Skip to main content
Mallory
Back to threat actors
China🇨🇳 CN

APT26

Also known asAPT26BEARCLAWJerseyMikesRed KoboldTaffeta TyphoonTECHNETIUMTG-0055TURBINE PANDA

APT26 is a China-linked cyberespionage threat actor also referred to in the provided content as Taffeta Typhoon, Turbine Panda, BearClaw, JerseyMikes, Red Kobold, Technetium, and TG-0055. The content links APT26 to the Jiangsu Province Ministry of State Security / Jiangsu MSS Bureau, including a 2018 U.S. indictment and a 2019 CrowdStrike report. It describes the group as conducting cyberespionage, including operations from 2010 to 2015 against companies supplying COMAC C919 components and against U.S. and European jet-engine manufacturers, with the apparent objective of stealing commercial and aerospace trade-secret information to benefit China’s state-owned aerospace sector. The content specifically notes targeting aligned with Jiangsu’s aerospace industry priorities. Tradecraft directly mentioned in the content includes use of malware/tooling associated with the keywords "hide" and "install."

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1589
Gather Victim Identity Information
TA0009
Collection
1 technique
T1005
Data from Local System
ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
itifNews
Jun 15, 2026
COMAC: China’s Looming Threat to the Global Aviation Industry | Reports & Briefings | Jun 15, 2026 | ITIF

Conducted cyberespionage against aerospace companies supplying components for COMAC’s C919 program.

Read more
natto thoughts blogNews
Dec 16, 2025
The Many Arms of the MSS: Why Provincial Bureaus Matter in China’s Cyber Operations

APT26 is known for cyber intrusions and intellectual property theft, particularly targeting aerospace and jet engine manufacturers in the US and Europe, supporting China's domestic aerospace industry, especially the C919 airliner project.

Read more
wikipedia cyber incidentsNews
Jan 20, 2010
Advanced persistent threat - Wikipedia

Listed as a China-linked APT group; no additional operational detail provided in the content beyond inclusion in an APT group list.

Read more
eth zurich newsNews
Mar 18, 2026

China-linked espionage actor referenced as associated with the Jiangsu MSS branch and described as focused on online intellectual property theft; also discussed in the context of MSS using MPS cover/co-location for operations.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.

APT26 | Mallory