🇨🇳 CN · 9 malware families

APT1

Also known as: APT1, Comment Crew, Comment Group, Comment Panda, pla_unit_61398

APT1 is a Chinese state actor assessed in Mandiant's 2013 report "APT1: Exposing One of China's Cyber Espionage Units" as PLA Unit 61398. Known aliases include Comment Crew, Comment Group, Comment Panda, and PLA Unit 61398. Reporting describes APT1 as an espionage-focused threat actor linked to breaches at hundreds of victim organizations, with attribution supported in part by "Chinese (Simplified) - US" keyboard layout artifacts. Reported tradecraft includes:

  • spearphishing and phishing emails as the initial access vector;
  • the Windows command shell and batch scripts to automate execution and discovery;
  • network configuration discovery with ipconfig /all and process discovery with tasklist /v;
  • credential dumping;
  • collection of files from local victim systems;
  • RDP during operations;
  • malware named to resemble legitimate software, such as AcroRD32.exe;
  • publicly available or open-source malware and tools for privilege escalation.

Reporting also notes infrastructure tradecraft associated with APT1: varied domain registration information, different registrars, and private WHOIS services, all used to hinder tracking.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

38 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics, 52 techniques. ×N = number of intelligence reports citing this technique.
TA0042 Resource Development (5 techniques)
  • T1583 Acquire Infrastructure
    • T1583.001 Domains ×4
    • T1583.002 DNS Server
  • T1584 Compromise Infrastructure
  • T1585 Establish Accounts
    • T1585.002 Email Accounts
  • T1587 Develop Capabilities
    • T1587.001 Malware ×2
  • T1588 Obtain Capabilities
    • T1588.001 Malware ×2
    • T1588.002 Tool ×4

TA0001 Initial Access (2 techniques)
  • T1078 Valid Accounts
  • T1566 Phishing ×5
    • T1566.001 Spearphishing Attachment ×28
    • T1566.002 Spearphishing Link ×8

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter ×2
    • T1059.003 Windows Command Shell ×2
  • T1204 User Execution
    • T1204.001 Malicious Link
    • T1204.002 Malicious File

TA0003 Persistence (2 techniques)
  • T1078 Valid Accounts
  • T1547 Boot or Logon Autostart Execution
    • T1547.001 Registry Run Keys / Startup Folder

TA0004 Privilege Escalation (2 techniques)
  • T1078 Valid Accounts
  • T1547 Boot or Logon Autostart Execution
    • T1547.001 Registry Run Keys / Startup Folder

TA0005 Stealth (3 techniques)
  • T1036 Masquerading ×3
  • T1070 Indicator Removal
    • T1070.004 File Deletion
  • T1078 Valid Accounts

TA0006 Credential Access (2 techniques)
  • T1003 OS Credential Dumping ×2
    • T1003.001 LSASS Memory
  • T1649 Steal or Forge Authentication Certificates

TA0007 Discovery (5 techniques)
  • T1007 System Service Discovery
  • T1016 System Network Configuration Discovery ×3
  • T1057 Process Discovery ×2
  • T1082 System Information Discovery ×2
  • T1087 Account Discovery

TA0008 Lateral Movement (2 techniques)
  • T1021 Remote Services
    • T1021.001 Remote Desktop Protocol ×5
  • T1550 Use Alternate Authentication Material
    • T1550.002 Pass the Hash

TA0009 Collection (4 techniques)
  • T1005 Data from Local System ×3
  • T1119 Automated Collection
  • T1213 Data from Information Repositories
  • T1560 Archive Collected Data

TA0011 Command and Control (3 techniques)
  • T1001 Data Obfuscation
  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer ×2

TA0010 Exfiltration (2 techniques)
  • T1020 Automated Exfiltration
  • T1041 Exfiltration Over C2 Channel
IOCS

Observables

10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: sector and geo overlap with your footprint, the IOCs they're burning right now, detection coverage, and what to do next.

  • Target overlap: match sector + geo + tech-stack targeting against your real footprint.
  • Tradecraft mapping (38): every observed MITRE ATT&CK technique, grouped by tactic.
  • Malware arsenal (9): families this actor is known to deploy, with IOCs and behavior.
  • Exploited CVEs: CVEs this actor has used in known campaigns.
  • Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
  • Observables (10): domains, IPs, and hashes tied to this actor, refreshed continuously.