Iron Tiger

Threat Actor updated 2 months ago (2024-09-25T14:01:37.870Z)

Download STIX

Preview STIX

Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities have been tracked back to at least 2015, when they were implicated in Operation Iron Tiger, an extensive espionage campaign that utilized the Gh0st RAT malware variant. The Iron Tiger group has demonstrated a broad range of capabilities and tools throughout its operational history. In 2017, it was observed using the HyperBro malware family. By 2018, the NCC Group reported a variant of Gh0st RAT being used by Iron Tiger. Another notable tool in their arsenal is Win.NOODLERAT, a shellcode-formed in-memory modular backdoor, which has been used for espionage purposes not only by Iron Tiger but also by other unknown clusters and groups like Calypso APT. Iron Tiger's operations have shown significant overlaps with other threat actors and campaigns. For instance, one of the main Diplomatic Specter C2 servers was used in campaigns attributed to Space Pirates in Operation Iron Tiger, tied to Iron Taurus (APT27), and Operation Exorcist, which targeted the Catholic Church and had overlaps with Mustang Panda (Stately Taurus). This group has targeted users across multiple operating systems, including Windows, Linux, and macOS, further demonstrating their broad reach and technical prowess.

Description last updated: 2024-09-25T13:20:28.073Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT27 is a possible alias for Iron Tiger. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the	4
SysUpdate is a possible alias for Iron Tiger. SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w	4
Iron Taurus is a possible alias for Iron Tiger. Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio	3
Emissary Panda is a possible alias for Iron Tiger. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Linux

Rat

Windows

Rootkit

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The gh0st RAT Malware is associated with Iron Tiger. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplo	Unspecified	3
The ASPXSpy Malware is associated with Iron Tiger. ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable	Unspecified	2

Source Document References

Information about the Iron Tiger Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	2 months ago	10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More - Check Point Research
InfoSecurity-magazine	5 months ago	Chinese Hackers Leveraging 'Noodle RAT' Backdoor
Trend Micro	5 months ago	Noodle RAT Reviewing the New Backdoor Used by Chinese-Speaking Groups
BankInfoSecurity	6 months ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42	6 months ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU	a year ago	New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data
Securityaffairs	a year ago	Is Gelsemium APT behind an attack in Southeast Asian Govt?
Unit42	a year ago	Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Unit42	a year ago	Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
CERT-EU	2 years ago	Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more \| IT World Canada News
CERT-EU	a year ago	Researchers Leverage ChatGPT to Expose Notorious macOS Malware
CERT-EU	2 years ago	Iron Tiger updates malware to target Linux platform
MITRE	2 years ago	Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
MITRE	2 years ago	Chinese Hackers Carried Out Country-Level Watering Hole Attack
MITRE	2 years ago	Decoding network data from a Gh0st RAT variant
Trend Micro	2 years ago	Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
DARKReading	2 years ago	Linux Support Expands Cyber Spy Group's Arsenal
CERT-EU	2 years ago	Хакеры Iron Tiger распространяют Linux-версию своей вредоносной программы SysUpdate
Checkpoint	2 years ago	6th March – Threat Intelligence Report - Check Point Research
CERT-EU	2 years ago	安全事件周报 2023-02-27 第9周 - 360CERT