🇨🇳

Chimera

APT Group Information theft and espionage 6 zero-day CVEs ETDA ✓

Also Known As 7 names

G0114 THORIUM Bronze Vapor Chimera Tumbleweed Typhoon Nuclear Taurus Red Charon

Target Countries 4

Countries highlighted in red

Germany Netherlands Province of China Taiwan United States

Sectors Targeted

Computer Systems Design and Related Services 54151 Aviation Pharmaceutical and Medicine Manufacturing 32541 High-Tech Air Transportation 481 Computer and Electronic Product Manufacturing 334 Semiconductor Industry

Details

Origin 🇨🇳 CN

Last Updated 11 May 2024

MITRE ATT&CK 95

T1003 - OS Credential Dumping T1003.003 T1007 T1012 - Query Registry T1016 T1018 T1021 - Remote Services T1021.001 T1021.002 T1021.006 T1027 T1027.010 T1033 T1036 T1036.005 T1039 T1041 T1046 T1047 T1049 T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1057 T1059 T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.005 - Visual Basic T1059.006 - Python T1069 T1069.001 T1070 T1070.001 T1070.004 T1070.006 T1071 T1071.001 - Web Protocols T1071.004 T1074 T1074.001 T1074.002 T1078 T1078.002 T1078.003 T1082 T1083 T1087 T1087.001 T1087.002 T1102.002 - Bidirectional Communication T1105 T1106 - Native API T1110 T1110.003 T1110.004 T1111 T1114 T1114.001 T1114.002 T1119 T1124 T1133 T1135 T1140 - Deobfuscate/Decode Files or Information T1190 T1201 T1204 - User Execution T1204.002 - Malicious File T1213 T1213.002 T1217 T1482 T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1548.002 - Bypass User Account Control T1550 T1550.002 T1556 T1556.001 T1560 T1560.001 T1564.003 - Hidden Window T1566.001 T1567 T1567.002 T1569 T1569.002 T1570 T1572 T1574 T1574.001 - DLL Search Order Hijacking T1588 T1588.002 T1589 T1589.001 T1680

Related Zero-Days 6

CVE-2024-8190 CVE-2024-8963 CVE-2024-9380 CVE-2025-0282 CVE-2025-0283 CVE-2025-22457

Known Names 7 entries

Chimera CyCraft

Bronze Vapor SecureWorks

Red Charon PWC

THORIUM Microsoft

Tumbleweed Typhoon Microsoft

Nuclear Taurus Palo Alto

G0114 MITRE

Observed Target Countries 3

Based on ETDA data — countries highlighted in red

Netherlands Taiwan different geographical areas

Description

(CyCraft) For nearly two years, our team monitored several attacks that targeted Taiwan’s semiconductor vendors. We believe these attacks originated from the same threat actor – Chimera – as these attacks utilized similar tactics, techniques and even the same customized malware. The actor likely harvested various valid credentials via phishing emails or data breaches as their starting point to conduct their cyber attack on the vendors. Cobalt Strike was later used as their main RAT tool. To avoid detection, the Cobalt Strike RAT was often masqueraded as a Google Chrome Update. The RAT would then connect back to their C2 server. As these servers were in a public cloud server, it made it difficult to track. Subsequently, by compromising the AD server, the delicate malware – SkeletonKeyInjector – was invoked to implant a general key to allow LM, persistence and defense evasion. Although this malware was discovered for the first time, we have high confidence that these attacks were conducted by the same threat actor. Based on the stolen data, we infer that the actor’s goal was to harvest company trade secrets. The motive may be related to business competition or a country’s industrial strategy.

Tools Used 2

Cobalt Strike SkeletonKeyInjector

Operations 3

2017 Late Hackers spent 2+ years looting secrets of chipmaker NXP before being detected https://arstechnica.com/security/2023/11/hackers-spent-2-years-looting-secrets-of-chipmaker-nxp-before-being-detected/

2018 Late Operation “Skeleton Key” https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf

2019-10 NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry. https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

Reports & References 1

https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf

ETDA Profile

Chimera

Origin

China

First Seen 2018

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0114/

View on ETDA APT Groups ↗