绿斑
绿斑 is an APT threat actor tracked by Antiy Emergency Response Center and assessed by Antiy as linked to authorities in Taiwan. Antiy states that it observed the group attacking specific industry targets in China in the second half of 2024, with the apparent objectives of persistent access, long-term host control, lateral movement, and information theft. Antiy also states that it had previously reported on 绿斑 in September 2018 and assessed the group's activity as dating back to 2007.

In the described campaign, 绿斑 sent spear-phishing emails from official-looking accounts to lure victims to a malicious website impersonating a government information-disclosure page. The site redirected victims to download a decoy file presented as a PDF that was actually a C# executable downloader. The downloader retrieved an encrypted payload disguised as an MP4/MOV file, decrypted it with AES using fixed key and IV values, decompressed it with GZip, and executed it in memory via delegate and unmanaged-code techniques. The payload included anti-debugging functionality.

Antiy assessed the final payload to be generated by the open-source Sliver C2 framework, citing code similarity and a matching TLS JA3 fingerprint (19e29534fd49dd27d09234e639c4057e). The reporting maps the activity to 25 MITRE ATT&CK techniques across 10 stages: reconnaissance, resource development, initial access, execution, defense evasion, discovery, collection, command and control, exfiltration, and impact. The only alias in the provided content is 绿斑.
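As an added triage example (not Antiy's code and not part of the Mallory page), the following Python flags the two file masquerades described above: a "PDF" that is really a .NET PE, and an "MP4/MOV" that has no ftyp box and shows the near-uniform byte distribution of an AES-encrypted blob. The fixed key and IV are not given on the page, so the script classifies rather than decrypts; the sample PE header and blob are constructed inline.

```python
import math
import os
import struct
from collections import Counter

def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE image whose CLI (.NET) header directory is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]         # 0x10B PE32, 0x20B PE32+
    n_dirs_off, dirs_off = (opt + 92, opt + 96) if magic == 0x10B else (opt + 108, opt + 112)
    if dirs_off + 15 * 8 > len(data) or struct.unpack_from("<I", data, n_dirs_off)[0] < 15:
        return False
    rva, size = struct.unpack_from("<II", data, dirs_off + 14 * 8)  # entry 14 = CLI header
    return rva != 0 and size != 0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means a perfectly uniform distribution, typical of ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(name: str, data: bytes) -> str:
    """Compare the claimed extension with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".pdf" and not data.startswith(b"%PDF"):
        return "dotnet-pe-as-pdf" if is_dotnet_pe(data) else "not-a-pdf"
    if ext in (".mp4", ".mov") and data[4:8] != b"ftyp":
        # No ftyp box plus near-maximal entropy is what an encrypted payload looks like.
        return "encrypted-blob-as-video" if shannon_entropy(data) > 7.5 else "not-a-video"
    return "ok"

# Constructed samples (not real malware): a minimal PE32 header with a populated CLI
# directory, and a uniformly distributed byte blob standing in for the encrypted payload.
def fake_dotnet_pe() -> bytes:
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2008, 72)   # CLI header RVA/size
    return bytes(img)

FAKE_VIDEO = bytes(range(256)) * 16

if __name__ == "__main__":
    print(triage("notice.pdf", fake_dotnet_pe()))   # dotnet-pe-as-pdf
    print(triage("clip.mov", FAKE_VIDEO))           # encrypted-blob-as-video
```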
Tradecraft
26 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.