Mallory
🇨🇳 CN | 3 malware families

SixLittleMonkeys

Also known as: sixlittlemonkeys

SixLittleMonkeys is a Chinese-speaking / China-aligned APT cluster that has targeted diplomatic and government entities, particularly in Central Asia, and has also been reported targeting entities in Russia, Belarus, Mongolia, and the Middle East. The group is also referred to as Microcin. Kaspersky attributed a campaign against diplomatic targets to SixLittleMonkeys; it used steganography to deliver modules via the legitimate image-hosting service Cloudinary. The actor is best known for deploying Gh0st RAT and the Mikroceen/Microcin Trojan, and Kaspersky reported finding new samples linked to Microcin, which it described as a Trojan used exclusively by SixLittleMonkeys. Kaspersky also assessed with medium confidence that the B&W malware is related to SixLittleMonkeys. Reporting further notes overlaps between Webworm and China-nexus clusters tracked as FishMonger, SixLittleMonkeys, and Space Pirates, but does not establish that they are the same actor.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (3)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.
