🇨🇳

PassCV

APT Group Information theft and espionage 17 zero-day CVEs ETDA ✓

Also Known As

No alias recorded

Target Countries 4

Countries highlighted in red

China Republic of Korea Province of China Taiwan United States

Sectors Targeted

Online video game companies

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

MITRE ATT&CK 36

T1003 - OS Credential Dumping T1014 - Rootkit T1027 - Obfuscated Files or Information T1036 - Masquerading T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1055 - Process Injection T1056 - Input Capture T1059 - Command and Scripting Interpreter T1059.001 T1068 - Exploitation for Privilege Escalation T1070 - Indicator Removal on Host T1071.001 T1078 - Valid Accounts T1090 T1102 - Web Service T1110 - Brute Force T1112 - Modify Registry T1133 - External Remote Services T1136 - Create Account T1190 - Exploit Public-Facing Application T1195 - Supply Chain Compromise T1197 - BITS Jobs T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1480 - Execution Guardrails T1542 - Pre-OS Boot T1543 - Create or Modify System Process T1546 - Event Triggered Execution T1547 - Boot or Logon Autostart Execution T1553 - Subvert Trust Controls T1566 - Phishing T1569 - System Services T1574 - Hijack Execution Flow T1588 - Obtain Capabilities T1588.002 - Tool

Related Zero-Days 17

CVE-2021-1048 CVE-2021-37973 CVE-2021-37976 CVE-2021-38000 CVE-2021-38003 CVE-2023-2033 CVE-2023-2136 CVE-2023-3079 CVE-2023-41991 CVE-2023-41992 CVE-2023-41993 CVE-2023-4762 CVE-2024-3400 CVE-2024-4610 CVE-2025-48543 CVE-2025-62215 CVE-2025-6554

Known Names 1 entries

PassCV Blue Coat Systems

Observed Target Countries 6

Based on ETDA data — countries highlighted in red

China Russia South Korea Taiwan USA Europe

Description

(Cylance) Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. The PassCV group typically utilized publicly available RATs in addition to some custom code, which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae (CVs). PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT, which have remained a favorite of the wider Chinese criminal community since their initial public release.

Tools Used 7

Cobalt Strike Excalibur Gh0st RAT Kitkiot NetWire RC Winnti ZXShell

Reports & References 1

https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html

ETDA Profile

PassCV

Origin

China

First Seen 2016

Sponsor State-sponsored

Motivation

Information theft and espionage

View on ETDA APT Groups ↗