APT27

Threat Actor updated a day ago (2024-11-20T17:35:22.035Z)
APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the Middle East, focusing on data and projects that give these organizations a competitive edge within their respective fields. APT27 uses various malware such as PANDORA, SOGU, ZXSHELL, GHOST, WIDEBERTH, QUICKPULSE, and FLOWERPOT, often employing spear phishing as its initial compromise method. The group's activities were notably highlighted in Operation Diplomatic Specter, where it was discovered that the malicious actions originated from a shared Chinese Advanced Persistent Threat (APT) operational infrastructure. This infrastructure is exclusively used by Chinese nation-state threat actors, including APT27 and other groups like Winnti (aka Starchy Taurus) and Mustang Panda (aka Stately Taurus). Various reports have noted the use of hTran, a connection proxy tool often associated with Chinese threat actors, by APT27 and other groups such as APT3 and DragonOK. Recent campaigns identified by Kaspersky, dubbed EastWind, targeted Russian organizations using CloudSorcerer, a backdoor that downloads additional malware, along with tools associated with APT31 and APT27. The adversary manually executes this backdoor to download PlugY, an implant with code that overlaps with APT27. Notably, the EastWind campaign showed traces of malware from both APT27 and APT31, suggesting possible collaboration or shared resources among these threat groups.
Description last updated: 2024-11-15T16:03:55.790Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
Alias (vote count): description
Emissary Panda (possible alias, 7 votes): Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive…
LuckyMouse (possible alias, 4 votes): LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an…
Iron Tiger (possible alias, 4 votes): Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities…
SysUpdate (possible alias, 3 votes): SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w…
Lucky Mouse (possible alias, 3 votes): Lucky Mouse, also known as Emissary Panda, APT27, Threat Group 3390, Bronze Union, and several other names, is a malicious software (malware) attributed to a China-linked Advanced Persistent Threat (APT) group. This malware has been active since at least 2013, targeting various industry verticals fo…
Cobra Docguard (possible alias, 2 votes): Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst…
PlugY (possible alias, 2 votes): PlugY is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data host…
BRONZE UNION (possible alias, 2 votes): Bronze Union, also known as APT27, Emissary Panda, Lucky Mouse, Iron Tiger, and Red Phoenix, is a threat actor with alleged connections to the Chinese government. The group has been observed targeting organizations across Europe, North and South America, Africa, the Middle East, and the Asia-Pacific…
Budworm (possible alias, 2 votes): Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,…
Iron Taurus (possible alias, 2 votes): Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: APT, Malware, Backdoor, Phishing, Implant, Espionage
Associated Malware
Malware (association type, vote count): description
Cobra (association type unspecified, 2 votes): Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup…
Stately Taurus (association type unspecified, 2 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's…
Associated Threat Actors
Threat actor (association type, vote count): description
Mustang Panda (association type unspecified, 4 votes): Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif…
APT31 (association type unspecified, 4 votes): APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by…
Cloudsorcerer (association type unspecified, 2 votes): CloudSorcerer, a threat actor group known for its malicious activities, has been identified by Kaspersky as the entity behind a new EastWind campaign targeting Russian organizations. The group updated their CloudSorcerer backdoor after it was initially described in a blog post by Kaspersky in early…
Ke3chang (association type unspecified, 2 votes): Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang…
GALLIUM (association type unspecified, 2 votes): Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar…
APT30 (association type unspecified, 2 votes): APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c…
Source Document References
Information about the APT27 threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created at):
Securelist (6 days ago)
Securelist (a month ago)
Securelist (a month ago)
DARKReading (3 months ago)
Securelist (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (5 months ago)
BankInfoSecurity (6 months ago)
Unit42 (6 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)