| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.
| 2025-04-06
⋅
Gridinsoft
⋅
How to Remove Lilith RAT: Complete Removal Guide Lilith puNK-003 |
| 2024-08-22
⋅
S2W Inc.
⋅
Analysis of the North Korea-backed puNK-003’s Lilith RAT ported to AutoIt Script Lilith puNK-003 |
| 2023-11-10
⋅
⋅
AhnLab
⋅
Detection of attacks exploiting asset management software (Andariel Group) Lilith Tiger RAT |
| 2023-04-05
⋅
Medium Ilandu
⋅
PortDoor - APT Backdoor analysis ACBackdoor 8.t Dropper PortDoor |
| 2023-03-07
⋅
Check Point Research
⋅
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities 5.t Downloader 8.t Dropper Soul |
| 2023-02-23
⋅
Symantec
⋅
Clasiopa: New Group Targets Materials Research Atharvan HazyLoad Lilith |
| 2023-02-07
⋅
MalGamy
⋅
The Approach of TA413 for Tibetan Targets 8.t Dropper LOWZERO |
| 2022-10-05
⋅
Zscaler
⋅
Analysis of LilithBot Malware and Eternity Threat Group Eternity Clipper Eternity Stealer Lilith |
| 2022-09-22
⋅
Recorded Future
⋅
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets 8.t Dropper LOWZERO |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Stalker Taurus Tick |
| 2022-07-12
⋅
cyble
⋅
New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns RedAlert Ransomware Lilith |
| 2022-07-07
⋅
Sentinel LABS
⋅
Targets of Interest - Russian Organizations Increasingly Under Attack By Chinese APTs 8.t Dropper Korlia Tonto Team |
| 2022-05-18
⋅
Yoroi
⋅
A deep dive into Eternity Group: A new emerging Cyber Threat Eternity Ransomware Eternity Stealer Eternity Worm Lilith |
| 2021-12-14
⋅
Trend Micro
⋅
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23 |
| 2021-10-26
⋅
Kaspersky
⋅
APT attacks on industrial organizations in H1 2021 8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal (Network IOCs) AllaKore Lilith NjRAT |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal (IOCs) AllaKore Lilith NjRAT |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal AllaKore Lilith NjRAT |
| 2021-07-02
⋅
Cisco
⋅
InSideCopy: How this APT continues to evolve its arsenal AllaKore CetaRAT Lilith NjRAT ReverseRAT |
| 2021-04-20
⋅
Twitter (@iiyonite)
⋅
Tweet on Uniti 61419 Tick |
| 2021-03-10
⋅
ESET Research
⋅
Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda |
| 2021-02-28
⋅
PWC UK
⋅
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team |
| 2021-01-13
⋅
AlienVault
⋅
A Global Perspective of the SideWinder APT 8.t Dropper Koadic SideWinder |
| 2021-01-04
⋅
nao_sec blog
⋅
Royal Road! Re:Dive 8.t Dropper Chinoxy FlowCloud FunnyDream Lookback |
| 2020-09-16
⋅
RiskIQ
⋅
RiskIQ: Adventures in Cookie Land - Part 2 8.t Dropper Chinoxy Poison Ivy |
| 2020-08-19
⋅
NTT Security
⋅
Operation LagTime IT: Colorful Panda Footprint 8.t Dropper Cotx RAT Poison Ivy TA428 |
| 2020-08-19
⋅
RiskIQ
⋅
RiskIQ Adventures in Cookie Land - Part 1 8.t Dropper Chinoxy |
| 2020-06-03
⋅
Kaspersky Labs
⋅
Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing |
| 2020-03-21
⋅
MalwareLab.pl
⋅
On the Royal Road 8.t Dropper |
| 2020-03-20
⋅
Medium Sebdraven
⋅
New version of chinoxy backdoor using COVID19 alerts document lure 8.t Dropper Chinoxy |
| 2020-03-12
⋅
Check Point
⋅
Vicious Panda: The COVID Campaign 8.t Dropper BYEBY Enfal Korlia Poison Ivy |
| 2020-03-12
⋅
Check Point Research
⋅
Vicious Panda: The COVID Campaign 8.t Dropper Vicious Panda |
| 2020-03-11
⋅
Virus Bulletin
⋅
Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers 8.t Dropper |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-01-29
⋅
nao_sec blog
⋅
An Overhead View of the Royal Road BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader |
| 2020-01-28
⋅
⋅
Macnica Networks
⋅
Tick Group Aiming at Japanese Manufacturing Datper xxmm |
| 2020-01-17
⋅
JPCERT/CC
⋅
Looking back on the incidents in 2019 TSCookie NodeRAT Emotet PoshC2 Quasar RAT |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE BUTLER Daserf xxmm Tick |
| 2019-11-29
⋅
Trend Micro
⋅
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK Datper Lilith |
| 2019-11-29
⋅
Trend Micro
⋅
Operation ENDTRADE:TICK: 2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data BROLER |
| 2019-11-11
⋅
Virus Bulletin
⋅
APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX |
| 2019-10-01
⋅
⋅
Macnica Networks
⋅
Trends in Cyber Espionage Targeting Japan 1st Half of 2019 PLEAD TSCookie Datper PLEAD |
| 2019-09-22
⋅
Check Point Research
⋅
Rancor: The Year of The Phish 8.t Dropper Cobalt Strike |
| 2019-09-19
⋅
GitHub (werkamsus)
⋅
Lilith Lilith |
| 2019-07-23
⋅
Proofpoint
⋅
Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia 8.t Dropper Cotx RAT Poison Ivy TA428 |
| 2019-04-01
⋅
⋅
Macnica Networks
⋅
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
| 2019-03-05
⋅
Accenture
⋅
MUDCARP's Focus on Submarine Technologies 8.t Dropper APT40 |
| 2019-02-19
⋅
⋅
JPCERT/CC
⋅
攻撃グループTickによる日本の組織をターゲットにした攻撃活動 NodeRAT |
| 2019-01-18
⋅
Dell Secureworks
⋅
Understanding Command and Control - An Anatomy of xxmm Communication xxmm |
| 2019-01-03
⋅
⋅
Another malicious document with CVE-2017–11882 8.t Dropper |
| 2019-01-01
⋅
MITRE
⋅
Group description: BRONZE BUTLER Tick |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
Bronze Butler Tick |
| 2018-11-03
⋅
⋅
Là 1937CN hay OceanLotus hay Lazarus … 8.t Dropper |
| 2018-10-01
⋅
⋅
Macnica Networks
⋅
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018 Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm |
| 2018-07-31
⋅
Medium Sebdraven
⋅
Malicious document targets Vietnamese officials 8.t Dropper PlugX 1937CN |
| 2018-07-31
⋅
Medium Sebdraven
⋅
Malicious document targets Vietnamese officials 8.t Dropper |
| 2017-11-07
⋅
Trend Micro
⋅
REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography Daserf Datper xxmm |
| 2017-11-07
⋅
Trend Micro
⋅
REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography Tick |
| 2017-10-12
⋅
Secureworks
⋅
BRONZE BUTLER Targets Japanese Enterprises Daserf Datper rarstar xxmm Tick |
| 2017-08-21
⋅
JPCERT/CC
⋅
Detecting Datper Malware from Proxy Logs Datper Tick |
| 2017-07-25
⋅
Palo Alto Networks Unit 42
⋅
“Tick” Group Continues Attacks Daserf Tick |
| 2017-06-28
⋅
⋅
Secureworks
⋅
日本企業を狙う高度なサイバー攻撃の全貌 – BRONZE BUTLER Tick |
| 2017-04-25
⋅
Cybereason
⋅
ShadowWali: New variant of the xxmm family of backdoors xxmm |
| 2016-04-28
⋅
Symantec
⋅
Tick cyberespionage group zeros in on Japan Tick |
| 2015-08-14
⋅
Raytheon Blackbird Technologies
⋅
Stalker Panda Tick |