Ke3chang

Threat Actor Profile Updated 24 days ago
Download STIX
Preview STIX
Ke3chang, also known as APT15, Mirage, Vixen Panda GREF, and Playful Dragon, is a prominent threat actor that has been active since at least 2010. According to the European Union Agency for Cybersecurity (ENISA), this group has consistently targeted energy, government, and military sectors. Ke3chang is linked to various arms of China’s People’s Liberation Army or government, along with other groups such as APT27, APT30, APT31, GALLIUM, and Mustang Panda. Notably, between March 2022 and early 2023, Ke3chang targeted a government finance department in the Americas. Ke3chang's activities have evolved over time, with recent developments including the creation of Graphican's backdoor, an evolution of its signature Ketrican malware. This toolset, while associated with APT15 by Symantec, is linked to Ke3chang by Sekoia.io analysts and ESET, indicating a possible overlap in the operations of these threat actors. Other threat actors have also demonstrated similar patterns of targeting financial institutions and organizations financing infrastructure projects, such as Tropic Trooper targeting Taiwanese financial institutions, Witchetty targeting an African stock exchange, and Gallium targeting an organization financing urban infrastructure development projects in Nepal. The group's tactics, techniques, and procedures (TTPs) have been closely studied and emulated in real-world testing scenarios, underscoring their sophistication and effectiveness. For example, SE Labs replicated the TTPs of Ke3chang, among others, in their testing. Moreover, researchers at Eset attributed campaigns to a threat group tracked as Gref, which overlaps with activity also ascribed to groups including APT15, Vixen Panda, and Ke3chang. In another instance, the Chinese state-sponsored operation Flea, also known as APT15 and Ke3chang, leveraged a novel Graphican backdoor in attacks against foreign affairs ministries across the Americas between late 2022 and early 2023.
What's your take? (Question 1 of 5)
1b38c397-8007-44ff-9303-151b2a32e4be Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
APT15
2
APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
KetricanUnspecified
2
Ketrican is a type of malware, or malicious software, that was developed to exploit and damage computer systems. It's associated with the Ke3chang group and is known for its ability to infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, Ketrican can steal pers
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Mustang PandaUnspecified
4
Mustang Panda, also known as Earth Preta, Camaro Dragon, Bronze President, TA416, and Stately Taurus, is a Chinese state-backed advanced persistent threat (APT) group known for its malicious cyber activities. The group has targeted numerous countries across Asia, including Taiwan, Vietnam, India, Ja
APT27Unspecified
2
APT27, also known as Iron Taurus, is a threat actor suspected to be originating from China. The group primarily engages in cyber operations with the goal of intellectual property theft, targeting organizations globally including those in North and South America, Europe, and the Middle East. APT27 ut
APT30Unspecified
2
APT30, a threat actor suspected to be attributed to China, has been active since at least 2005. This group primarily targets members of the Association of Southeast Asian Nations (ASEAN). APT30 is notable for its sustained activity over an extended period and its ability to adapt and modify source c
APT31Unspecified
2
APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0
GALLIUMUnspecified
2
Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Ke3chang Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Operation “Ke3chang”: Targeted attacks against ministries of foreign affairs | Mandiant
Securityaffairs
a year ago
ENISA and CERT-EU warns Chinese APTs targeting EU organizations
DARKReading
a year ago
ESET APT Report: Attacks by China-, North Korea-, and Iran-aligned Threat Actors; Russia Eyes Ukraine and the EU
CERT-EU
a year ago
Europa vermehrt im Visier chinesischer und russischer Ausspähversuche | ZDNet.de
Unit42
a year ago
Chinese Playful Taurus Activity in Iran
CERT-EU
8 months ago
Multiple Chinese APTs are attacking European targets, EU cyber agency warns | #ukscams | #datingscams | #european | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU
8 months ago
My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
ESET
a year ago
ESET APT Activity Report Q4 2022­–Q1 2023 | WeLiveSecurity
CERT-EU
a year ago
EU Organizations Warned of Chinese APT Attacks
CERT-EU
10 months ago
Stay informed with threat reports
MITRE
a year ago
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
CERT-EU
a year ago
Novel Graphican backdoor leveraged in Chinese APT attacks against foreign ministries
BankInfoSecurity
9 months ago
Chinese APT Uses Fake Messenger Apps to Spy on Android Users
CERT-EU
a year ago
Flea APT’s latest campaign targets foreign affairs ministries with new Graphican backdoor
CrowdStrike
10 months ago
CrowdStrike Scores 100% in SE Labs 2023 Q2 EAS Test | CrowdStrike