SEQUIN CARP
SEQUIN CARP is a China-aligned phishing cluster identified by Citizen Lab and linked to digital transnational repression and espionage activity aligned with Chinese government interests. Citizen Lab assessed with high confidence that the attacks were carried out at the request of the Chinese government, and with medium confidence that commercial contractors in China’s Military-Civil Fusion ecosystem may have conducted the campaign. The cluster has been active since at least June 2025. It was identified as a distinct cluster operating in parallel with GLITTER CARP, and it shares similarities with Volexity’s UTA0388 and Trend Micro’s TAOTH.

SEQUIN CARP primarily targeted journalists, including ICIJ journalist Scilla Alecci and other international journalists reporting on topics of interest to the Chinese government, especially reporting on Chinese transnational repression and the ICIJ “China Targets” investigation. Broader reporting also places SEQUIN CARP in a parallel activity track, alongside GLITTER CARP, targeting Uyghur, Tibetan, Taiwanese, and Hong Kong critics, diaspora activists, and investigative journalists.

The group employs highly targeted phishing and social engineering, including personas based on real individuals. Reported tradecraft includes credential phishing and, notably, OAuth consent phishing to obtain persistent access to victims’ email accounts without ever needing their passwords. SEQUIN CARP abused legitimate Google OAuth 2.0 authorization flows: it requested the https://mail.google.com/ scope (full Gmail access) and set access_type=offline so that a refresh token was issued to the attacker-controlled application. The reporting notes that such tokens could survive password changes, so the effective remediation is to revoke the application’s grant in the account’s third-party access settings, not just to reset the password. Citizen Lab also reported use of cloud-hosted phishing pages and of the legitimate Chinese push-notification service sctapi.ftqq[.]com to beacon browser fingerprints and victim identifiers when phishing links were clicked. The cluster has also been described as using impersonation emails and credential-harvesting pages.
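The consent-phishing pattern above (a Google authorization link asking for the https://mail.google.com/ scope with access_type=offline, followed by a persistent grant on the victim's account) can be triaged from two angles: the link itself, as it appears in a suspicious email, and the OAuth grant events an admin can later export. The following is an added example of both checks; it is not code from Citizen Lab, Mallory, or any of the reporting sources. The URL, client IDs, app names, hosts and grant events are constructed placeholders, and the event shape is a simplified stand-in for a real audit-log export rather than any vendor's schema.

```python
"""Triage helpers for Gmail OAuth consent-phishing links and grants.

Added example, not code from the reporting sources. All sample data below
(URLs, client IDs, app names, hosts, events) is constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Google's OAuth 2.0 authorization endpoint lives under this host and path.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATH = "/o/oauth2/"

# Scopes that hand a third party the whole mailbox. https://mail.google.com/
# is the one reported for SEQUIN CARP; the gmail.* scopes give nearly the same
# reach with a less conspicuous scope string, so they are flagged as well.
BROAD_MAIL_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
})


def parse_authorize_url(url):
    """Return the OAuth 2.0 request parameters of a Google consent link,
    or None when the URL is not Google's authorization endpoint."""
    u = urlparse(url)
    if u.hostname != GOOGLE_AUTH_HOST or not u.path.startswith(GOOGLE_AUTH_PATH):
        return None
    q = parse_qs(u.query)
    scopes = set()
    for value in q.get("scope", []):      # space-separated; '+' decodes to space
        scopes.update(value.split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "access_type": q.get("access_type", ["online"])[0],
        "prompt": q.get("prompt", [""])[0],
    }


def consent_phish_findings(url, trusted_client_ids=frozenset()):
    """List why a consent link matches the pattern: full-mailbox scope, a
    refresh token requested via access_type=offline, a forced consent screen,
    and (when a sanctioned list is supplied) an unknown client_id."""
    p = parse_authorize_url(url)
    if p is None:
        return []
    findings = []
    if p["scopes"] & BROAD_MAIL_SCOPES:
        findings.append("full-mailbox scope requested")
    if p["access_type"] == "offline":
        findings.append("access_type=offline: a refresh token will be issued")
    if "consent" in p["prompt"].split():
        findings.append("prompt=consent: re-prompts even if already granted")
    if trusted_client_ids and p["client_id"] not in trusted_client_ids:
        findings.append("client_id not in the sanctioned app list")
    return findings


def risky_grants(events, trusted_client_ids=frozenset()):
    """Hunt over OAuth grant events for full-mailbox scopes given to apps
    that are not sanctioned. Each event is a dict with user, event,
    client_id, app_name and scopes (simplified, constructed shape)."""
    hits = []
    for e in events:
        if e.get("event") != "authorize":
            continue
        if set(e.get("scopes", [])) & BROAD_MAIL_SCOPES and e["client_id"] not in trusted_client_ids:
            hits.append((e["user"], e["app_name"], e["client_id"]))
    return hits


# Constructed sample data (placeholders, not real indicators).
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-attacker.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Flure.example.invalid%2Fcallback"
    "&response_type=code&scope=https%3A%2F%2Fmail.google.com%2F+openid+email"
    "&access_type=offline&prompt=consent"
)
SANCTIONED = frozenset({"000000000000-corp.apps.googleusercontent.com"})
SAMPLE_EVENTS = [
    {"user": "reporter@example.invalid", "event": "authorize",
     "client_id": "000000000000-attacker.apps.googleusercontent.com",
     "app_name": "Secure Mail Viewer", "scopes": ["https://mail.google.com/", "openid"]},
    {"user": "editor@example.invalid", "event": "authorize",
     "client_id": "000000000000-cal.apps.googleusercontent.com",
     "app_name": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"user": "editor@example.invalid", "event": "authorize",
     "client_id": "000000000000-corp.apps.googleusercontent.com",
     "app_name": "Corporate Mail Client", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]},
    {"user": "reporter@example.invalid", "event": "revoke",
     "client_id": "000000000000-attacker.apps.googleusercontent.com",
     "app_name": "Secure Mail Viewer", "scopes": []},
]

if __name__ == "__main__":
    for finding in consent_phish_findings(PHISH_URL, SANCTIONED):
        print("phish link:", finding)
    for user, app, cid in risky_grants(SAMPLE_EVENTS, SANCTIONED):
        print("review grant:", user, app, cid)
```

The link check is only a triage signal: many legitimate mail clients ask for the same scope and a refresh token, which is why the unknown-client finding depends on a sanctioned-app list. The grant hunt is what catches a victim who already clicked through; a hit there should be followed by revoking the grant and reviewing mailbox forwarding and filter rules, since a refresh token is unaffected by a password reset until the grant is removed.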
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Independent Media
- Non-Governmental Organizations
Where they're from
Attributed origin per open-source reporting.
- CN (China)
Tradecraft
8 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Observables
12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news:
- China-affiliated phishing cluster targeting journalists and civil society through impersonation-led phishing, credential harvesting, and OAuth access theft in support of Chinese government intelligence priorities.
- Related phishing campaign focused on surveillance and repression of diaspora activists and journalists by stealing email credentials or third-party access tokens.
- OAuth consent phishing campaign targeting journalists reporting on China-related issues, especially ICIJ’s China Targets investigation. The group uses co-opted narratives and fabricated or hijacked personas to socially engineer victims into granting persistent third-party access to Gmail accounts.