SPACEHOP Activity

SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.[1]

ID: C0052
First Seen: January 2019 [1]
Last Seen: May 2024 [1]
Version: 1.0
Created: 25 March 2025
Last Modified: 27 March 2025

Groups

ID     Name      Description
G1023  APT5      [1]
G0004  Ke3chang  [1]

Techniques Used

Domain      ID         Name
Enterprise  T1583.003  Acquire Infrastructure: Virtual Private Server
    Use: SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[1]

Enterprise  T1190      Exploit Public-Facing Application
    Use: SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.[2][1]

Enterprise  T1588.002  Obtain Capabilities: Tool
    Use: SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes.[1]

Enterprise  T1090.003  Proxy: Multi-hop Proxy
    Use: SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[1]

References