Bronze Starlight

Threat Actor updated 23 days ago (2024-11-29T14:45:22.322Z)
Download STIX
Preview STIX
Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlight's operations have targeted organizations in the US and multiple other countries, with indicators suggesting their primary goal appears to be espionage rather than financial gain. They use ransomware as a means of distraction or misattribution, possibly to cover intellectual property theft. The group's recent activities include the use of HUI Loader malware, which was observed in the A41APT campaign linked to another threat actor, Bronze Riverside, and in post-intrusion ransomware activity associated with Bronze Starlight. As of this publication, CTU researchers have not found any public links to the HUI Loader code and noted no further activity from Bronze Starlight following the deployment and execution of HUI Loader to load a Cobalt Strike Beacon. This malware's hosting has sparked intriguing possibilities regarding Bronze Starlight's broader activities. Despite these observations, the connection between Bronze Starlight and certain cyber activities is assessed with low confidence at this time. For instance, there are similarities in file path and naming conventions between the NPS tool variants deployed by RA World and Bronze Starlight. Moreover, some overlapping tactics, techniques, and procedures (TTPs) used by Bronze Starlight were identified in the forensic data related to RA World. However, these connections remain unverified, underlining the need for further research into Bronze Starlight's activities and potential affiliations.
Description last updated: 2024-07-22T15:16:55.577Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Emperor Dragonfly is a possible alias for Bronze Starlight. Emperor Dragonfly, also known as Bronze Starlight or Storm-0401, is a threat actor group linked to China that has been identified as deploying various ransomware payloads. This group targets sectors such as gambling within Southeast Asia. The cybersecurity industry uses different names for the same
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Apt
Malware
Espionage
Loader
Sentinellabs
Exploit
Chinese
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PlugX Malware is associated with Bronze Starlight. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to sUnspecified
2
Source Document References
Information about the Bronze Starlight Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
5 months ago
DARKReading
6 months ago
CERT-EU
9 months ago
CERT-EU
a year ago
CERT-EU
a year ago
Recorded Future
2 years ago
CERT-EU
2 years ago
Recorded Future
2 years ago
Secureworks
2 years ago
CERT-EU
a year ago
CERT-EU
2 years ago
InfoSecurity-magazine
a year ago
Checkpoint
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago