C0052 SPACEHOP Activity
SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS) that are provisioned as an Operational Relay Box (ORB) network. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors, such as APT5 and Ke3chang, to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]
| Item | Value |
|---|---|
| ID | C0052 |
| Associated Names | |
| First Seen | January 2019 |
| Last Seen | May 2024 |
| Version | 1.0 |
| Created | 25 March 2025 |
| Last Modified | 27 March 2025 |
Groups
| ID | Name | References |
|---|---|---|
| G1023 | APT5 | 1 |
| G0004 | Ke3chang | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[1] |
| enterprise | T1190 | Exploit Public-Facing Application | SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.[2][1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[1] |