G1023 APT5

APT5 is a China-based espionage actor that has been active since at least 2007, primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software, including through the use of zero-day exploits. [5][4][6][7][1][2]

ID: G1023
Associated Names: Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630
Version: 1.1
Created: 05 February 2024
Last Modified: 04 April 2025

Associated Group Descriptions

Name (with references)
Mulberry Typhoon [3][4]
MANGANESE [3][5]
BRONZE FLEETWOOD [8]
Keyhole Panda [3][8]
UNC2630 [5]

Techniques Used

All techniques listed below belong to the Enterprise domain. Sub-techniques are indented under their parent technique; bracketed numbers are citations to the References section.

T1098 Account Manipulation
  T1098.007 Additional Local or Domain Groups: APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation. [7]
T1583 Acquire Infrastructure
  T1583.003 Virtual Private Server: SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network. [9]
  T1583.005 Botnet: APT5 has acquired a network of compromised systems, specifically an ORB (operational relay box) network, for follow-on activities. [9]
T1560 Archive Collected Data
  T1560.001 Archive via Utility: APT5 has used the JAR/ZIP file format for exfiltrated files. [7]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: APT5 has used PowerShell to accomplish tasks within targeted environments. [7]
  T1059.003 Windows Command Shell: APT5 has used cmd.exe for execution on compromised systems. [7]
T1554 Compromise Host Software Binary: APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs, including the legitimate DSUpgrade.pm file, to install the ATRIUM webshell for persistence. [6][7]
T1136 Create Account
  T1136.001 Local Account: APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation. [7]
T1074 Data Staged
  T1074.001 Local Data Staging: APT5 has staged data on compromised systems prior to exfiltration, often in C:\Users\Public. [7]
T1190 Exploit Public-Facing Application: APT5 has exploited vulnerabilities in externally facing software and devices, including Pulse Secure VPNs and Citrix Application Delivery Controllers. [6][7][5][4]
T1083 File and Directory Discovery: APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs. [7]
T1562 Impair Defenses
  T1562.006 Indicator Blocking: APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring. [7]
T1070 Indicator Removal: APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs. [6][7]
  T1070.003 Clear Command History: APT5 has cleared the command history on targeted ESXi servers. [7]
  T1070.004 File Deletion: APT5 has deleted scripts and web shells to evade detection. [6][7]
  T1070.006 Timestomp: APT5 has modified file timestamps. [7]
T1056 Input Capture
  T1056.001 Keylogging: APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities. [1][2]
T1654 Log Enumeration: APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs. [7]
T1036 Masquerading
  T1036.005 Match Legitimate Resource Name or Location: APT5 has named exfiltration archives to mimic Windows Updates, at times using filenames with a KB<digits>.zip pattern. [7]
T1588 Obtain Capabilities
  T1588.002 Tool: SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes. [9]
T1003 OS Credential Dumping
  T1003.001 LSASS Memory: APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped cleartext passwords and hashes from memory using Mimikatz hosted through an RDP-mapped drive. [7]
  T1003.002 Security Account Manager: APT5 has copied and exfiltrated the SAM Registry hive from targeted systems. [7]
T1057 Process Discovery: APT5 has used Windows-based utilities, including tasklist.exe, to carry out tasks. [7]
T1055 Process Injection: APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality. [7]
T1090 Proxy
  T1090.003 Multi-hop Proxy: SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications. [9]
T1021 Remote Services
  T1021.001 Remote Desktop Protocol: APT5 has moved laterally throughout victim environments using RDP. [7]
  T1021.004 SSH: APT5 has used SSH for lateral movement in compromised environments, including for enabling access to ESXi host servers. [7]
T1053 Scheduled Task/Job
  T1053.003 Cron: APT5 has made modifications to the crontab file, including in /var/cron/tabs/. [5]
T1505 Server Software Component
  T1505.003 Web Shell: APT5 has installed multiple web shells on compromised servers, including on Pulse Secure VPN appliances. [6][7]
T1049 System Network Connections Discovery: APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs. [7]
T1078 Valid Accounts
  T1078.002 Domain Accounts: APT5 has used legitimate account credentials to move laterally through compromised environments. [6]
  T1078.004 Cloud Accounts: APT5 has accessed Microsoft M365 cloud environments using stolen credentials. [7]

Software

Each entry gives the software ID, name, citation, and the techniques it implements (parent technique, then sub-technique where one applies, separated by semicolons).

S0032 gh0st RAT [8]
  Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Fast Flux DNS; Encrypted Channel: Symmetric Cryptography; Encrypted Channel; Hijack Execution Flow: DLL; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; System Binary Proxy Execution: Rundll32; System Information Discovery; System Services: Service Execution

S0002 Mimikatz [7]
  Techniques: Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket

S0039 Net [7]
  Techniques: Account Discovery: Domain Account; Account Discovery: Local Account; Account Manipulation: Additional Local or Domain Groups; Create Account: Local Account; Create Account: Domain Account; Indicator Removal: Network Share Connection Removal; Network Share Discovery; Password Policy Discovery; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Remote Services: SMB/Windows Admin Shares; Remote System Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; System Time Discovery

S0104 netstat [7]
  Techniques: System Network Connections Discovery

S1109 PACEMAKER [6]
  Techniques: Automated Collection; Command and Scripting Interpreter: Unix Shell; Data Staged: Local Data Staging; File and Directory Discovery; OS Credential Dumping: Proc Filesystem; Process Injection: Ptrace System Calls

S1050 PcShare [8]
  Techniques: Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Deobfuscate/Decode Files or Information; Event Triggered Execution: Component Object Model Hijacking; Exfiltration Over C2 Channel; Indicator Removal: File Deletion; Input Capture: Keylogging; Masquerading: Match Legitimate Resource Name or Location; Masquerading: Invalid Code Signature; Modify Registry; Native API; Obfuscated Files or Information: Compression; Obfuscated Files or Information: Encrypted/Encoded File; Process Discovery; Process Injection; Query Registry; Screen Capture; System Binary Proxy Execution: Rundll32; System Network Configuration Discovery; Video Capture

S0012 PoisonIvy [2]
  Techniques: Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Active Setup; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit

S1108 PULSECHECK [6]
  Techniques: Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Unix Shell; Data Encoding: Standard Encoding; Server Software Component: Web Shell

S1113 RAPIDPULSE [7]
  Techniques: Data from Local System; Deobfuscate/Decode Files or Information; Obfuscated Files or Information: Encrypted/Encoded File; Server Software Component: Web Shell

S0007 Skeleton Key [8]
  Techniques: Modify Authentication Process: Domain Controller Authentication

S1110 SLIGHTPULSE [6][7]
  Techniques: Application Layer Protocol: Web Protocols; Command and Scripting Interpreter; Data Encoding: Standard Encoding; Data from Local System; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Server Software Component: Web Shell

S1104 SLOWPULSE [6]
  Techniques: Compromise Host Software Binary; Data Staged: Local Data Staging; Modify Authentication Process: Network Device Authentication; Modify Authentication Process: Multi-Factor Authentication; Multi-Factor Authentication Interception; Obfuscated Files or Information

S0057 Tasklist [7]
  Techniques: Process Discovery; Software Discovery: Security Software Discovery; System Service Discovery

References