Poison Ivy

Malware Profile Updated 2 months ago
Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. The malware has been linked to other harmful programs such as FakeM MSN, BiFrost, Elirks, and PlugX; overlaps in PE resources and shared infrastructure indicate that the same developer may have been involved in creating these samples. Poison Ivy has been used in attacks dating back to 2009, and traces of its use have been found in the network infrastructure of HenBox. A modified variant of Poison Ivy has also been observed that appears to be unique to the threat group GALLIUM.

Poison Ivy has been used in several Advanced Persistent Threat (APT) campaigns, including the "menuPass" campaign of 2016, which targeted Japanese academics and organizations; other well-known malware, such as PlugX, ShadowPad, and Gh0st RAT, was used alongside Poison Ivy in those attacks. APT1 intruders occasionally use publicly available backdoors like Poison Ivy, but they predominantly use their own custom backdoors. Another threat group, IndigoZebra, used Poison Ivy in covert operations targeting former Soviet republics. The malware was also part of a campaign likely intended to monitor Hong Kong media during periods of crisis, demonstrating its widespread use in global cyber-espionage activity.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

GALLIUM (1 vote): Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Rat, Malware, Espionage, Web Shell, Encryption, Payload, Beacon, Apt, Dropbox, Backdoor, Trojan
Associated Malware
Each entry lists the profile ID, association type, vote count, and the profile description.

PlugX (type: Unspecified; 2 votes): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It

FakeM (type: Unspecified; 1 vote): FakeM is a malware family first exposed in 2013 by Trend Micro, named for its command and control traffic mimicking Windows Messenger and Yahoo. The malware primarily operates as a Windows backdoor, used extensively by the cyber-espionage group Scarlet Mimic. Since its exposure, FakeM has undergone

xCaon (type: Unspecified; 1 vote): xCaon is a malicious software, or malware, that has been used in cyber-espionage operations for several years, particularly by the Chinese-speaking APT actor "IndigoZebra." The earliest identified samples date back to 2014. This malware family has targeted governmental agencies in Central Asia and f

BoxCaon (type: Unspecified; 1 vote): BoxCaon is a newly discovered malware variant attributed to the xCaon family, based on code and functionality similarities. It is an updated backdoor that uses Dropbox, a legitimate cloud-storage service, as its Command and Control (C&C) server. This particular variant, named BoxCaon, was found targe

gh0st RAT (type: Unspecified; 1 vote): Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's

China Chopper (type: Unspecified; 1 vote): China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated

YAHOYAH (type: Unspecified; 1 vote): Yahoyah is a type of malware that can infect your computer or device without your knowledge and cause harm such as stealing personal information, disrupting operations, or holding data hostage for ransom. The cybersecurity community has confirmed that the group behind Yahoyah has also used other mal

Ghost (type: is related to; 1 vote): Ghost is a sophisticated malware that has been linked to various cyber threats and attacks. In 2020, there was a significant bilateral CDU/MDANG Ex Cyber Ghost operation in the works, hinting at its growing prominence. It uses techniques such as ghost spoofing, where the sender's name contains an au

Meterpreter (type: Unspecified; 1 vote): Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste

Quarkbandit (type: Unspecified; 1 vote): None

ChChes (type: Unspecified; 1 vote): ChChes is a malware family that has been linked to the Advanced Persistent Threat (APT) group known as "menuPass." The malware was first identified in 2016 when it was used to target Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChC

Bifrost (type: Unspecified; 1 vote): Bifrost is a remote access Trojan (RAT) that has been active since 2004, designed to gather sensitive information such as hostname and IP address from compromised systems. The malware has evolved over time, with notable ties to other Trojans like FakeM MSN, Elirks, and Poison Ivy, suggesting the sam
Associated Threat Actors
Each entry lists the profile ID, association type, vote count, and the profile description.

IndigoZebra (type: Unspecified; 1 vote): IndigoZebra is a threat actor, or Advanced Persistent Threat (APT) group, suspected of originating from China and known for its cyber-espionage operations. The group first gained attention in August 2017 when Kaspersky detailed a covert operation targeting former Soviet Republics, deploying a wide r

APT1 (type: Unspecified; 1 vote): APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak

menuPass (type: Unspecified; 1 vote): MenuPass, also known as APT10, Stone Panda, and ALPHV BlackCat, is a threat actor suspected to be linked to the Chinese government. This cyber espionage group has been active since at least 2009, according to Mandiant, and has targeted a wide range of sectors including construction, engineering, aer
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Poison Ivy malware was read from the document corpus below. This display is limited to 20 results. Each entry lists the source, when it was created, and the document title.

CERT-EU, 7 months ago: The most-read Colorado news of 2023, from Casa Bonita to Bigfoot and Boebert
MITRE, a year ago: menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
CERT-EU, a year ago: Space Pirates: analyzing the tools and connections of a new hacker group
MITRE, a year ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, a year ago: IndigoZebra APT Hacking Campaign Targets the Afghan Government
MITRE, a year ago: China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets | Mandiant
MITRE, a year ago: GALLIUM: Targeting global telecom
MITRE, a year ago: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
MITRE, a year ago: Mustang Panda | Threat Actor Profile | CrowdStrike
MITRE, a year ago: New Wekby Attacks Use DNS Requests As Command and Control Mechanism
MITRE, a year ago: IndigoZebra APT continues to attack Central Asia with evolving tools - Check Point Research
MITRE, a year ago: Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists