aka: Nian, BRONZE BUTLER, REDBALDKNIGHT, STALKER PANDA, G0060, Stalker Taurus, PLA Unit 61419
Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.
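@comment{Tick actor reference; families tagged for this entry on the source page: ACBackdoor 8.t Dropper PortDoor}
@online{duhin:20230405:portdoor:e39d907,
  author       = {Duhin, Ilan},
  title        = {{PortDoor - APT Backdoor analysis}},
  date         = {2023-04-05},
  organization = {Medium Ilandu},
  url          = {https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba},
  language     = {English},
  urldate      = {2023-04-06},
}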
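@comment{Tick actor reference; families tagged for this entry on the source page: 5.t Downloader 8.t Dropper Soul; corporate author braced as one literal name}
@online{research:20230307:pandas:2e3c757,
  author       = {{Check Point Research}},
  title        = {{Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities}},
  date         = {2023-03-07},
  organization = {Check Point Research},
  url          = {https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/},
  language     = {English},
  urldate      = {2023-07-24},
}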
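@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper LOWZERO; handle author braced as one literal name}
@online{malgamy:20230207:approach:ef67110,
  author       = {{MalGamy}},
  title        = {{The Approach of TA413 for Tibetan Targets}},
  date         = {2023-02-07},
  organization = {MalGamy},
  url          = {https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage},
  language     = {English},
  urldate      = {2023-02-09},
}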
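@comment{Tick actor reference; families tagged for this entry on the source page: Eternity Clipper Eternity Stealer Lilith}
@online{jain:20221005:analysis:6dd7539,
  author       = {Jain, Shatak and Sharma, Aditya},
  title        = {{Analysis of LilithBot Malware and Eternity Threat Group}},
  date         = {2022-10-05},
  organization = {Zscaler},
  url          = {https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group},
  language     = {English},
  urldate      = {2023-03-23},
}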
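@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper LOWZERO; corporate author braced as one literal name, registered-trademark sign kept as recorded}
@techreport{group:20220922:chinese:9349a24,
  author       = {{Insikt Group®}},
  title        = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}},
  date         = {2022-09-22},
  institution  = {Recorded Future},
  url          = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf},
  language     = {English},
  urldate      = {2022-09-26},
}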
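@comment{Tick actor reference; families tagged for this entry on the source page: Tick; corporate author braced so that "42" is not parsed as a surname}
@online{42:20220718:stalker:29762e4,
  author       = {{Unit 42}},
  title        = {{Stalker Taurus}},
  date         = {2022-07-18},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/atoms/stalkertaurus/},
  language     = {English},
  urldate      = {2022-07-29},
}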
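@comment{Tick actor reference; families tagged for this entry on the source page: RedAlert Ransomware Lilith; corporate author braced as one literal name}
@online{labs:20220712:new:4cf4a94,
  author       = {{Cyble Research Labs}},
  title        = {{New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns}},
  date         = {2022-07-12},
  organization = {cyble},
  url          = {https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/},
  language     = {English},
  urldate      = {2022-07-14},
}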
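@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Korlia}
@online{hegel:20220707:targets:174ab91,
  author       = {Hegel, Tom},
  title        = {{Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs}},
  date         = {2022-07-07},
  organization = {Sentinel LABS},
  url          = {https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/},
  language     = {English},
  urldate      = {2022-07-12},
}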
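@comment{Tick actor reference; families tagged for this entry on the source page: Eternity Ransomware Eternity Stealer Eternity Worm Lilith; corporate first author braced as one literal name}
@online{zlab:20220518:deep:86d9bee,
  author       = {{Yoroi Malware ZLab} and Martire, Luigi and Ragusa, Carmelo},
  title        = {{A deep dive into Eternity Group: A new emerging Cyber Threat}},
  date         = {2022-05-18},
  organization = {Yoroi},
  url          = {https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/},
  language     = {English},
  urldate      = {2022-07-28},
}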
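@comment{Tick actor reference; families tagged for this entry on the source page: ChiserClient Ghost RAT Lilith Quasar RAT xPack}
@online{dai:20211214:collecting:3d6dd34,
  author       = {Dai, Nick and Lee, Ted and Su, Vickie},
  title        = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
  date         = {2021-12-14},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
  language     = {English},
  urldate      = {2022-03-30},
}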
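@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy; corporate author braced as one literal name}
@techreport{cert:20211026:attacks:6f30d0f,
  author       = {{Kaspersky Lab ICS CERT}},
  title        = {{APT attacks on industrial organizations in H1 2021}},
  date         = {2021-10-26},
  institution  = {Kaspersky},
  url          = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf},
  language     = {English},
  urldate      = {2021-11-08},
}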
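@comment{Tick actor reference; families tagged for this entry on the source page: AllaKore Lilith NjRAT; same PDF as malhotra:20210702:insidecopy:c85188c, whose url differs only by a query string}
@techreport{malhotra:20210707:insidecopy:107d438,
  author       = {Malhotra, Asheer and Thattil, Justin},
  title        = {{InSideCopy: How this APT continues to evolve its arsenal}},
  date         = {2021-07-07},
  institution  = {Talos},
  url          = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf},
  language     = {English},
  urldate      = {2021-07-09},
}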
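@comment{Tick actor reference; families tagged for this entry on the source page: AllaKore Lilith NjRAT; companion indicator list to malhotra:20210707:insidecopy:107d438}
@online{malhotra:20210707:insidecopy:ac5b778,
  author       = {Malhotra, Asheer and Thattil, Justin},
  title        = {{InSideCopy: How this APT continues to evolve its arsenal (Network IOCs)}},
  date         = {2021-07-07},
  organization = {Talos},
  url          = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479},
  language     = {English},
  urldate      = {2021-07-09},
}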
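@comment{Tick actor reference; families tagged for this entry on the source page: AllaKore Lilith NjRAT; companion indicator list to malhotra:20210707:insidecopy:107d438}
@online{malhotra:20210707:insidecopy:e6b25bb,
  author       = {Malhotra, Asheer and Thattil, Justin},
  title        = {{InSideCopy: How this APT continues to evolve its arsenal (IOCs)}},
  date         = {2021-07-07},
  organization = {Talos},
  url          = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt},
  language     = {English},
  urldate      = {2021-07-09},
}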
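@comment{Tick actor reference; families tagged for this entry on the source page: AllaKore CetaRAT Lilith NjRAT ReverseRAT; same PDF as malhotra:20210707:insidecopy:107d438, url differs only by a query string}
@online{malhotra:20210702:insidecopy:c85188c,
  author       = {Malhotra, Asheer and Thattil, Justin},
  title        = {{InSideCopy: How this APT continues to evolve its arsenal}},
  date         = {2021-07-02},
  organization = {Cisco},
  url          = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388},
  language     = {English},
  urldate      = {2022-01-25},
}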
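@comment{Tick actor reference; families tagged for this entry on the source page: Tick; title kept verbatim from the source page (it reads "Uniti 61419" while the actor alias list reads "PLA Unit 61419")}
@online{soesanto:20210420:uniti:f7c817b,
  author       = {Soesanto, Stefan},
  title        = {{Tweet on Uniti 61419}},
  date         = {2021-04-20},
  organization = {Twitter (@iiyonite)},
  url          = {https://twitter.com/iiyonite/status/1384431491485155331},
  language     = {English},
  urldate      = {2022-09-12},
}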
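@comment{Tick actor reference; families tagged for this entry on the source page: Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda}
@online{dupuy:20210310:exchange:8f65a1f,
  author       = {Dupuy, Thomas and Faou, Matthieu and Tartare, Mathieu},
  title        = {{Exchange servers under siege from at least 10 APT groups}},
  date         = {2021-03-10},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/},
  language     = {English},
  urldate      = {2021-03-11},
}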
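@comment{Tick actor reference; families tagged for this entry on the source page: elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team; corporate author braced as one literal name}
@techreport{uk:20210228:cyber:bd780cd,
  author       = {{PWC UK}},
  title        = {{Cyber Threats 2020: A Year in Retrospect}},
  date         = {2021-02-28},
  institution  = {PWC UK},
  url          = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
  language     = {English},
  urldate      = {2021-03-04},
}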
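@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Koadic SideWinder}
@techreport{hegel:20210113:global:72b7b9d,
  author       = {Hegel, Tom},
  title        = {{A Global Perspective of the SideWinder APT}},
  date         = {2021-01-13},
  institution  = {AlienVault},
  url          = {https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf},
  language     = {English},
  urldate      = {2021-01-18},
}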
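@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback; the underscore in the handle is escaped so the author and organization fields are valid LaTeX text, and the handle is braced as one literal name}
@online{naosec:20210104:royal:041b9d3,
  author       = {{nao\_sec}},
  title        = {{Royal Road! Re:Dive}},
  date         = {2021-01-04},
  organization = {nao\_sec blog},
  url          = {https://nao-sec.org/2021/01/royal-road-redive.html},
  language     = {English},
  urldate      = {2021-01-05},
}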
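@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Chinoxy Poison Ivy}
@online{gross:20200916:riskiq:da4b864,
  author       = {Gross, Jon},
  title        = {{RiskIQ: Adventures in Cookie Land - Part 2}},
  date         = {2020-09-16},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/56fa1b2f},
  language     = {English},
  urldate      = {2020-09-23},
}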
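@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Chinoxy}
@online{gross:20200819:riskiq:94e5ccf,
  author       = {Gross, Jon and Kennedy, Cory},
  title        = {{RiskIQ Adventures in Cookie Land - Part 1}},
  date         = {2020-08-19},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/5fe2da7f},
  language     = {English},
  urldate      = {2020-09-23},
}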
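@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Cotx RAT Poison Ivy TA428}
@techreport{ozawa:20200819:operation:445be8c,
  author       = {Ozawa, Fumio and Hayashi, Shogo and Koike, Rintaro},
  title        = {{Operation LagTime IT: Colorful Panda Footprint}},
  date         = {2020-08-19},
  institution  = {NTT Security},
  url          = {https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf},
  language     = {English},
  urldate      = {2022-07-29},
}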
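@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing; team name in the author list braced as one literal name}
@online{great:20200603:cycldek:ed9a830,
  author       = {{GReAT} and Lechtik, Mark and Dedola, Giampaolo},
  title        = {{Cycldek: Bridging the (air) gap}},
  date         = {2020-06-03},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
  language     = {English},
  urldate      = {2020-06-03},
}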
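@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper}
@online{kotowicz:20200321:royal:da8fd16,
  author       = {Kotowicz, Maciej},
  title        = {{On the Royal Road}},
  date         = {2020-03-21},
  organization = {MalwareLab.pl},
  url          = {https://blog.malwarelab.pl/posts/on_the_royal_road/},
  language     = {English},
  urldate      = {2020-03-24},
}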
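@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Chinoxy; accented given name kept as UTF-8, which assumes a biblatex/Biber toolchain}
@online{larinier:20200320:new:3da1211,
  author       = {Larinier, Sébastien},
  title        = {{New version of chinoxy backdoor using COVID19 alerts document lure}},
  date         = {2020-03-20},
  organization = {Medium Sebdraven},
  url          = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746},
  language     = {English},
  urldate      = {2020-03-26},
}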
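@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Vicious Panda; corporate author braced as one literal name; same article as research:20200312:vicious:3218bb8 (url differs only by a trailing slash)}
@online{point:20200312:vicious:1d97e93,
  author       = {{Check Point}},
  title        = {{Vicious Panda: The COVID Campaign}},
  date         = {2020-03-12},
  organization = {Check Point Research},
  url          = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign},
  language     = {English},
  urldate      = {2022-07-25},
}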
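@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper BYEBY Enfal Korlia Poison Ivy; corporate author braced as one literal name; same article as point:20200312:vicious:1d97e93 (url differs only by a trailing slash)}
@online{research:20200312:vicious:3218bb8,
  author       = {{Check Point Research}},
  title        = {{Vicious Panda: The COVID Campaign}},
  date         = {2020-03-12},
  organization = {Check Point},
  url          = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/},
  language     = {English},
  urldate      = {2020-03-13},
}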
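@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper}
@online{saad:20200311:attribution:3efcc0a,
  author       = {Saad, Ghareeb and Raggi, Michael},
  title        = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}},
  date         = {2020-03-11},
  organization = {Virus Bulletin},
  url          = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/},
  language     = {English},
  urldate      = {2020-03-13},
}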
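@comment{Tick actor reference; families tagged for this entry on the source page: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER; corporate author braced as one literal name}
@techreport{crowdstrike:20200304:2020:818c85f,
  author       = {{CrowdStrike}},
  title        = {{2020 CrowdStrike Global Threat Report}},
  date         = {2020-03-04},
  institution  = {CrowdStrike},
  url          = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language     = {English},
  urldate      = {2020-07-24},
}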
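@comment{Tick actor reference; families tagged for this entry on the source page: BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader; the underscore in the handle is escaped so the author and organization fields are valid LaTeX text, and the handle is braced as one literal name}
@online{naosec:20200129:overhead:ec0aeb5,
  author       = {{nao\_sec}},
  title        = {{An Overhead View of the Royal Road}},
  date         = {2020-01-29},
  organization = {nao\_sec blog},
  url          = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html},
  language     = {English},
  urldate      = {2020-02-03},
}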
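@comment{Tick actor reference; families tagged for this entry on the source page: Datper xxmm; corporate author braced as one literal name}
@online{networks:20200128:tick:e511a29,
  author       = {{Macnica Networks}},
  title        = {{Tick Group Aiming at Japanese Manufacturing}},
  date         = {2020-01-28},
  organization = {Macnica Networks},
  url          = {https://www.macnica.net/mpressioncss/feature_05.html/},
  language     = {Japanese},
  urldate      = {2021-01-01},
}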
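@comment{Tick actor reference; families tagged for this entry on the source page: TSCookie NodeRAT Emotet PoshC2 Quasar RAT}
@techreport{shiigi:20200117:looking:bf71db1,
  author       = {Shiigi, Takayoshi},
  title        = {{Looking back on the incidents in 2019}},
  date         = {2020-01-17},
  institution  = {JPCERT/CC},
  url          = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf},
  language     = {English},
  urldate      = {2020-04-06},
}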
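@comment{Tick actor reference; families tagged for this entry on the source page: Daserf xxmm Tick; corporate author braced as one literal name; only a year is recorded for the date}
@online{secureworks:2020:bronze:ef493d6,
  author       = {{SecureWorks}},
  title        = {{BRONZE BUTLER}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/bronze-butler},
  language     = {English},
  urldate      = {2020-05-23},
}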
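@comment{Tick actor reference; families tagged for this entry on the source page: BROLER; title kept verbatim from the source page; PDF companion of chen:20191129:operation:749d75d}
@techreport{chen:20191129:operation:16f5aaa,
  author       = {Chen, Joey and Kakara, Hiroyuki and Shoji, Masaoki},
  title        = {{Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data}},
  date         = {2019-11-29},
  institution  = {Trend Micro},
  url          = {https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf},
  language     = {English},
  urldate      = {2020-06-02},
}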
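@comment{Tick actor reference; families tagged for this entry on the source page: Datper Lilith; blog companion of chen:20191129:operation:16f5aaa}
@online{chen:20191129:operation:749d75d,
  author       = {Chen, Joey and Kakara, Hiroyuki and Shoji, Masaoki},
  title        = {{Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK}},
  date         = {2019-11-29},
  organization = {Trend Micro},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/},
  language     = {English},
  urldate      = {2019-12-17},
}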
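@comment{Tick actor reference; families tagged for this entry on the source page: NodeRAT Emdivi PlugX; the non-breaking hyphen (U+2011) in "region-specific" was replaced by an ASCII hyphen so the title does not need a font with that glyph}
@online{tomonaga:20191111:cases:ac5f1b3,
  author       = {Tomonaga, Shusei and Tani, Tomoaki and Soeda, Hiroshi and Takahashi, Wataru},
  title        = {{APT cases exploiting vulnerabilities in region-specific software}},
  date         = {2019-11-11},
  organization = {Virus Bulletin},
  url          = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
  language     = {English},
  urldate      = {2020-05-13},
}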
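@comment{Tick actor reference; families tagged for this entry on the source page: PLEAD TSCookie Datper PLEAD; corporate author braced as one literal name}
@techreport{networks:20191001:trends:30fb713,
  author       = {{Macnica Networks}},
  title        = {{Trends in Cyber Espionage Targeting Japan 1st Half of 2019}},
  date         = {2019-10-01},
  institution  = {Macnica Networks},
  url          = {https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf},
  language     = {Japanese},
  urldate      = {2021-03-02},
}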
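@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Cobalt Strike; corporate author braced as one literal name}
@online{research:20190922:rancor:e834f67,
  author       = {{Check Point Research}},
  title        = {{Rancor: The Year of The Phish}},
  date         = {2019-09-22},
  organization = {Check Point Research},
  url          = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/},
  language     = {English},
  urldate      = {2020-03-04},
}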
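@comment{Tick actor reference; families tagged for this entry on the source page: Lilith; handle author braced as one literal name}
@online{werkamsus:20190919:lilith:686f3cb,
  author       = {{werkamsus}},
  title        = {{Lilith}},
  date         = {2019-09-19},
  organization = {GitHub (werkamsus)},
  url          = {https://github.com/werkamsus/Lilith},
  language     = {English},
  urldate      = {2021-02-24},
}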
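@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper Cotx RAT Poison Ivy TA428; team name in the author list braced as one literal name}
@online{raggi:20190723:chinese:804ec1c,
  author       = {Raggi, Michael and Schwarz, Dennis and {Proofpoint Threat Insight Team}},
  title        = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}},
  date         = {2019-07-23},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology},
  language     = {English},
  urldate      = {2021-02-06},
}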
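@comment{Tick actor reference; families tagged for this entry on the source page: Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy; corporate author braced as one literal name}
@techreport{networks:20190401:trends:cf738dc,
  author       = {{Macnica Networks}},
  title        = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
  date         = {2019-04-01},
  institution  = {Macnica Networks},
  url          = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
  language     = {Japanese},
  urldate      = {2021-03-02},
}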
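@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper APT40; corporate author braced as one literal name}
@techreport{accenture:20190305:mudcarps:2e785cc,
  author       = {{Accenture}},
  title        = {{MUDCARP's Focus on Submarine Technologies}},
  date         = {2019-03-05},
  institution  = {Accenture},
  url          = {https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf},
  language     = {English},
  urldate      = {2022-09-12},
}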
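@comment{Tick actor reference; families tagged for this entry on the source page: NodeRAT; Japanese-language title kept verbatim, which assumes a Unicode-capable toolchain}
@online{tomonaga:20190219:tick:83ca850,
  author       = {Tomonaga, Shusei},
  title        = {{攻撃グループTickによる日本の組織をターゲットにした攻撃活動}},
  date         = {2019-02-19},
  organization = {JPCERT/CC},
  url          = {https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html},
  language     = {Japanese},
  urldate      = {2020-04-01},
}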
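@comment{Tick actor reference; families tagged for this entry on the source page: xxmm}
@techreport{nakatsuru:20190118:understanding:15cc8b9,
  author       = {Nakatsuru, You},
  title        = {{Understanding Command and Control - An Anatomy of xxmm Communication}},
  date         = {2019-01-18},
  institution  = {Dell Secureworks},
  url          = {https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf},
  language     = {English},
  urldate      = {2019-12-10},
}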
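@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper; handle author braced as one literal name; no organization is recorded on the source page; title kept verbatim, including the en dash inside the CVE identifier as recorded}
@online{m4n0w4r:20190103:another:2f48120,
  author       = {{m4n0w4r}},
  title        = {{Another malicious document with CVE-2017–11882}},
  date         = {2019-01-03},
  url          = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f},
  language     = {Vietnamese},
  urldate      = {2020-03-11},
}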
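@comment{Tick actor reference; families tagged for this entry on the source page: Tick; the ampersand in the author is escaped so the field is valid LaTeX text, and the corporate author is braced as one literal name; only a year is recorded for the date}
@online{attck:2019:bronze:b7965ff,
  author       = {{MITRE ATT\&CK}},
  title        = {{Group description: BRONZE BUTLER}},
  date         = {2019},
  organization = {MITRE},
  url          = {https://attack.mitre.org/groups/G0060/},
  language     = {English},
  urldate      = {2019-12-20},
}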
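@comment{Tick actor reference; families tagged for this entry on the source page: Tick; corporate author braced as one literal name; only a year is recorded for the date}
@online{tracker:2019:bronze:9c4af73,
  author       = {{Cyber Operations Tracker}},
  title        = {{Bronze Butler}},
  date         = {2019},
  organization = {Council on Foreign Relations},
  url          = {https://www.cfr.org/interactive/cyber-operations/bronze-butler},
  language     = {English},
  urldate      = {2019-12-20},
}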
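@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper; handle author braced as one literal name; no organization is recorded on the source page; Vietnamese title kept as UTF-8}
@online{m4n0w4r:20181103:l:d496fbd,
  author       = {{m4n0w4r}},
  title        = {{Là 1937CN hay OceanLotus hay Lazarus …}},
  date         = {2018-11-03},
  url          = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241},
  language     = {Vietnamese},
  urldate      = {2020-03-11},
}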
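@comment{Tick actor reference; families tagged for this entry on the source page: Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm; corporate author braced as one literal name}
@techreport{networks:20181001:trends:17b1db5,
  author       = {{Macnica Networks}},
  title        = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}},
  date         = {2018-10-01},
  institution  = {Macnica Networks},
  url          = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf},
  language     = {Japanese},
  urldate      = {2021-03-02},
}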
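@comment{Tick actor reference; families tagged for this entry on the source page: 8.t Dropper; accented given name kept as UTF-8; the trailing question mark in the url is kept as recorded}
@online{larinier:20180731:malicious:571d2df,
  author       = {Larinier, Sébastien},
  title        = {{Malicious document targets Vietnamese officials}},
  date         = {2018-07-31},
  organization = {Medium Sebdraven},
  url          = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?},
  language     = {English},
  urldate      = {2020-03-04},
}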
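@comment{Tick actor reference; families tagged for this entry on the source page: Daserf Datper xxmm; corporate author braced as one literal name; same post as chen:20171107:redbaldknightbronze:63a08fe (http versus https url)}
@online{trendmicro:20171107:redbaldknightbronze:f7c817f,
  author       = {{Trendmicro}},
  title        = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}},
  date         = {2017-11-07},
  organization = {Trend Micro},
  url          = {http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/},
  language     = {English},
  urldate      = {2019-11-27},
}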
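@comment{Tick actor reference; families tagged for this entry on the source page: Tick; same post as trendmicro:20171107:redbaldknightbronze:f7c817f (https versus http url), here with the named authors}
@online{chen:20171107:redbaldknightbronze:63a08fe,
  author       = {Chen, Joey and Hsieh, MingYen},
  title        = {{REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography}},
  date         = {2017-11-07},
  organization = {Trend Micro},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/},
  language     = {English},
  urldate      = {2020-01-09},
}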
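@comment{Tick actor reference; families tagged for this entry on the source page: Daserf Datper rarstar xxmm Tick; corporate author braced as one literal name}
@online{team:20171012:bronze:7b9ae02,
  author       = {{CTU Research Team}},
  title        = {{BRONZE BUTLER Targets Japanese Enterprises}},
  date         = {2017-10-12},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses},
  language     = {English},
  urldate      = {2020-01-07},
}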
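@comment{Tick actor reference; families tagged for this entry on the source page: Datper Tick; detection-oriented source (proxy-log analysis), url kept as recorded over plain http}
@online{nakamura:20170821:detecting:98daf4d,
  author       = {Nakamura, Yu},
  title        = {{Detecting Datper Malware from Proxy Logs}},
  date         = {2017-08-21},
  organization = {JPCERT/CC},
  url          = {http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html},
  language     = {English},
  urldate      = {2020-01-13},
}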
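@comment{Tick actor reference; families tagged for this entry on the source page: Daserf Tick}
@online{hayashi:20170725:tick:d89ab89,
  author       = {Hayashi, Kaoru},
  title        = {{“Tick” Group Continues Attacks}},
  date         = {2017-07-25},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/},
  language     = {English},
  urldate      = {2019-12-20},
}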
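@comment{Tick actor reference; families tagged for this entry on the source page: Tick; corporate author braced as one literal name; Japanese-language title kept verbatim, which assumes a Unicode-capable toolchain}
@online{secureworks:20170628:bronze:41e2c3b,
  author       = {{SecureWorks}},
  title        = {{日本企業を狙う高度なサイバー攻撃の全貌 – BRONZE BUTLER}},
  date         = {2017-06-28},
  organization = {Secureworks},
  url          = {https://www.secureworks.jp/resources/rp-bronze-butler},
  language     = {Japanese},
  urldate      = {2019-11-27},
}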
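@comment{Tick actor reference; families tagged for this entry on the source page: xxmm}
@online{dahan:20170425:shadowwali:565d1c1,
  author       = {Dahan, Assaf},
  title        = {{ShadowWali: New variant of the xxmm family of backdoors}},
  date         = {2017-04-25},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors},
  language     = {English},
  urldate      = {2020-02-11},
}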
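@comment{Tick actor reference; families tagged for this entry on the source page: Tick}
@online{dimaggio:20160428:tick:9fec91a,
  author       = {DiMaggio, Jon},
  title        = {{Tick cyberespionage group zeros in on Japan}},
  date         = {2016-04-28},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan},
  language     = {English},
  urldate      = {2020-01-10},
}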
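@comment{Tick actor reference; families tagged for this entry on the source page: Tick; corporate author braced as one literal name}
@techreport{technologies:20150814:stalker:58aaafe,
  author       = {{Raytheon Blackbird Technologies}},
  title        = {{Stalker Panda}},
  date         = {2015-08-14},
  institution  = {Raytheon Blackbird Technologies},
  url          = {https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf},
  language     = {English},
  urldate      = {2020-01-10},
}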