TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Aliases: TA459
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1203 | Exploitation for Client Execution | TA459 has exploited the Microsoft Word vulnerability CVE-2017-0199 for execution. [1]
Enterprise | T1086 | PowerShell | TA459 has used PowerShell to execute a payload. [1]
Enterprise | T1064 | Scripting | TA459 has used a VBScript for execution. [1]
Enterprise | T1193 | Spearphishing Attachment | TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. [1]
Enterprise | T1204 | User Execution | TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing. [1]


Software

ID | Name | Techniques
S0032 | gh0st | Command-Line Interface, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, Process Discovery, Rundll32
S0033 | NetTraveler | Application Window Discovery, Input Capture
S0013 | PlugX | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, DLL Side-Loading, Execution through API, Masquerading, Multiband Communication, New Service, Query Registry, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, Trusted Developer Utilities, Web Service
S0230 | ZeroT | Binary Padding, Bypass User Account Control, Data Obfuscation, Deobfuscate/Decode Files or Information, DLL Side-Loading, New Service, Obfuscated Files or Information, Remote File Copy, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery