🇨🇳

Velvet Ant

APT Group Information theft and espionage 4 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

United States

Sectors Targeted

Computer Systems Design Services 541512 Computer Systems Design and Related Services 54151

Details

Origin 🇨🇳 CN

Last Updated 02 Jan 2026

Malware Families 4

sorgu

unidentified_075

NewCore

darkstrat

MITRE ATT&CK 48

T1003 - OS Credential Dumping T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1021 - Remote Services T1021.002 T1036 - Masquerading T1036.005 T1037 - Boot or Logon Initialization Scripts T1037.004 T1039 - Data from Network Shared Drive T1040 - Network Sniffing T1047 - Windows Management Instrumentation T1048 - Exfiltration Over Alternative Protocol T1049 - System Network Connections Discovery T1055 - Process Injection T1059 - Command and Scripting Interpreter T1059.004 T1070 - Indicator Removal on Host T1071 - Application Layer Protocol T1078 - Valid Accounts T1078.003 T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 - Account Discovery T1090 - Proxy T1090.001 T1102 - Web Service T1105 - Ingress Tool Transfer T1132 - Data Encoding T1133 - External Remote Services T1135 - Network Share Discovery T1187 - Forced Authentication T1211 T1546 - Event Triggered Execution T1562 - Impair Defenses T1562.001 T1562.004 T1569 - System Services T1569.002 T1570 - Lateral Tool Transfer T1571 T1572 - Protocol Tunneling T1573 T1573.002 T1574 - Hijack Execution Flow T1574.001 T1685 T1686

Related Zero-Days 4

CVE-2024-0012 CVE-2024-20399 CVE-2024-9474 CVE-2025-0282

Known Names 1 entries

Velvet Ant Sygnia

Observed Target Countries 1

Based on ETDA data — countries highlighted in red

East Asia

Description

(Sygnia) Velvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a prolonged presence in the organization’s on–premises network for about three years. The overall goal behind this campaign was to maintain access to the target network for espionage. The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company’s environment. One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C). After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection. The threat actor exploited various entry points across the victim’s network infrastructure, indicating a comprehensive understanding of the target’s environment.

Tools Used 6

EarthWorm ESRDE PlugX ShadowPad Winnti VELVETSTING VELVETTAP

Operations 1

2024-07 China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/ https://www.sygnia.co/blog/china-threat-group-velvet-ant-cisco-zero-day/

Reports & References 1

https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/

ETDA Profile

Velvet Ant

Origin

China

First Seen 2023

Motivation

Information theft and espionage

View on ETDA APT Groups ↗