TA416

Threat Actor updated 6 months ago (2024-05-04T18:25:55.653Z)
Download STIX
Preview STIX
TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a PlugX payload, which remains constant even though the components in this infection chain are regularly changing. This APT group has been known by several names such as Mustang Panda, Red Lich, Earth Preta, HoneyMyte, and Bronze President, Camaro Dragon, and LuminousMoth. In 2020, there were several espionage campaigns carried out by China's TA416 against Catholic Church and diplomatic groups, indicating a pattern of cyber espionage. Additionally, there have been other APTs with similar tactics, techniques, and procedures (TTPs), such as the Winter Vivern APT, which resurfaced after two years of hibernation. In late 2021, a Russian-aligned attacker took down the Vatican website in a suspected hacker attack. The discovery of a TA416 malware campaign during an investigation into an attack on a healthcare institution in Europe shed light on the activities of this APT group. The campaign involved the use of a Zip file with a geopolitically themed title shared with a PDF decoy that would later be downloaded as part of the infection chain. While this campaign's tactics are highly similar to the Trident Loader method used by TA416 in previous campaigns, the components in the infection chain regularly change.
Description last updated: 2023-06-23T22:16:07.280Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Mustang Panda is a possible alias for TA416. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PlugX Malware is associated with TA416. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to sUnspecified
2
Source Document References
Information about the TA416 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
DARKReading
2 years ago