APT4
APT4 is a Chinese state-affiliated threat actor. The provided content maps APT4 to Microsoft's Salmon Typhoon name and states that Salmon Typhoon is also known as SODIUM and Maverick Panda. The actor is described as a sophisticated Chinese espionage group and is associated with malware such as Win32/Wkysol.

Microsoft and OpenAI reporting cited in the content states that Salmon Typhoon used LLM services in 2023 for exploratory reconnaissance on sensitive topics (geopolitics, high-profile individuals, intelligence agencies, regional threat actors, and cybersecurity topics); for translating technical papers; for retrieving publicly available information on multiple intelligence agencies and regional threat actors; for coding assistance and coding error resolution; and for researching common ways processes could be hidden on a system. The content also states that the model declined requests for support in developing potentially malicious code, and that the associated accounts and assets were disabled.

Separately, the content notes that APT4 has been observed using XMRig. Known aliases in the provided content are APT4, Salmon Typhoon, SODIUM, and Maverick Panda.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced only as another threat actor observed using XMRig.
China-linked nation-state threat actor listed in Microsoft's naming taxonomy mapping.
Referenced as a resurgent Chinese espionage group (no specific Pulse Secure tradecraft attributed in this text beyond general resurgence).
Listed as a China-linked named cluster; no additional operational detail provided in the content beyond inclusion in an APT group list.