Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).^[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).^[1]^[2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.^[3]

ID: G0019

Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet

Version: 2.0

Created: 31 May 2017

Last Modified: 25 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Naikon has modified a victim's Windows Run registry to establish persistence.^[4]
Enterprise	T1574	.001	Hijack Execution Flow: DLL	Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.^[5]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Naikon renamed a malicious service `taskmgr` to appear to be a legitimate version of Task Manager.^[4]
		.005	Masquerading: Match Legitimate Resource Name or Location	Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.^[4]
Enterprise	T1046		Network Service Discovery	Naikon has used the LadonGo scanner to scan target networks.^[4]
Enterprise	T1137	.006	Office Application Startup: Add-ins	Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.^[5]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Naikon has used malicious e-mail attachments to deliver malware.^[5]
Enterprise	T1018		Remote System Discovery	Naikon has used a netbios scanner for remote machine identification.^[4]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Naikon has used schtasks.exe for lateral movement in compromised networks.^[4]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Naikon uses commands such as `netsh advfirewall firewall` to discover local firewall settings.^[2]
Enterprise	T1016		System Network Configuration Discovery	Naikon uses commands such as `netsh interface show` to discover network interface settings.^[2]
Enterprise	T1204	.002	User Execution: Malicious File	Naikon has convinced victims to open malicious attachments to execute malware.^[5]
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Naikon has used administrator credentials for lateral movement in compromised networks.^[4]
Enterprise	T1047		Windows Management Instrumentation	Naikon has used WMIC.exe for lateral movement.^[4]

Software

ID	Name	References	Techniques
S0456	Aria-body	^[5]^[4]	Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data from Removable Media, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
S0095	ftp	^[2]	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0061	HDoor	^[2]	Impair Defenses: Disable or Modify Tools, Network Service Discovery
S0630	Nebulae	^[4]	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Native API, Non-Application Layer Protocol, Process Discovery, System Information Discovery
S0039	Net	^[2]^[4]	Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108	netsh	^[2]	Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0097	Ping	^[2]^[4]	Remote System Discovery
S0029	PsExec	^[2]	Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0629	RainyDay	^[4]	Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Proxy, Scheduled Task/Job: Scheduled Task, Screen Capture, System Service Discovery
S0055	RARSTONE	^[2]^[1]	File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Injection: Dynamic-link Library Injection
S0058	SslMM	^[2]^[1]	Access Token Manipulation, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, System Information Discovery, System Owner/User Discovery
S0060	Sys10	^[2]	Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, Permission Groups Discovery: Local Groups, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0096	Systeminfo	^[2]	System Information Discovery
S0057	Tasklist	^[2]	Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0059	WinMM	^[2]^[1]	Application Layer Protocol: Web Protocols, Fallback Channels, File and Directory Discovery, Process Discovery, System Information Discovery, System Owner/User Discovery

Naikon

Enterprise Layer

Techniques Used

Software

References