1. Home
  2. Groups
  3. APT5

APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]

ID: G1023
Associated Groups: Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630
Contributors: @_montysecurity
Version: 1.1
Created: 05 February 2024
Last Modified: 04 April 2025
Version Permalink

Associated Group Descriptions

Name Description
Mulberry Typhoon

[7][2]
MANGANESE

[7][1]
BRONZE FLEETWOOD

[8]
Keyhole Panda

[7][8]
UNC2630

[1]

Campaigns

ID Name First Seen Last Seen References Techniques
C0052 SPACEHOP Activity January 2019 [9] May 2024 [9]

[9]

 Acquire Infrastructure: Virtual Private Server, Exploit Public-Facing Application, Obtain Capabilities: Tool, Proxy: Multi-hop Proxy
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[4]
Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network.[9]
.005 Acquire Infrastructure: Botnet

APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow on activities.[9]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT5 has used the JAR/ZIP file format for exfiltrated files.[4]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT5 has used PowerShell to accomplish tasks within targeted environments.[4]
.003 Command and Scripting Interpreter: Windows Command Shell

APT5 has used cmd.exe for execution on compromised systems.[4]
Enterprise T1554 Compromise Host Software Binary

APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.[3][4]
Enterprise T1136 .001 Create Account: Local Account

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[4]
Enterprise T1074 .001 Data Staged: Local Data Staging

APT5 has staged data on compromised systems prior to exfiltration often in C:\Users\Public.[4]
Enterprise T1190 Exploit Public-Facing Application

APT5 has exploited vulnerabilities in externally facing software and devices including Pulse Secure VPNs and Citrix Application Delivery Controllers.[3][4][1] [2]

SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access.[1][9]
Enterprise T1083 File and Directory Discovery

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[4]
Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.[4]
Enterprise T1070 Indicator Removal

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.[3][4]
.003 Clear Command History

APT5 has cleared the command history on targeted ESXi servers.[4]
.004 File Deletion

APT5 has deleted scripts and web shells to evade detection.[3][4]
.006 Timestomp

APT5 has modified file timestamps.[4]
Enterprise T1056 .001 Input Capture: Keylogging

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[5][6]
Enterprise T1654 Log Enumeration

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4]
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a KB<digits>.zip pattern.[4]
Enterprise T1588 .002 Obtain Capabilities: Tool

SPACEHOP Activity leverages a C2 framework sourced from a publicly-available Github repository for administration of relay nodes.[9]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[4]
.002 OS Credential Dumping: Security Account Manager

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.[4]
Enterprise T1057 Process Discovery

APT5 has used Windows-based utilities to carry out tasks including tasklist.exe. [4]
Enterprise T1055 Process Injection

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.[4]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications.[9]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT5 has moved laterally throughout victim environments using RDP.[4]
.004 Remote Services: SSH

APT5 has used SSH for lateral movement in compromised environments including for enabling access to ESXi host servers.[4]
Enterprise T1053 .003 Scheduled Task/Job: Cron

APT5 has made modifications to the crontab file including in /var/cron/tabs/.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

APT5 has installed multiple web shells on compromised servers including on Pulse Secure VPN appliances.[3][4]
Enterprise T1049 System Network Connections Discovery

APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[4]
Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT5 has used legitimate account credentials to move laterally through compromised environments.[3]
.004 Valid Accounts: Cloud Accounts

APT5 has accessed Microsoft M365 cloud environments using stolen credentials. [4]

Software

ID Name References Techniques
S0032 gh0st RAT [8] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0002 Mimikatz [4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [4] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [4] System Network Connections Discovery
S1109 PACEMAKER [3] Automated Collection, Command and Scripting Interpreter: Unix Shell, Data Staged: Local Data Staging, File and Directory Discovery, OS Credential Dumping: Proc Filesystem, Process Injection: Ptrace System Calls
S1050 PcShare [8] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Component Object Model Hijacking, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Native API, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, Video Capture
S0012 PoisonIvy [6] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S1108 PULSECHECK [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Data Encoding: Standard Encoding, Server Software Component: Web Shell
S1113 RAPIDPULSE [4] Data from Local System, Deobfuscate/Decode Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Server Software Component: Web Shell
S0007 Skeleton Key [8] Modify Authentication Process: Domain Controller Authentication
S1110 SLIGHTPULSE [3][4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Server Software Component: Web Shell
S1104 SLOWPULSE [3] Compromise Host Software Binary, Data Staged: Local Data Staging, Modify Authentication Process: Network Device Authentication, Modify Authentication Process: Multi-Factor Authentication, Multi-Factor Authentication Interception, Obfuscated Files or Information
S0057 Tasklist [4] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References

  1. National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.
  2. Microsoft Threat Intelligence. (2023, September). Digital threats from East Asia increase in breadth and effectiveness. Retrieved February 5, 2024.
  3. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  4. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  5. FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024.
  1. Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024.
  2. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  3. Secureworks CTU. (n.d.). BRONZE FLEETWOOD. Retrieved February 5, 2024.
  4. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.