PassCV is a threat actor, or hacking team, that has been identified as part of the Chinese intelligence apparatus. The group has been tracked under various names, including Winnti, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF, indicating a broad and complex network of cyber operations. The group is known for its malicious activity. One method PassCV has employed is signing its malware with stolen code signing certificates, as reported by the cybersecurity firm Cylance in 2016.
The PassCV group gained significant attention when it was discovered that one of the NetWire binaries it used was signed with a stolen certificate. That certificate was directly linked to the Cylance report mentioned above, providing further evidence of PassCV's involvement in these attacks. Stolen certificates let the group infiltrate systems more easily, because signed malware appears legitimate and trustworthy to unsuspecting victims and to the systems that check signatures.
More recently, researchers have identified PassCV among more than two dozen threat actors hosting command-and-control (C2) servers on Cloudzy infrastructure. These groups span multiple countries and include other Chinese actors such as Operation Dragon Castling, APT10, and BlackTech/Circuit Panda, as well as actors from India, Iran, North Korea, Pakistan, Russia, Vietnam, and Israel, and various cybercriminal groups. This discovery underscores the widespread reach and influence of PassCV within the global landscape of cyber threats.
Description last updated: 2024-05-05T00:53:17.250Z