Skip to main content
Mallory
Back to threat actors
5 malware families

APT-C-01

Also known asapt_c_01poison_vine

APT-C-01, also known as Poison Vine and referred to in one mention as the “Poison Ivy Group,” is an unattributed cyber espionage threat actor. Reporting in the provided content describes its targeting profile as consistent with Southeast Asian or Taiwan-linked intelligence tasking. Chinese reporting further alleges APT-C-01 is one of several groups affiliated with Taiwan’s Information, Communications and Electronic Force Command (ICEFCOM), with claimed U.S. backing, but this attribution is presented as an allegation in the source material. Across the provided content, APT-C-01 is described as conducting espionage and long-duration intelligence collection. Reported targets include government and scientific organizations, and one summary also states Chinese government, military, and maritime organizations were targeted. The group is described as using phishing to compromise victims, followed by malware installation and data exfiltration. One mention notes overlap between APT-C-01 and APT-C-62 in their use of phishing against government and scientific targets. The Chinese report cited in the content characterizes the alleged Taiwan-linked groups, including APT-C-01, as relying on known vulnerabilities, public or open-source resources, commercial tools, and weak anti-tracing practices rather than zero-days or advanced indigenous capabilities. Known aliases in the provided content are APT-C-01 and Poison Vine; one mention also includes GreenSpot, but this alias is only briefly cited.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military
  • Academia & Research

Where they target

Geographies tied to known operations.

  • 🇨🇳 China
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
T1583.006
Web Services
TA0001
Initial Access
2 techniques
T1189
Drive-by Compromise
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0005
Stealth
1 technique
T1036
Masquerading
TA0009
Collection
1 technique
T1213
Data from Information Repositories
TA0011
Command and Control
1 technique
T1219
Remote Access Tools
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Poison IvyEarlier campaigns used legacy Poison Ivy RAT shellcode variants and ZxShell via spear-phishing and watering hole attacks.2May 26, 2026
ZxShellEarlier campaigns used legacy Poison Ivy RAT shellcode variants and ZxShell via spear-phishing and watering hole attacks.2May 26, 2026
Cobalt Strike...deployed remote access tools such as Cobalt Strike or Sliver for remote and persistent access.1Mar 18, 2026
Sliver...retrieved and decrypted a hidden payload—a remote access tool (RAT) based on Sliver, an open-source command-and-control framework.1Mar 18, 2026
Sliver RATInitial Access: Phishing operations using cloned official government and institutional websites, victims directed to convincing replicas that trigger automatic download of malicious payloads. December 2024 campaign delivered Sliver RAT via this mechanism.1May 26, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
cyfirma otherNews
Apr 22, 2026
CHINA CYBERSECURITY THREAT INTELLIGENCE REPORT - CYFIRMA

Unattributed espionage group conducting long-duration intelligence collection against Chinese government, military, maritime, scientific, and academic organizations using cloned websites and malware delivery.

Read more
the hacker newsNews
Jun 9, 2025
⚡ Weekly Recap: Chrome 0-Day, Data Wipers, Misused Tools and Zero-Click iPhone Attacks

One of five Taiwan-attributed APT groups (per CVERC claim) alleged to conduct cyber espionage against mainland China entities; also claimed to have 'close ties' with U.S. Cyber Command and to focus on 'hunt forward' operations.

Read more
scworldNews
Jun 6, 2025
Taiwan alleged to have targeted China with US backing

Targeting government and scientific organizations, allegedly operated by Taiwan's Information, Communications and Electronic Force Command with U.S. assistance.

Read more
register securityNews
Jun 5, 2025
China accuses Taiwan of running five feeble APT gangs, with US help

APT-C-01 is accused of conducting phishing attacks against government and scientific targets, installing malware, and exfiltrating data.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.