BlackTech

Threat Actor Profile Updated 12 days ago
Download STIX
Preview STIX
BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sophistication in its tactics, techniques, and procedures, using a variety of malware families to achieve its objectives. Recently, BlackTech was spotted infiltrating Cisco router firmware. This marks a significant escalation in their tactics, as embedding malicious code within firmware can make it incredibly difficult to detect and remove. The group used a specific malware family known as "Waterbear" for these attacks. Waterbear is a well-documented tool in BlackTech's arsenal, often used in their cyber espionage campaigns. The discovery of BlackTech's activity within Cisco router firmware underscores the group's persistent threat to global cybersecurity. It also highlights the necessity for robust security measures, particularly for critical infrastructure like routers. As the group continues to evolve its tactics, organizations worldwide need to remain vigilant and adopt proactive security measures to mitigate the risk posed by this and similar threat actors.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Radio Panda
4
Radio Panda, also known as BlackTech, Palmerworm, Temp.Overboard, and Circuit Panda, is a state-sponsored Chinese Advanced Persistent Threat (APT) group that has been conducting cyber espionage attacks since at least 2010. This threat actor has targeted various sectors, including government, industr
Palmerworm
3
Palmerworm, also known as BlackTech, Temp.Overboard, Circuit Panda, and Radio Panda, is a threat actor group that has been active since at least 2013. This group has demonstrated extensive capabilities in targeting various sectors such as government, industrial, technology, media, electronics, and t
temp.overboard
2
Temp.Overboard, also known as BlackTech, Circuit Panda, Palmerworm, and several other aliases, is a threat actor that has been active in the cybersecurity landscape since at least 2007. This group is known for its operations against targets in East Asia, specifically Taiwan, Japan, and Hong Kong. As
Mustang Panda
2
Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Camaro Dragon
1
Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Checkpoint Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components
Waterbear
1
WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostag
Circuit Panda
1
Circuit Panda, also known as BlackTech, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, is a significant threat actor with a history of operating against targets in East Asia, particularly Taiwan, Japan, and Hong Kong since at least 2007. This group is part of a constellation of adva
Taurus
1
Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Exploit
Firmware
Cisco
Espionage
Chinese
Proxy
Vulnerability
Ios
Exploits
exploited
t1542.004
t1601.001
Lateral Move...
Phishing
LOTL
AITM
Linux
Taiwan
Chrome
Japan
CISA
Nsa
Downloader
State Sponso...
Implant
Trojan
T1199
t1090.002
t1556.004
t1562.003
t1601.002
Windows
China
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
PLEADUnspecified
3
The PLEAD malware is a malicious software that was discovered by ESET researchers in 2019 to be utilized by the Chinese APT group known as BlackTech. The group was found to be performing Man-in-the-Middle (MitM) attacks through compromised ASUS routers and delivering the PLEAD malware through ASUS W
TSCookieUnspecified
2
TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent
FlagproUnspecified
2
Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in Ju
TaidoorUnspecified
2
Taidoor is a malicious software (malware) traditionally used as a Remote Access Trojan (RAT), associated with other malware like PITTYTIGER and ENFAL. Its primary attack vector involves phishing emails themed around military, renewable energy, or business strategy. The malware infects systems throug
Red DjinnUnspecified
1
None
FakedeadUnspecified
1
FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
BendyBearUnspecified
1
BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Volt TyphoonUnspecified
2
Volt Typhoon, a threat actor linked to China, has been identified as a significant cyber threat with strong operational security. Known for their sophisticated Advanced Persistent Threat (APT) activities, this group has been associated with the KV-Botnet and has remained undetected within U.S. infra
Evasive PandaUnspecified
1
Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools
TheWizardsUnspecified
1
TheWizards is a threat actor, potentially China-aligned, known for conducting adversary-in-the-middle attacks. The group exhibits capabilities similar to other known China-aligned threat actors such as Evasive Panda and Mustang Panda (also known as Camaro Dragon), who have been observed deploying ma
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2022-1388Unspecified
1
CVE-2022-1388 is a critical vulnerability identified in the F5 BIG-IP iControl REST interface, which allows for an authentication bypass. This flaw in software design or implementation enables unauthorized users to gain access and control over the system without needing to authenticate their identit
Source Document References
Information about the BlackTech Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
5 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
5 days ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
12 days ago
Security Affairs Malware Newsletter - Round 2
Securityaffairs
19 days ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
a month ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
a month ago
Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
2 months ago
Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Trend Micro
3 months ago
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
Securityaffairs
4 months ago
Security Affairs newsletter Round 466 by Pierluigi Paganini
DARKReading
4 months ago
CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs & Cyber-Awareness
DARKReading
4 months ago
How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
Securityaffairs
4 months ago
Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs
4 months ago
Security Affairs newsletter Round 464 by Pierluigi Paganini
DARKReading
4 months ago
Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents
Securityaffairs
4 months ago
Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs
5 months ago
Security Affairs newsletter Round 462 by Pierluigi Paganini