Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

chinese_apt

Also known asChinese APT

A Chinese advanced persistent threat (APT) actor (unspecified group) assessed to be conducting cyber espionage and actively exploiting vulnerabilities in the wild. The actor is reported exploiting CVE-2025-20393, a critical zero-day in Cisco AsyncOS Software used by Cisco Secure Email Gateway products (CVSS 10.0), and the activity is referenced in the CISA Known Exploited Vulnerabilities (KEV) catalog. Separately, reporting notes overlap among Chinese APT groups via shared use of multiple malware families—Zingdoor, ShadowPad, and KrustyLoader—used in global cyber espionage campaigns targeting organizations worldwide, indicating sophisticated and wide-reaching operations. No specific aliases or sub-groups are identified in the provided content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
IOCS

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

6 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
eclypsium blogNews
Dec 19, 2025
Cisco Secure Email Gateway Under Siege: CVE-2025-20393 (CVSS 10) Exploited in the Wild by Chinese APT

Exploiting a critical zero-day vulnerability (CVE-2025-20393) in Cisco AsyncOS Software for networking gear, specifically targeting Cisco Secure Email Gateway.

Read more
security online infoNews
Oct 23, 2025
Symantec Exposes Chinese APT Overlap: Zingdoor, ShadowPad, and KrustyLoader Used in Global Espionage

Engaged in global espionage operations using a variety of malware tools.

Read more
anthropicNews
Oct 3, 2025
Building AI for cyber defenders

Engaged in complex espionage operations, including targeting critical telecommunications infrastructure, and leveraging AI models to scale operations.

Read more
security online infoNews
Sep 30, 2025
Zero-Day PoC Published: Privilege Escalation Flaw in VMware Tools Used by Chinese APT

A Chinese APT is leveraging a privilege escalation vulnerability in VMware Tools, for which a zero-day proof-of-concept has been published.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables6

Domains, IPs, and hashes tied to this actor, refreshed continuously.