APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [1]

ID: G0026
Aliases: APT18, TG-0416, Dynamite Panda, Threat Group-0416
Version: 1.0

Alias Descriptions

Name | Description
APT18 | [3]
TG-0416 | [3]
Dynamite Panda | [3]
Threat Group-0416 | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1133 | External Remote Services | APT18 actors leverage legitimate credentials to log into external remote services. [2]
Enterprise | T1107 | File Deletion | APT18 actors deleted tools and batch files from victim systems. [1]
Enterprise | T1053 | Scheduled Task | APT18 actors used the native Windows at task scheduler tool to create scheduled tasks for execution on a victim network. [1]
Enterprise | T1078 | Valid Accounts | APT18 actors leverage legitimate credentials to log into external remote services. [2]

Software

ID | Name | Techniques
S0106 | cmd | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0032 | gh0st | Command-Line Interface, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, Process Discovery, Rundll32
S0071 | hcdLoader | Command-Line Interface, New Service
S0070 | HTTPBrowser | Command-Line Interface, Commonly Used Port, DLL Search Order Hijacking, DLL Side-Loading, File and Directory Discovery, File Deletion, Input Capture, Masquerading, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0124 | Pisloader | Command-Line Interface, Data Encoding, File and Directory Discovery, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery

References