Mallory
China 🇨🇳 (CN) · 16 malware families · Exploits CVEs in the wild

APT5

Also known as: APT5, ATG48, Auriga, Backdoor-DPD, Bottle, BRONZE FLEETWOOD, COVENANT, CYSERVICE, KEYHOLE PANDA, MANGANESE, Mulberry Typhoon, Red Horus, Red Naga, tabcteng, TG-2754, UNC2630

APT5 is a Chinese threat actor. Reporting describes it as a Chinese hacking collective and says the group conducting the related attacks may be working for the Chinese government. Known aliases include ATG48, Auriga, Backdoor-DPD, Bottle, Bronze Fleetwood, Covenant, Cyservice, Keyhole Panda, Manganese, Mulberry Typhoon, Red Horus, Red Naga, TABCTENG, TG-2754, and UNC2630.

Reporting links APT5 to intrusions involving Pulse Secure VPN appliances and cloud environments. The group modified legitimate Pulse Secure VPN binaries and scripts, including DSUpgrade.pm, to install the ATRIUM web shell for persistence. It used the CLEANPULSE utility to insert command-line strings into targeted processes, altering their functionality and suppressing certain log events, and used THINBLOOD to clear SSL VPN log files under /home/runtime/logs. Other defense-evasion behaviour includes modifying file timestamps and deleting scripts and web shells.

Operationally, APT5 staged data on compromised systems before exfiltration, often in C:\Users\Public, and at times named exfiltration archives to mimic Windows Updates using KB<digits>.zip-style filenames. It ran cmd.exe, PowerShell, and Windows utilities such as tasklist.exe on compromised systems, moved laterally via RDP, and accessed Microsoft 365 (M365) cloud environments with stolen credentials. Reported targeting in connection with the Pulse Secure exploitation activity includes government agencies, defense companies, financial institutions, and organizations in the defense industrial sector in the US and Europe.
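The staging and masquerading behaviour above (archives written under C:\Users\Public, KB<digits>.zip filenames that imitate update packages, command shells producing archives) is the kind of thing a file-creation analytic can surface before the data leaves. The Python below is an added example written for this page, not Mallory's or any vendor's detection content. The event records and hostnames are constructed, and the Sysmon Event ID 11 style field names (`host`, `process`, `path`) are an assumption about the telemetry schema; adapt them to your own log source.

```python
import re
from dataclasses import dataclass, field

# Constructed file-creation events in a Sysmon Event ID 11 style.
# Hostnames, paths and processes are made up for this example; the
# field names are an assumed schema, not any product's real format.
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "process": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\Public\KB5012345.zip"},
    {"host": "ws01", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\Public\Documents\staging\export.7z"},
    {"host": "ws02", "process": r"C:\Program Files\7-Zip\7zFM.exe",
     "path": r"C:\Users\alice\Documents\photos.zip"},
    {"host": "ws03", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\SoftwareDistribution\Download\KB5012345.cab"},
    {"host": "ws01", "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\Public\notes.txt"},
]

# C:\Users\Public on any drive letter, as the directory itself or anything beneath it.
PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public(\\|$)", re.IGNORECASE)
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".cab", ".tar", ".gz")
# Windows Update never writes KB<digits>.zip; real update artifacts are .msu/.cab files,
# so a zip with that naming pattern is a masquerade signal wherever it appears.
KB_MASQUERADE = re.compile(r"^kb\d+\.zip$", re.IGNORECASE)
COMMAND_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    host: str
    path: str
    reasons: list = field(default_factory=list)


def _basename(windows_path):
    """Last path component of a Windows path."""
    return windows_path.rsplit("\\", 1)[-1]


def assess_file_event(event):
    """Return a Finding if the event matches any staging/masquerade rule, else None."""
    path = event["path"]
    name = _basename(path)
    writer = _basename(event["process"]).lower()
    is_archive = name.lower().endswith(ARCHIVE_EXTENSIONS)
    reasons = []
    if is_archive and PUBLIC_DIR.match(path):
        reasons.append("archive written under C:\\Users\\Public (known staging location)")
    if KB_MASQUERADE.match(name):
        reasons.append("KB<digits>.zip name mimics a Windows Update package")
    if is_archive and writer in COMMAND_SHELLS:
        reasons.append(f"archive created by a command shell ({writer})")
    if not reasons:
        return None
    return Finding(host=event["host"], path=path, reasons=reasons)


def scan_file_events(events):
    """Run the rules over a batch of events and return the findings in input order."""
    return [f for f in (assess_file_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_file_events(SAMPLE_FILE_EVENTS):
        print(f"{finding.host}: {finding.path}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Each rule contributes a reason rather than a verdict, so a single event can stack several weak signals (public-directory archive, update-style name, shell as the writer) into one finding worth triaging, while a user zipping photos in their own profile produces nothing.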

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics, 62 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  • T1592 Gather Victim Host Information

TA0042 Resource Development (1 technique)
  • T1608 Stage Capabilities (×2)
    • T1608.001 Upload Malware
    • T1608.002 Upload Tool

TA0001 Initial Access (4 techniques)
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts (×6)
  • T1133 External Remote Services (×2)
  • T1190 Exploit Public-Facing Application (×16)
  • T1195 Supply Chain Compromise

TA0002 Execution (5 techniques)
  • T1053 Scheduled Task/Job
    • T1053.003 Cron
  • T1059 Command and Scripting Interpreter
    • T1059.001 PowerShell (×8)
    • T1059.003 Windows Command Shell (×3)
  • T1129 Shared Modules
  • T1203 Exploitation for Client Execution
  • T1574 Hijack Execution Flow (×2)

TA0003 Persistence (8 techniques)
  • T1053 Scheduled Task/Job
    • T1053.003 Cron
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts (×6)
  • T1098 Account Manipulation
  • T1133 External Remote Services (×2)
  • T1136 Create Account (×2)
    • T1136.001 Local Account (×3)
  • T1505 Server Software Component
    • T1505.003 Web Shell (×6)
    • T1505.004 IIS Components
  • T1546 Event Triggered Execution
  • T1556 Modify Authentication Process

TA0004 Privilege Escalation (5 techniques)
  • T1053 Scheduled Task/Job
    • T1053.003 Cron
  • T1055 Process Injection (×3)
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts (×6)
  • T1098 Account Manipulation
  • T1546 Event Triggered Execution

TA0005 Stealth (6 techniques)
  • T1027 Obfuscated Files or Information
    • T1027.005 Indicator Removal from Tools
  • T1036 Masquerading
  • T1055 Process Injection (×3)
  • T1070 Indicator Removal (×7)
    • T1070.001 Clear Windows Event Logs
    • T1070.004 File Deletion (×6)
    • T1070.006 Timestomp
  • T1078 Valid Accounts (×3)
    • T1078.004 Cloud Accounts (×6)
  • T1574 Hijack Execution Flow (×2)

TA0112 Defense Impairment (1 technique)
  • T1556 Modify Authentication Process

TA0006 Credential Access (3 techniques)
  • T1003 OS Credential Dumping
  • T1556 Modify Authentication Process
  • T1621 Multi-Factor Authentication Request Generation

TA0007 Discovery (3 techniques)
  • T1012 Query Registry
  • T1057 Process Discovery
  • T1518 Software Discovery

TA0008 Lateral Movement (1 technique)
  • T1021 Remote Services
    • T1021.001 Remote Desktop Protocol (×2)
    • T1021.004 SSH

TA0009 Collection (3 techniques)
  • T1074 Data Staged
  • T1213 Data from Information Repositories
  • T1560 Archive Collected Data

TA0011 Command and Control (1 technique)
  • T1572 Protocol Tunneling
WEAPONIZED

Associated vulnerabilities

11 CVEs this actor has used in observed campaigns. 11 of them exploited in the wild.

CVE-2021-22893: Authentication Bypass RCE in Pulse Connect Secure (in the wild; evidence: 3)

"...newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet." ... "Ivanti ... has released temporary mitigations to address the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10)"

CVE-2022-27518: Unauthenticated RCE in Citrix ADC and Citrix Gateway SAML (in the wild; evidence: 2)

On Tuesday, December 13, a joint announcement from the United States NSA and Citrix announced a zero-day vulnerability in Citrix ADC. The vulnerability (CVE-2022-27518) is a critical unauthenticated Remote Code Execution (RCE) issue currently rated as CVSS 9.8. Patches are already available from Citrix. The NSA attributes the zero-day to APT5, a Chinese hacking collective.

CVE-2025-9491: Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability (in the wild; evidence: 2)

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
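A process-lineage check for the Explorer.exe to cmd.exe/PowerShell pattern that analytic describes, as an added example written for this page rather than Mallory's or any vendor's rule. The events and hostnames are constructed, and the Sysmon Event ID 1 style field names (`parent_image`, `image`, `command_line`) are an assumption about the telemetry schema. A shortcut launch is not directly visible in a process-creation record, so the check keys on the parent/child pair and raises the score when the arguments use the hidden-window or encoded-command switches that commonly accompany a malicious shortcut target.

```python
# Constructed process-creation events in a Sysmon Event ID 1 style.
# Hostnames and command lines are made up; the field names are an assumed schema.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c start /min powershell -w hidden -enc SQBFAFgA'},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"powershell.exe" -NoProfile -File C:\Users\bob\scripts\backup.ps1'},
    {"host": "ws03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\bob\todo.txt'},
    {"host": "ws04", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Scripts\cleanup.bat"'},
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Argument patterns that hide the window or encode the payload; each one raises the score.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "/c start")


def _basename(windows_path):
    """Lower-cased last component of a Windows path."""
    return windows_path.rsplit("\\", 1)[-1].lower()


def score_process_event(event):
    """Return (score, reasons). A score of 0 means the event does not match the analytic."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    if parent != "explorer.exe" or child not in SHELL_IMAGES:
        return 0, []
    reasons = [f"{child} spawned directly by explorer.exe (consistent with a shortcut launch)"]
    score = 1
    command_line = event["command_line"].lower()
    for marker in SUSPICIOUS_ARGS:
        if marker in command_line:
            reasons.append(f"command line contains {marker!r}")
            score += 1
    return score, reasons


def scan_process_events(events, min_score=1):
    """Return hits with score >= min_score; raise min_score to suppress benign shortcut use."""
    hits = []
    for event in events:
        score, reasons = score_process_event(event)
        if score >= min_score:
            hits.append({"host": event["host"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{hit['host']} score={hit['score']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

With the default threshold the user who double-clicks a shortcut to a maintenance script (ws02) is reported alongside the hidden, encoded launch (ws01); setting `min_score=2` keeps only the latter, which is the usual tuning step for this parent/child pair in an environment where shortcut-launched shells are routine.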

CVE-2019-11510: Pulse Secure Pulse Connect Secure Arbitrary File Read Vulnerability (in the wild; evidence: 1)

"By exploiting multiple Pulse Secure VPN weaknesses (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893), UNC2630 is said to have harvested login credentials..." ... "...advisory, warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510..."

CVE-2021-31207: Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell) (in the wild; evidence: 1)

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

6 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

17 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (43)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (16)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (11)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (17)

Domains, IPs, and hashes tied to this actor, refreshed continuously.