admin@338

Threat Actor Profile Updated 3 months ago
Admin@338 is a China-based threat actor or group known for conducting cyber-attacks with malicious intent. FireEye tracks it as an uncategorized Advanced Persistent Threat (APT) group, and it has been linked to multiple security incidents. One notable campaign delivered a malware payload named LOWBALL through email messages carrying malicious documents. That operation targeted Hong Kong and, despite differing sponsorship, indicates that penetrating media organizations based in Hong Kong and Taiwan remains a high priority for China-based threat groups. In another incident, admin@338 was observed uploading a second-stage malware known as BUBBLEWRAP (also tracked as Backdoor.APT.FakeWinHTTPHelper) to its Dropbox account. The command sequence used in that operation included renaming and starting certain files, redirecting system information into a download file, and deleting the original commands. This was not the first time admin@338 had used BUBBLEWRAP, suggesting a preference for, or specialization in, this particular malware. In summary, admin@338 presents a significant threat, particularly to organizations based in Hong Kong and Taiwan. Its use of sophisticated malware such as LOWBALL and BUBBLEWRAP, combined with multi-stage attack techniques, underscores its capabilities. Organizations in its target set should remain vigilant, maintain robust security controls, and stay current with developments in the threat landscape.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fireeye
Dropbox
Apt
China
Malware
Taiwan
Malware Payl...
Associated Malware
ID | Type | Votes | Profile Description
BUBBLEWRAP | Unspecified | 1 | Bubblewrap is a malware that was observed being uploaded by the admin@338 threat group to their Dropbox account. The malware is a second stage backdoor that can communicate using HTTP, HTTPS, or a SOCKS proxy and is set to run when the system boots. The admin@338 group has been previously seen using
LOWBALL | Unspecified | 1 | LOWBALL is a sophisticated malware payload that was utilized by a China-based cyber threat group, often referred to as "admin@338". This advanced persistent threat (APT) group used LOWBALL in their operations targeting media organizations in Hong Kong and Taiwan. The malware's first stage allows the
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the admin@338 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant
MITRE | a year ago | The EPS Awakens - Part 2 « Threat Research