Mallory

TA428

Also known as: TA428

TA428 is a China-linked cyber-espionage threat actor. Reporting links TA428 to operations targeting East Asia and Eurasia, including Mongolian targets and military-industrial, government, and public-sector organizations in Belarus, Russia, Ukraine, and Afghanistan. TA428 is also discussed in relation to activity against Southeast Asian government entities and to malware and infrastructure overlaps with other Chinese-aligned clusters.

Aliases directly mentioned in the reporting include Vicious Panda. Some sources note possible or alternative naming overlap with LuckyMouse, Emissary Panda, and APT27, but attribution is described as uncertain in those contexts. TA428 is also discussed as having a notable relationship with the Space Pirates cluster: Positive Technologies reported observing both Space Pirates and TA428 activity on the same infected systems and assessed that the two may share tools, infrastructure, and access to compromised systems.

Malware and tooling attributed to or previously associated with TA428 include PhantomNet (also called SManager and DOWNTOWN), Tmanger, PortDoor, nccTrojan, Logtu, Cotx, DNSep, and the Ladon framework. The reporting states that PhantomNet was previously attributed to TA428, that Tmanger was attributed to TA428 and used one of the ShadowPad C2 servers, and that five of the six backdoors found in one Kaspersky-investigated campaign had been used earlier in attacks attributed by other researchers to TA428.

Observed tradecraft includes DLL side-loading, spear-phishing with malicious Microsoft Word documents exploiting CVE-2017-11882, reconnaissance, credential theft, lateral movement using stolen credentials and the Ladon utility, DLL hijacking, process hollowing, and deployment of multiple backdoors for redundant access.

In the Kaspersky-described 2022 campaign, the attackers ultimately compromised domain controllers, searched for sensitive files, and exfiltrated data in encrypted, password-protected ZIP archives via multi-stage C2 infrastructure, with a second-stage server located in China. The reporting also places TA428 among confirmed Royal Road users and in a Group-B cluster with Trident, Tick, and Tonto, characterized as targeting East Asia, especially Russia, Korea, and Japan. Additional reporting links TA428 to Mongolian targeting through the Able Desktop supply-chain compromise, where Tmanger delivery was associated with TA428 and infrastructure overlapped with ShadowPad.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇲🇳 Mongolia
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic.

7 of 15 tactics covered; 16 technique entries. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)
  • T1195 Supply Chain Compromise
    • T1195.002 Compromise Software Supply Chain

TA0002 Execution (1 technique)
  • T1574 Hijack Execution Flow
    • T1574.001 DLL

TA0005 Stealth (MITRE name: Defense Evasion) (1 technique)
  • T1574 Hijack Execution Flow
    • T1574.001 DLL

TA0006 Credential Access (1 technique)
  • T1056 Input Capture
    • T1056.001 Keylogging

TA0009 Collection (2 techniques)
  • T1056 Input Capture
    • T1056.001 Keylogging
  • T1113 Screen Capture

TA0011 Command and Control (3 techniques)
  • T1008 Fallback Channels
  • T1095 Non-Application Layer Protocol
  • T1573 Encrypted Channel
    • T1573.001 Symmetric Cryptography

TA0010 Exfiltration (1 technique)
  • T1041 Exfiltration Over C2 Channel (×2)
ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

1 additional family tracked in Mallory.

IOCS

Observables

8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.


ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
