🇺🇸 US29 malware families

TAO

Also known asTAO

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Technology Hardware & Equipment
Telecommunication Services
Military

Where they target

Geographies tied to known operations.

🇨🇳 China
🇮🇶 Iraq
🇮🇷 Iran

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics33 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

6 techniques

T1078

Valid Accounts

T1189×3

Drive-by Compromise

T1190×3

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1566×2

Phishing

T1659

Content Injection

TA0002

Execution

3 techniques

T1059

Command and Scripting Interpreter

T1203×2

Exploitation for Client Execution

T1574

Hijack Execution Flow

T1574.013

KernelCallbackTable

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1556

Modify Authentication Process

TA0004

Privilege Escalation

1 technique

T1078

Valid Accounts

TA0005

Stealth

3 techniques

T1070

Indicator Removal

T1078

Valid Accounts

T1574

Hijack Execution Flow

T1574.013

KernelCallbackTable

TA0112

Defense Impairment

1 technique

T1556

Modify Authentication Process

TA0006

Credential Access

3 techniques

T1040

Network Sniffing

T1556

Modify Authentication Process

T1557×2

Adversary-in-the-Middle

TA0007

Discovery

3 techniques

T1040

Network Sniffing

T1082

System Information Discovery

T1614

System Location Discovery

TA0008

Lateral Movement

1 technique

T1570

Lateral Tool Transfer

TA0009

Collection

1 technique

T1557×2

Adversary-in-the-Middle

TA0011

Command and Control

5 techniques

T1090

Proxy

T1090.003

Multi-hop Proxy

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

T1573

Encrypted Channel

T1659

Content Injection

TA0010

Exfiltration

1 technique

T1041×2

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

29 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

FOXACIDAfter identifying an individual Tor user on the Internet, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FoxAcid, to infect the user’s computer.3May 26, 2026

Beach HeadThe documentation mentions United Rake, Peddle Cheap, Packet Wrench, and Beach Head — all delivered from a FOXACID subsystem called Ferret Cannon.1May 26, 2026

CLOWN FOODSchool of Magic, Clown Food, and Cursed Fire: These NSA tools were specifically designed for extracting sensitive files from telecom and defense research systems.1May 24, 2026

COMMENDEERFor computers and networks that have firewalls and other security systems in place, the NSA uses QUANTUMNATION, a tool that will scan defenses using software dubbed VALIDATOR to find an exploitable hole, and then use it to seize control using code dubbed COMMENDEER.1May 26, 2026

CUNNING HERETICSCUNNING HERETICS: A lightweight implant that established encrypted communication channels for NSA to remotely reactivate access points even after clean up attempts.1May 24, 2026

24 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

foreign policyNews

Jun 10, 2013

Inside the NSA’s Ultra-Secret China Hacking Group - Foreign Policy

A highly secretive NSA cyber operations unit conducting computer network exploitation against foreign targets, including long-term penetration of Chinese computer and telecommunications systems, credential cracking, data theft, implant deployment, and intelligence collection. It also develops access and capabilities that could support destructive cyberattacks by U.S. Cyber Command.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping21

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal29

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.