Barium

Threat Actor Profile Updated 24 days ago
Barium, also known as BRONZE ATLAS, APT41, TA415, and part of the Winnti Group, is a China-linked cyberespionage threat actor that has been active since at least 2007. Notable for its deployment of sophisticated malware such as ShadowPad and KEYPLUG, Barium has been implicated in numerous cyber attacks aimed at stealing intellectual property and personally identifiable information (PII). In 2017, Microsoft alleged that Barium deployed ShadowPad to carry out these thefts. Between May 2021 and February 2022, Barium was reported to have infiltrated six U.S. state government networks using KEYPLUG, a backdoor disclosed by Google-owned Mandiant.

Barium and another activity group, LEAD, are strongly associated with the use of the Winnti malware implant. Starting on March 2, 2021, just hours before Microsoft released a patch, the Winnti Group compromised the email servers of an oil company and a construction equipment company, both based in East Asia. Neither LEAD nor BARIUM is typically involved in large-scale spear-phishing operations, so security operations center (SOC) personnel are unlikely to encounter multiple machines compromised by these groups at the same time. Windows Defender ATP helps network security professionals manage intrusions by activity groups such as LEAD and BARIUM. Microsoft Threat Intelligence continuously tracks these activity groups, documenting their tactics, techniques, and procedures, with particular emphasis on the tools and infrastructure they use in their attacks. Once rapport with a target is established, BARIUM often spear-phishes victims using relatively unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, and Microsoft Office documents containing macros or exploits.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): Description
APT41 (5 votes): APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a China-attributed threat actor that has been active since at least 2012. The group has targeted organizations across at least 14 countries, focusing on entities in the South China Sea region. APT41's activi
Winnti (4 votes): Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
Redgolf (2 votes): RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
Axiom (2 votes): Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Apt
Malware
Associated Malware
Profile (type, votes): Description
WyrmSpy (Unspecified, 2 votes): WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
DragonEgg (Unspecified, 2 votes): DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Barium Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source, created: Title
MITRE, a year ago: Detecting threat actors in recent German industrial attacks with Windows Defender ATP - Microsoft Security Blog
Secureworks, a year ago: ShadowPad Malware Analysis
Recorded Future, a year ago: With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets | Recorded Future
CERT-EU, 6 months ago: Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor
MITRE, a year ago: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
MITRE, a year ago: Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE, a year ago: Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
CERT-EU, 10 months ago: Cyber Security Week In Review: July 21, 2023
CERT-EU, 10 months ago: Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
CERT-EU, a year ago: Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms
CERT-EU, a year ago: NATO countries targeted by Winter Vivern via Zimbra vulnerability
CERT-EU, 6 months ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Air India
BankInfoSecurity, 10 months ago: Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU, 3 months ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Air India
Securityaffairs, 10 months ago: Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
CERT-EU, a year ago: 3CX hack highlights risk of cascading software supply-chain compromises
CERT-EU, 3 months ago: Hacking firm I-Soon data leak revealed Chinese gov hacking capabilities
CERT-EU, a year ago: Windows, Linux systems subjected to Chinese state-backed cyberattacks
CERT-EU, 10 months ago: In Other News: Military Emails Leaked, Google Restricts Internet Access, Chinese Spyware
Securityaffairs, 9 months ago: Redfly group infiltrated an Asian national grid as long as six months