Camaro Dragon

Threat Actor Profile Updated 17 days ago
Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Check Point Research discovered and analyzed a custom firmware image attributed to Camaro Dragon that contained multiple malicious components, including a custom MIPS32 ELF implant known as "Horse Shell". The firmware implant was tailored specifically to TP-Link routers, highlighting the group's sophisticated tactics and techniques. There are significant overlaps between Camaro Dragon and another Advanced Persistent Threat (APT) group, Mustang Panda, suggesting that the router implant may also have been deployed in other campaigns by the group.

The Camaro Dragon APT group has been operating since at least 2012 under various aliases, including Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Stately Taurus. According to Avast's report, its activities have been linked to attacks on Burmese government agencies and opposition groups. The group has also employed USB-targeting malware, using USB drives as Trojan horses in its operations; in one notable case, a UK hospital's corporate network was infected after an employee inadvertently brought Camaro Dragon malware back from a trip abroad.

In recent years the group has expanded its capabilities by deploying network implants inside victims' networks, possibly targeting vulnerable network appliances such as routers or gateways. This aligns with a broader trend in which router compromise has become a key strategy for large-scale APT groups such as Slingshot, APT28, and Camaro Dragon. These findings underscore the increasing sophistication of threat actors and the importance of robust security measures, particularly for network devices and their firmware.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at (votes in parentheses).

Mustang Panda (6 votes): Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

Stately Taurus (4 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc

LuminousMoth (3 votes): LuminousMoth is a threat actor with ties to HoneyMyte, as evidenced by their similar targeting and Tactics, Techniques, and Procedures (TTPs). These include the use of DLL side-loading, Cobalt Strike loaders, and Chrome cookie stealers. The malware's operation begins with the execution of "explorer.

Earth Preta (1 vote): Earth Preta, also known as Mustang Panda, Bronze President, TA416, RedDelta, and Stately Taurus, is a prominent threat actor group that has been operational since at least 2012. The group has been highly active in Europe and Asia, employing a variety of tools and malware for their malicious activiti

Luminous Moth (1 vote): None

BlackTech (1 vote): BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Apt, Malware, Implant, Espionage, Backdoor, Firmware, State Sponso..., Chinese, Antivirus, Tp, Html, Infiltration, Trojan
Associated Malware
Raspberry Robin (type: Unspecified, 2 votes): Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, di

PlugX (type: Unspecified, 1 vote): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It

Taurus (type: Unspecified, 1 vote): Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Associated Threat Actors
RedDelta (type: Unspecified, 4 votes): RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ

Aqua Blizzard (type: Unspecified, 2 votes): Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be

Gamaredon (type: Unspecified, 2 votes): Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E

Primitive Bear (type: Unspecified, 1 vote): Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors. Since our update i

APT31 (type: Unspecified, 1 vote): APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0

Stardust Chollima (type: Unspecified, 1 vote): Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

APT28 (type: Unspecified, 1 vote): APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the

Evasive Panda (type: Unspecified, 1 vote): Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools

TheWizards (type: Unspecified, 1 vote): TheWizards is a threat actor, potentially China-aligned, known for conducting adversary-in-the-middle attacks. The group exhibits capabilities similar to other known China-aligned threat actors such as Evasive Panda and Mustang Panda (also known as Camaro Dragon), who have been observed deploying ma
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Camaro Dragon threat actor was read from the document corpus below. This display is limited to 20 results.

InfoSecurity-magazine (17 days ago): Eldorado Ransomware Strikes Windows and Linux Networks
InfoSecurity-magazine (4 months ago): Chinese Hackers Target ASEAN Entities in Espionage Campaign
Unit42 (4 months ago): ASEAN Entities in the Spotlight: Chinese APT Group Targeting
CERT-EU (5 months ago): 'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading (5 months ago): 'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs
ESET (6 months ago): NSPX30: A sophisticated AitM-enabled implant evolving since 2005
CERT-EU (8 months ago): How to protect corporate routers and firewalls against hacking
Unit42 (8 months ago): Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific
CERT-EU (10 months ago): Chinese state-backed hackers accidentally infected a European hospital with malware | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU (10 months ago): Hackers Are Dropping USB Drives at Watering Holes | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (a year ago): The latest detected cyberattacks | 27 June 2023
CERT-EU (a year ago): Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware – GIXtools
CERT-EU (a year ago): Leftover Links 02/07/2023: Amazon Antitrust Woes, Windows Security Breaches
CERT-EU (a year ago): Chinese state-backed hackers accidentally infected a European hospital with malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Checkpoint (a year ago): 22nd May – Threat Intelligence Report - Check Point Research
CERT-EU (a year ago): In Other News: Hospital Infected via USB Drive, EU Cybersecurity Rules, Free Security Tools
CERT-EU (a year ago): This Week In Security: Camaro Dragon, RowPress, And RepoJacking
CERT-EU (a year ago): Chinese Hackers Mustang Panda Attacks TP-Link Routers | IT Security News
CERT-EU (a year ago): Camaro Dragon APT Group Exploits TP-Link Routers With Custom Implant