Iron Tiger

Threat Actor updated 23 days ago (2024-11-29T14:49:12.635Z)
Download STIX
Preview STIX
Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities have been tracked back to at least 2015, when they were implicated in Operation Iron Tiger, an extensive espionage campaign that utilized the Gh0st RAT malware variant. The Iron Tiger group has demonstrated a broad range of capabilities and tools throughout its operational history. In 2017, it was observed using the HyperBro malware family. By 2018, the NCC Group reported a variant of Gh0st RAT being used by Iron Tiger. Another notable tool in their arsenal is Win.NOODLERAT, a shellcode-formed in-memory modular backdoor, which has been used for espionage purposes not only by Iron Tiger but also by other unknown clusters and groups like Calypso APT. Iron Tiger's operations have shown significant overlaps with other threat actors and campaigns. For instance, one of the main Diplomatic Specter C2 servers was used in campaigns attributed to Space Pirates in Operation Iron Tiger, tied to Iron Taurus (APT27), and Operation Exorcist, which targeted the Catholic Church and had overlaps with Mustang Panda (Stately Taurus). This group has targeted users across multiple operating systems, including Windows, Linux, and macOS, further demonstrating their broad reach and technical prowess.
Description last updated: 2024-09-25T13:20:28.073Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT27 is a possible alias for Iron Tiger. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
4
SysUpdate is a possible alias for Iron Tiger. SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w
4
Iron Taurus is a possible alias for Iron Tiger. Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio
3
Emissary Panda is a possible alias for Iron Tiger. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Linux
Rat
Windows
Rootkit
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The gh0st RAT Malware is associated with Iron Tiger. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation DiploUnspecified
3
The ASPXSpy Malware is associated with Iron Tiger. ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerableUnspecified
2
Source Document References
Information about the Iron Tiger Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
3 months ago
InfoSecurity-magazine
6 months ago
Trend Micro
6 months ago
BankInfoSecurity
7 months ago
Unit42
7 months ago
CERT-EU
a year ago
Securityaffairs
a year ago
Unit42
a year ago
Unit42
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
Trend Micro
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
Checkpoint
2 years ago
CERT-EU
2 years ago