Bronze Starlight

Threat Actor Profile Updated 13 days ago
Bronze Starlight is a threat actor group suspected of being aligned with China and associated with malicious activity focused primarily on cyberespionage. Secureworks, a Dell Technologies company, published research in 2022 linking Bronze Starlight to ransomware attacks against companies holding valuable intellectual property (IP). The group selects its targets carefully: it pursues organizations whose IP would benefit the Chinese government and refrains from attacking organizations that do not appear to hold valuable information or data. In August 2023, the group was reported to be using stolen Ivacy VPN certificates to sign malware, specifically targeting the Southeast Asian gambling sector.

The group is known for its use of the HUI Loader malware and a relatively rare version of PlugX, a remote access trojan (RAT) linked exclusively to China-backed threat groups. HUI Loader has not been linked to publicly available code, and its use has only been observed in the A41APT campaign attributed to Bronze Riverside and in post-intrusion ransomware activity attributed to Bronze Starlight. However, CTU researchers observed no additional Bronze Starlight activity after HUI Loader was deployed and executed to load a Cobalt Strike Beacon.

Bronze Starlight's operations are not purely financially motivated; the group appears to take part in government-sponsored intelligence-gathering efforts. It operated LockFile as a traditional ransomware scheme but adopted the name-and-shame model for its other ransomware operations. Secureworks suggests that the combination of victimology and the overlap with infrastructure and tooling associated with government-sponsored threat group activity indicates that Bronze Starlight may deploy ransomware to conceal its cyberespionage activities. Links have also been found between Bronze Starlight and another entity, Bronze University, further suggesting potential state sponsorship.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Emperor Dragonfly | 2 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
APT
Malware
Espionage
SentinelLabs
Loader
Exploit
Chinese
Associated Malware
ID | Type | Votes | Profile Description
PlugX | Unspecified | 2 | PlugX is a sophisticated malware predominantly used by various Chinese Advanced Persistent Threat (APT) groups like PKPLUG, but also found in the hands of non-Chinese threat actors due to its circulation in underground hacking communities. This modular backdoor has evolved through different stages,
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Bronze Starlight threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Sekoia: Latest in the Financial Sector Cyber Threat Landscape
Checkpoint | 9 months ago | 21st August – Threat Intelligence Report - Check Point Research
CERT-EU | 9 months ago | Southeast Asian gambling industry targeted by Chinese hacking operation
Recorded Future | a year ago | Semiconductor Companies Targeted by Ransomware | Recorded Future
CERT-EU | 9 months ago | Chinese entanglement - DLL hijacking in the Asian gambling sector – Global Security Mag Online
CERT-EU | 9 months ago | Chinese hackers accused of targeting Southeast Asian gambling sector
InfoSecurity-magazine | 9 months ago | Chinese Hackers Use DLL Hijacking to Target Asian Gamblers
Securityaffairs | 9 months ago | Bronze Starlight targets the Southeast Asian gambling sector - Security Affairs
InfoSecurity-magazine | 9 months ago | New Chinese APT Group Launches Supply Chain Attacks
Securityaffairs | 9 months ago | Security Affairs newsletter Round 433 by Pierluigi Paganini
CERT-EU | 2 months ago | 12 Months of Fighting Cybercrime & Defending Enterprises | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | a year ago | Novel CatB ransomware analyzed
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
CERT-EU | 9 months ago | China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons – GIXtools
CERT-EU | a year ago | Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT
CERT-EU | 6 months ago | Chinese Scammers Exploit Cloned Websites in Vast Gambling Network