China🇨🇳 CN46 malware familiesExploits CVEs in the wild

Threat Group-3390

Also known asAPT27BOWSERBRONZE UNIONCircle TyphoonDEV-0322Earth Smilodonemissary_pandaemissarypandaHippoIODINEIron Tigeriron_taurusLinen Typhoonlucky_mouseluckymouseRed PhoenixTG-3390Threat Group-3390Wekby2

Threat Group-3390 is a China-linked espionage threat actor assessed by SecureWorks CTU as likely based in the People’s Republic of China. It is also tracked as APT27 and BRONZE UNION, with aliases including Emissary Panda, LuckyMouse/Lucky Mouse, Linen Typhoon, Iron Tiger, Iron Taurus, Earth Smilodon, Circle Typhoon, Bowser, Red Phoenix, Wekby2, DEV-0322, TG-3390, and Threat Group-3390. CTU described the group as active and capable, focused on gathering defense, security, and political intelligence. Reported targeting includes aerospace, government, defense, technology, energy, manufacturing, banking, academic, media, and utilities organizations. The content specifically notes targeting of Turkish government, banking, and academic networks, U.S.-based defense manufacturers, a governmental entity in the Middle East via Exchange ProxyLogon exploitation, and use of SharePoint vulnerabilities by China-linked groups including Linen Typhoon to steal intellectual property. Observed tradecraft includes strategic web compromises and exploitation of vulnerable Internet-facing services, including JBOSS-based service desk software and Exchange ProxyLogon. After access, the group rapidly collected credentials, escalated privileges, deployed multiple web shells, conducted internal reconnaissance, moved laterally, established persistence, staged data, and exfiltrated archives. CTU reported use of OwaAuth, China Chopper, Rcmd, Wrapikatz, Netview, and a likely Kekeo-derived credential abuse tool, along with Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor. The group has used command-line interfaces, PowerShell, WMI to execute binaries, and native Windows features such as PowerShell remoting and WinRM. The content attributes several ATT&CK-style behaviors to Threat Group-3390: delivery via malicious email attachments; persistence through Registry Run keys under Software\Microsoft\Windows\CurrentVersion\Run; reading and decrypting stored Registry values; compiling archives of file types of interest from victim directories; locally staging encrypted archives; moving staged encrypted archives to previously compromised Internet-facing servers with China Chopper before exfiltration; deleting logs and exfiltrated file archives; and disabling IIS HTTP logging with appcmd before deleting logs. CTU also reported password-protected RAR archives renamed as .tmp files for staging and later exfiltration. More recently, the content describes APT27 as PRC-nexus and states it used Gemini to accelerate development of fleet management tooling for an operational relay box (ORB) network, an anonymizing infrastructure using 4G or 5G SIM cards on routers and mobile gateways to launder traffic through residential IP space.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Academia & Research
Independent Media
Financial Services
Health Care Equipment & Services
Military

Where they target

Geographies tied to known operations.

🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

61 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics82 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1587

Develop Capabilities

T1587.001×3

Malware

T1587.004

Exploits

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

6 techniques

T1078×2

Valid Accounts

T1091

Replication Through Removable Media

T1189

Drive-by Compromise

T1190×8

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1195.002

Compromise Software Supply Chain

T1566

Phishing

T1566.001

Spearphishing Attachment

TA0002

Execution

5 techniques

T1047

Windows Management Instrumentation

T1059

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×2

Windows Command Shell

T1204

User Execution

T1204.002

Malicious File

T1559

Inter-Process Communication

T1559.001

Component Object Model

T1574

Hijack Execution Flow

T1574.001

DLL

TA0003

Persistence

5 techniques

T1078×2

Valid Accounts

T1112×3

Modify Registry

T1505

Server Software Component

T1505.003×2

Web Shell

T1543

Create or Modify System Process

T1543.003

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

3 techniques

T1078×2

Valid Accounts

T1543

Create or Modify System Process

T1543.003

Windows Service

T1547

Boot or Logon Autostart Execution

T1547.001×4

Registry Run Keys / Startup Folder

TA0005

Stealth

5 techniques

T1027×3

Obfuscated Files or Information

T1027.002

Software Packing

T1027.013

Encrypted/Encoded File

T1070×3

Indicator Removal

T1070.004×4

File Deletion

T1078×2

Valid Accounts

T1140

Deobfuscate/Decode Files or Information

T1574

Hijack Execution Flow

T1574.001

DLL

TA0112

Defense Impairment

1 technique

T1112×3

Modify Registry

TA0006

Credential Access

4 techniques

T1003×2

OS Credential Dumping

T1040

Network Sniffing

T1557

Adversary-in-the-Middle

T1558

Steal or Forge Kerberos Tickets

TA0007

Discovery

9 techniques

T1012

Query Registry

T1016×2

System Network Configuration Discovery

T1018×3

Remote System Discovery

T1033

System Owner/User Discovery

T1040

Network Sniffing

T1046×2

Network Service Discovery

T1057

Process Discovery

T1083×2

File and Directory Discovery

T1087

Account Discovery

TA0008

Lateral Movement

3 techniques

T1021

Remote Services

T1021.006

Windows Remote Management

T1091

Replication Through Removable Media

T1570

Lateral Tool Transfer

TA0009

Collection

8 techniques

T1005×2

Data from Local System

T1074×3

Data Staged

T1113

Screen Capture

T1114

Email Collection

T1185

Browser Session Hijacking

T1213

Data from Information Repositories

T1557

Adversary-in-the-Middle

T1560×3

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001×3

Web Protocols

T1090

Proxy

T1090.001

Internal Proxy

T1090.002

External Proxy

T1090.003×2

Multi-hop Proxy

T1105

Ingress Tool Transfer

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1567

Exfiltration Over Web Service

T1567.002

Exfiltration to Cloud Storage

ARSENAL

Associated malware families

46 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

HyperBroВ качестве полезной нагрузки, которая была встроена в инсталляторы, исследователи называют бэкдоры HyperBro и Korplug (PlugX).7May 26, 2026

China ChopperThreat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.6May 26, 2026

PlugXInside: captive-portal Wi-Fi Pineapples that bypass MFA, PlugX side-loading through legitimate apps, and the USB worm that jumps air-gapped military networks.6May 28, 2026

MimikatzAPT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.4May 26, 2026

HTTPBrowserBRONZE UNION previously used this technique to enable execution of PlugX and HttpBrowser tools in a way that is challenging for network defenders to detect.3May 26, 2026

41 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

33 CVEs this actor has used in observed campaigns. 33 of them exploited in the wild.

CVE-2025-53770ToolShell unauthenticated RCE in Microsoft SharePoint ServerIn the wildEvidence8

China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... ToolShell affects on-premise SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems.

CVE-2025-49704Remote Code Execution in Microsoft Office SharePointIn the wildEvidence6

According to Microsoft, cyber threat actors have chained CVE-2025-49706 (a network spoofing vulnerability) and CVE-2025-49704 (a remote code execution (RCE) vulnerability) in an exploit chain known as “ToolShell” to gain unauthorized access to on-premise SharePoint servers.

CVE-2025-49706Improper authentication spoofing vulnerability in Microsoft Office SharePointIn the wildEvidence6

CVE-2025-53771Microsoft SharePoint ToolShell path traversal spoofing vulnerabilityIn the wildEvidence6

Microsoft has not confirmed exploitation of CVE-2025-53771; however, CISA assesses exploitation is likely because it can be chained with CVE-2025-53770 to bypass previously disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706.

CVE-2021-35211RCE in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTPIn the wildEvidence5

"During multiple incident response investigations, NCC Group found that a vulnerable version of SolarWinds Serv-U server appeared to be the initial access used by TA505... The vulnerability being exploited is known as CVE-2021-35211."

28 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

144 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

144 IOCsView more in app

Domains

61 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+53

ip.v4

37 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+29

hash.sha256

35 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+27

hash.sha1

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha512

3 total

•••••••••••••••••••••••••••

hash.md5

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

malware newsNews

May 29, 2026

The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

PRC-linked actor using Gemini to accelerate development of ORB fleet-management tooling for anonymized operational infrastructure.

detectNews

May 29, 2026

The AI-Embedded SOC: An Operating Model for the Asymmetry Era | by Omar Tarek Zayed | May, 2026 | Detect FYI

Uses Gemini to accelerate development of fleet management tooling for an ORB network used to anonymize and launder traffic through residential IP space.

ahnlab asec blogNews

May 27, 2026

The proliferation and evolution of AI-powered hacking tools - how generative AI has changed the cyber attack ecosystem and response strategies - ASEC

Using AI to accelerate development of ORB network management infrastructure used to anonymize and conceal attack origin.

dark readingNews

May 26, 2026

Microsoft Issues Out-of-Band SharePoint Patch

Exploited SharePoint vulnerabilities to steal intellectual property.

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping61

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal46

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs33

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables144

Domains, IPs, and hashes tied to this actor, refreshed continuously.