Bronze Atlas

Threat Actor Profile Updated 3 months ago
Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a senior security researcher for Secureworks, Bronze Atlas is "one of the most prolific groups we have been tracking for a long time." This China-based group is characterized by dual espionage and cybercrime activities, demonstrating its broad range of capabilities and intent.

Recently, Bronze Atlas targeted a Taiwanese media organization, as reported by the Google Threat Analysis Group (TAG). The attack was executed through phishing emails that contained links to a password-protected file hosted on Drive. This methodology aligns with the group's well-documented approach of using sophisticated techniques to compromise its targets. The group's actions continue to pose a substantial risk to organizations worldwide, especially those in the media sector.

In a recent development, Symantec researchers noted a shift in the group's tactics: in late last year and early this year, Bronze Atlas showed a greater reliance on open-source tools rather than its usual custom malware. This change could suggest an adaptation to evade detection or a new strategic direction. Furthermore, the group is linked to ShadowPad, a modular backdoor discovered in 2017 following a supply-chain attack on server management software. This connection further underscores the group's advanced capabilities and persistent threat to global cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
APT41 | 2 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Winnti | 1 | Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
Wicked Panda | 1 | Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China. Recognized as one of the top cyber threats by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, this group has been associated wit
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Google
Phishing
Espionage
Cybercrime
Backdoor
Malware
Associated Malware
ID | Type | Votes | Profile Description
ShadowPad | Unspecified | 1 | ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Associated Threat Actors
ID | Type | Votes | Profile Description
Blackfly | Unspecified | 1 | Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Bronze Atlas threat actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created At | Title
DARKReading | a year ago | China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP
InfoSecurity-magazine | a year ago | Chinese APT Favorite Backdoor Found in Pakistani Government App
DARKReading | a year ago | APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks