Bronze Starlight

Threat Actor updated 4 months ago (2024-07-22T15:18:11.826Z)
Bronze Starlight is a China-linked threat actor group associated with a range of malicious activity. The group deploys several types of ransomware payload, including LockFile, under both traditional ransomware schemes and name-and-shame models. Its operations have targeted organizations in the US and multiple other countries, and indicators suggest that its primary goal is espionage rather than financial gain: ransomware appears to serve as a distraction or a means of misattribution, possibly to cover intellectual property theft. Recent activity includes the HUI Loader malware, which was observed both in the A41APT campaign attributed to another threat actor, Bronze Riverside, and in post-intrusion ransomware activity attributed to Bronze Starlight. As of this publication, CTU researchers have found no public links to the HUI Loader code and observed no further Bronze Starlight activity after HUI Loader was deployed and executed to load a Cobalt Strike Beacon. Where this malware is hosted raises questions about the wider scope of Bronze Starlight's activities. The connection between Bronze Starlight and certain other cyber activity is assessed with low confidence at this time: the NPS tool variants deployed by RA World share file path and naming conventions with those used by Bronze Starlight, and some of Bronze Starlight's tactics, techniques, and procedures (TTPs) were identified in forensic data related to RA World. These connections remain unverified, and further research into Bronze Starlight's activities and potential affiliations is needed.
Description last updated: 2024-07-22T15:16:55.577Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Emperor Dragonfly | Emperor Dragonfly is a possible alias for Bronze Starlight. Emperor Dragonfly, also known as Bronze Starlight or Storm-0401, is a threat actor group linked to China that has been identified as deploying various ransomware payloads. This group targets sectors such as gambling within Southeast Asia. The cybersecurity industry uses different names for the same | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Apt
Malware
Espionage
Loader
Sentinellabs
Exploit
Chinese
Associated Malware
Alias | Description | Association Type | Votes
PlugX | The PlugX Malware is associated with Bronze Starlight. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | Unspecified | 2
Source Document References
Information about the Bronze Starlight Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Unit42 | 4 months ago
DARKReading | 5 months ago
CERT-EU | 8 months ago
CERT-EU | a year ago
CERT-EU | a year ago
Recorded Future | 2 years ago
CERT-EU | 2 years ago
Recorded Future | 2 years ago
Secureworks | 2 years ago
CERT-EU | a year ago
CERT-EU | 2 years ago
InfoSecurity-magazine | a year ago
Checkpoint | a year ago
Securityaffairs | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago
CERT-EU | a year ago
Securityaffairs | a year ago
CERT-EU | a year ago