APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [1]

ID: G0025
Associated Groups: Deputy Dog
Version: 1.0
Created: 31 May 2017
Last Modified: 22 March 2019

Associated Group Descriptions

Name Description
Deputy Dog [1]

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1341 Build social network persona

APT17 posted in forum threads and created profile pages in Microsoft TechNet.[1]

PRE-ATT&CK T1342 Develop social network persona digital footprint

APT17 created biographical sections on TechNet profile pages to appear more legitimate.[1]

PRE-ATT&CK T1331 Obfuscate infrastructure

APT17 obfuscated infrastructure using a multi-layered malware beaconing approach. [1]


ID Name References Techniques


Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication