Group
ID G0018

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

## Alias Descriptions

• System Information Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: `ver >> %temp%\download` and `systeminfo >> %temp%\download`. [1]
• Account Discovery - admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: `net user >> %temp%\download` and `net user /domain >> %temp%\download`. [1]
• System Service Discovery - admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: `net start >> %temp%\download`. [1]
• Masquerading - admin@338 actors used the following command to rename one of their tools to a benign file name: `ren "%temp%\upload" audiodg.exe`. [1]
• File and Directory Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: `dir c:\ >> %temp%\download`, `dir "c:\Documents and Settings" >> %temp%\download`, `dir "c:\Program Files\" >> %temp%\download`, and `dir d:\ >> %temp%\download`. [1]
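The commands above share a detectable shape: several distinct discovery commands appending their output to one file under `%temp%`, plus a rename of a `%temp%` file to `audiodg.exe`. The following added detection example (not from the page or the cited report) correlates that pattern over process-creation command lines; the host names and event list are constructed sample data, and the `(host, cmdline)` shape is an assumption about how a collector would hand over Sysmon Event ID 1 or Windows 4688 records.

```python
import re
from collections import defaultdict

# Discovery commands the page attributes to admin@338 after a LOWBALL compromise.
DISCOVERY = ("ver", "systeminfo", "net user", "net start", "dir")
# Output appended into a file under %temp%, e.g. ">> %temp%\download".
APPEND_TO_TEMP = re.compile(r'>>\s*"?%temp%\\(?P<file>[^\s"]+)', re.IGNORECASE)
# Rename of a %temp% file to the benign-looking audiodg.exe.
RENAME_TO_AUDIODG = re.compile(r'^\s*ren\s+"?%temp%\\\S+"?\s+audiodg\.exe', re.IGNORECASE)


def classify(cmdline):
    """Return ('discovery', cmd, file), ('masquerade', 'ren', None) or None."""
    m = APPEND_TO_TEMP.search(cmdline)
    if m:
        head = cmdline.strip().lower()
        for cmd in DISCOVERY:
            if head.startswith(cmd):
                return ("discovery", cmd, m.group("file").lower())
    if RENAME_TO_AUDIODG.match(cmdline):
        return ("masquerade", "ren", None)
    return None


def score_hosts(events, min_distinct=3):
    """events: iterable of (host, cmdline). A host is flagged when at least
    min_distinct different discovery commands append to the same %temp% file
    (a single redirected 'dir' by an admin stays below the bar), or when the
    audiodg.exe rename is seen at all."""
    per_file = defaultdict(set)   # (host, temp file) -> discovery commands seen
    masquerade_hosts = set()
    for host, cmd in events:
        hit = classify(cmd)
        if hit is None:
            continue
        kind, name, temp_file = hit
        if kind == "discovery":
            per_file[(host, temp_file)].add(name)
        else:
            masquerade_hosts.add(host)
    flagged = {}
    for (host, temp_file), cmds in per_file.items():
        if len(cmds) >= min_distinct:
            flagged.setdefault(host, []).append(
                "discovery output collected into %temp%\\" + temp_file + ": " + ", ".join(sorted(cmds)))
    for host in masquerade_hosts:
        flagged.setdefault(host, []).append("%temp% file renamed to audiodg.exe")
    return flagged


SAMPLE_EVENTS = [  # constructed sample data, not taken from the cited report
    ("ws01", r"ver >> %temp%\download"),
    ("ws01", r"systeminfo >> %temp%\download"),
    ("ws01", r"net user /domain >> %temp%\download"),
    ("ws01", r'dir "c:\Program Files\" >> %temp%\download'),
    ("ws01", r'ren "%temp%\upload" audiodg.exe'),
    ("ws02", "systeminfo"),                       # interactive use, no redirect
    ("ws02", r"dir c:\ >> %temp%\listing.txt"),   # one command, below threshold
]
```

Running `score_hosts(SAMPLE_EVENTS)` flags only `ws01`, with one finding for the collection file and one for the rename.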