅ Kaoru Hayashi
“Tick” Group Continues Attacks
Daserf Tick

2017-06-28 ⋅ ⋅ Secureworks ⋅ SecureWorks
日本企業を狙う高度なサイバー攻撃の全貌 – BRONZE BUTLER
Tick

2017-04-25 ⋅ Cybereason ⋅ Assaf Dahan
ShadowWali: New variant of the xxmm family of backdoors
xxmm

2016-04-28 ⋅ Symantec ⋅ Jon DiMaggio
Tick cyberespionage group zeros in on Japan
Tick

2015-08-14 ⋅ Raytheon Blackbird Technologies ⋅ Raytheon Blackbird Technologies
Stalker Panda
Tick

Credits: MISP Project