Iron Tiger

Threat Actor updated 3 months ago (2024-06-11T09:17:41.682Z)
Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group that conducts intrusions for the purpose of espionage. The group became prominent through its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage attacks targeting U.S. defense contractors. During this operation the group used a variant of Gh0st RAT, an infamous remote access trojan, as evidenced by the string observed in the malware variant.

After the 2015 operations, Iron Tiger continued to evolve and adapt its techniques. From at least 2017, it started using the HyperBro malware family. In 2018, NCC Group reported that Iron Tiger used another variant of Gh0st RAT. The group has also been associated with the use of Win.NOODLERAT, an in-memory modular backdoor, alongside other threat actors such as Calypso APT in various espionage campaigns. Iron Tiger's activities have not been limited to any specific operating system, posing threats to Windows, Linux, and macOS users alike.

The group has connections with other China-aligned actors such as Space Pirates in Operation Iron Tiger, and overlaps with Mustang Panda (aka Stately Taurus) in Operation Exorcist. It also reportedly used one of the AspxSpy web shells employed by Gelsemium in Operation Iron Tiger. Overall, Iron Tiger represents a persistent and evolving cyber threat with ties to several significant operations and threat actors.
Description last updated: 2024-06-11T09:16:33.895Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| APT27 | 4 | APT27, also known as Iron Taurus, is a threat actor group suspected to be attributed to China. Engaging in cyber operations with the primary goal of intellectual property theft, APT27 targets organizations globally, with a focus on North and South America, Europe, and the Middle East. The group's mo |
| SysUpdate | 4 | SysUpdate is a malicious software variant that has been exclusively used by Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix. In December 2020, a sample of the SysUpdate malware variant was found, with its payload being a new version of SysUpdate. |
| Iron Taurus | 3 | Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio |
| Emissary Panda | 2 | Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Lucky Mouse, and Budworm, is a notable threat actor linked to China. This group has been engaged in the theft of intellectual property from organizations in sectors that China perceives as being of vital strategic interest. The group has |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Linux
Rat
Windows
Rootkit
Espionage
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| gh0st RAT | Unspecified | 3 | Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's |
| ASPXSpy | Unspecified | 2 | ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable |
Source Document References
Information about the Iron Tiger Threat Actor was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| InfoSecurity-magazine | 3 months ago | Chinese Hackers Leveraging 'Noodle RAT' Backdoor |
| Trend Micro | 3 months ago | Noodle RAT Reviewing the New Backdoor Used by Chinese-Speaking Groups |
| BankInfoSecurity | 3 months ago | Active Chinese Cyberespionage Campaign Rifling Email Servers |
| Unit42 | 3 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia |
| CERT-EU | 9 months ago | New JaskaGO Malware Targets Mac and Windows for Crypto, Browser Data |
| Securityaffairs | a year ago | Is Gelsemium APT behind an attack in Southeast Asian Govt? |
| Unit42 | a year ago | Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda |
| Unit42 | a year ago | Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government |
| CERT-EU | 2 years ago | Cyber Security Today, March 3, 2023 – Bootkit can compromise Windows 11, a hacked container found and more \| IT World Canada News |
| CERT-EU | a year ago | Researchers Leverage ChatGPT to Expose Notorious macOS Malware |
| CERT-EU | 2 years ago | Iron Tiger updates malware to target Linux platform |
| MITRE | 2 years ago | Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware |
| MITRE | 2 years ago | Chinese Hackers Carried Out Country-Level Watering Hole Attack |
| MITRE | 2 years ago | Decoding network data from a Gh0st RAT variant |
| Trend Micro | 2 years ago | Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting |
| DARKReading | 2 years ago | Linux Support Expands Cyber Spy Group's Arsenal |
| CERT-EU | 2 years ago | Iron Tiger Hackers Distribute a Linux Version of Their SysUpdate Malware |
| Checkpoint | 2 years ago | 6th March – Threat Intelligence Report - Check Point Research |
| CERT-EU | 2 years ago | Security Incident Weekly Report 2023-02-27, Week 9 - 360CERT |
| Flashpoint | a year ago | No title |