Ke3chang

Threat Actor updated 23 days ago (2024-11-29T14:15:45.402Z)
Download STIX
Preview STIX
Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang is linked to various arms of China’s People’s Liberation Army or government, along with other groups such as APT27, APT30, APT31, GALLIUM, and Mustang Panda. Notably, between March 2022 and early 2023, Ke3chang targeted a government finance department in the Americas. Ke3chang's activities have evolved over time, with recent developments including the creation of Graphican's backdoor, an evolution of its signature Ketrican malware. This toolset, while associated with APT15 by Symantec, is linked to Ke3chang by Sekoia.io analysts and ESET, indicating a possible overlap in the operations of these threat actors. Other threat actors have also demonstrated similar patterns of targeting financial institutions and organizations financing infrastructure projects, such as Tropic Trooper targeting Taiwanese financial institutions, Witchetty targeting an African stock exchange, and Gallium targeting an organization financing urban infrastructure development projects in Nepal. The group's tactics, techniques, and procedures (TTPs) have been closely studied and emulated in real-world testing scenarios, underscoring their sophistication and effectiveness. For example, SE Labs replicated the TTPs of Ke3chang, among others, in their testing. Moreover, researchers at Eset attributed campaigns to a threat group tracked as Gref, which overlaps with activity also ascribed to groups including APT15, Vixen Panda, and Ke3chang. In another instance, the Chinese state-sponsored operation Flea, also known as APT15 and Ke3chang, leveraged a novel Graphican backdoor in attacks against foreign affairs ministries across the Americas between late 2022 and early 2023.
Description last updated: 2024-05-04T18:50:03.217Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT15 is a possible alias for Ke3chang. APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ketrican Malware is associated with Ke3chang. Ketrican is a type of malware, or malicious software, that was developed to exploit and damage computer systems. It's associated with the Ke3chang group and is known for its ability to infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, Ketrican can steal persUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mustang Panda Threat Actor is associated with Ke3chang. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modifUnspecified
4
The APT27 Threat Actor is associated with Ke3chang. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the Unspecified
2
The APT30 Threat Actor is associated with Ke3chang. APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source cUnspecified
2
The APT31 Threat Actor is associated with Ke3chang. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis byUnspecified
2
The GALLIUM Threat Actor is associated with Ke3chang. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tarUnspecified
2
Source Document References
Information about the Ke3chang Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
MITRE
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CrowdStrike
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
MITRE
2 years ago
Unit42
2 years ago
CERT-EU
2 years ago
Securityaffairs
2 years ago
CERT-EU
2 years ago
DARKReading
2 years ago
ESET
2 years ago