CamoFei
CamoFei is a China-associated threat actor that TeamT5 assesses to have been active since at least 2019. TeamT5 linked the group to the use of a stolen digital certificate attributed to “coolschool,” which was also used to sign Cobalt Strike and BYOVD-related malware uploaded to VirusTotal, and reported that the group has conducted espionage, denial-of-service, and ransomware operations. TeamT5 also reported that the group’s CatB ransomware payload was signed with the same “coolschool” certificate. SentinelOne tracks a related activity cluster as ChamelGang and has reported attacks against organizations in the U.S., Brazil, India, Russia, Taiwan, and Japan, including the Presidency of Brazil and the All-India Institute of Medical Sciences (AIIMS). More recent reporting links Warlock ransomware activity that exploited a Microsoft SharePoint zero-day to a longer-running China-based nexus associated with CamoFei/ChamelGang. Tradecraft observed across the linked activity includes DLL sideloading, custom command-and-control infrastructure, and BYOVD-based defense evasion in which a renamed vulnerable 2016 Baidu antivirus driver was used to disable security software.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- CN
Associated malware families
3 malware families attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linked to ransomware activity impacting US firms and exploiting a SharePoint zero-day.
China-nexus group (per TeamT5/SentinelOne) active since at least 2019 spanning espionage, DDoS, and ransomware; associated with the stolen "coolschool" certificate used to sign Cobalt Strike/BYOVD tooling and the CatB ransomware payload; described as targeting multiple countries and high-profile entities.