Skip to content

G0022 APT3

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security.12 This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.13 As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.4

In 2017, MITRE developed an APT3 Adversary Emulation Plan.5

Item Value
ID G0022
Associated Names Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Version 1.4
Created 31 May 2017
Last Modified 01 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Gothic Panda 6 2 4
Pirpi 6
UPS Team 1 2 4
Buckeye 4
Threat Group-0110 2 4
TG-0110 2 4

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.4
enterprise T1098 Account Manipulation APT3 has been known to add created accounts to local admin groups to maintain elevated access.9
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT3 has used tools to compress data before exfilling it.9
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT3 places scripts in the startup folder for persistence.3
enterprise T1110 Brute Force -
enterprise T1110.002 Password Cracking APT3 has been known to brute force password hashes to be able to leverage plain text credentials.5
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT3 has used PowerShell on victim systems to download and run payloads after exploitation.3
enterprise T1059.003 Windows Command Shell An APT3 downloader uses the Windows command “cmd.exe” /C whoami. The group also uses a tool to execute commands on remote computers.34
enterprise T1136 Create Account -
enterprise T1136.001 Local Account APT3 has been known to create or enable accounts, such as support_388945a0.9
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service APT3 has a tool that creates a new service for persistence.3
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers APT3 has used tools to dump passwords from browsers.4
enterprise T1005 Data from Local System APT3 will identify Microsoft Office documents on the victim’s computer.9
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging APT3 has been known to stage files for exfiltration in a single location.9
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.9
enterprise T1041 Exfiltration Over C2 Channel APT3 has a tool that exfiltrates data over the C2 channel.7
enterprise T1203 Exploitation for Client Execution APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.17
enterprise T1083 File and Directory Discovery APT3 has a tool that looks for files and directories on the local file system.78
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.3
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.711
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion APT3 has a tool that can delete files.7
enterprise T1105 Ingress Tool Transfer APT3 has a tool that can copy files to remote machines.7
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging APT3 has used a keylogging tool that records keystrokes in encrypted files.4
enterprise T1104 Multi-Stage Channels An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.3
enterprise T1095 Non-Application Layer Protocol An APT3 downloader establishes SOCKS5 connections for its initial C2.3
enterprise T1027 Obfuscated Files or Information APT3 obfuscates files or information to help evade defensive measures.4
enterprise T1027.002 Software Packing APT3 has been known to pack their tools.51
enterprise T1027.005 Indicator Removal from Tools APT3 has been known to remove indicators of compromise from tools.5
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument “dig.”4
enterprise T1069 Permission Groups Discovery APT3 has a tool that can enumerate the permissions associated with Windows groups.4
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link APT3 has sent spearphishing emails containing malicious links.1
enterprise T1057 Process Discovery APT3 has a tool that can list out currently running processes.78
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy An APT3 downloader establishes SOCKS5 connections for its initial C2.3
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol APT3 enables the Remote Desktop Protocol for persistence.9 APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.10
enterprise T1021.002 SMB/Windows Admin Shares APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.4
enterprise T1018 Remote System Discovery APT3 has a tool that can detect the existence of remote systems.47
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn “mysc” /tr C:\Users\Public\test.exe /sc ONLOGON /ru “System”.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 APT3 has a tool that can run DLLs.7
enterprise T1082 System Information Discovery APT3 has a tool that can obtain information about the local system.48
enterprise T1016 System Network Configuration Discovery A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.48
enterprise T1049 System Network Connections Discovery APT3 has a tool that can enumerate current network connections.478
enterprise T1033 System Owner/User Discovery An APT3 downloader uses the Windows command “cmd.exe” /C whoami to verify that it is running with the elevated privileges of “System.”3
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.4
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT3 has lured victims into clicking malicious links delivered through spearphishing.1
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts APT3 leverages valid accounts after gaining credentials for use within the victim domain.4


ID Name References Techniques
S0349 LaZagne - Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Password Stores Cached Domain Credentials:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping LSA Secrets:OS Credential Dumping /etc/passwd and /etc/shadow:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0165 OSInfo - Local Account:Account Discovery Domain Account:Account Discovery Network Share Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Query Registry Remote System Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery
S0013 PlugX - DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Search Order Hijacking:Hijack Execution Flow DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Multiband Communication Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0166 RemoteCMD - Ingress Tool Transfer Scheduled Task:Scheduled Task/Job Service Execution:System Services
S0111 schtasks - Scheduled Task:Scheduled Task/Job
S0063 SHOTPUT - Local Account:Account Discovery File and Directory Discovery Obfuscated Files or Information Process Discovery Remote System Discovery System Network Connections Discovery


Back to top