🇨🇳

Group 27

APT Group Information theft and espionage 55 zero-day CVEs ETDA ✓

Also Known As 17 names

ZipToken Linen Typhoon APT27 Lucky Mouse Iron Tiger Iron Taurus Red Phoenix G0027 BRONZE UNION TEMP.Hippo GreedyTaotie Circle Typhoon TG-3390 EMISSARY PANDA Earth Smilodon Budworm Group 35

Target Countries 17

Countries highlighted in red

Australia Canada China France United Kingdom Israel India Islamic Republic of Iran Japan Republic of Korea Netherlands Russian Federation Thailand Turkey Province of China Taiwan Ukraine United States

Sectors Targeted

Computer Systems Design Services 541512 Government Periodical Publishers 51112 Computer Systems Design and Related Services 54151 Telecommunications 517 NAICS:31 31 Professional, Scientific, and Technical Services 54 Utilities 22 Information 51 Religious, Grantmaking, Civic, Professional, and Similar Organizations 813 Computer Systems Design and Related Services 5415 National Security and International Affairs 9281 Publishing Industries (except Internet) 511 National Security and International Affairs 928110 Educational Services 61 Air Transportation 481 Public Administration 92 Grantmaking and Giving Services 8132 Other Services (except Public Administration) 81 Space Research and Technology 927 Private sector National Security and International Affairs 928

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 4

hyperssl

unidentified_080

twoface

polpo

MITRE ATT&CK 77

T1003 T1003.003 T1016 T1021 T1021.002 T1027 T1027.001 T1036 - Masquerading T1036.005 T1036.007 T1041 T1047 T1049 T1052.001 T1053.005 T1055 - Process Injection T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 T1059.003 T1059.005 T1070.004 T1071 T1071.001 T1074.001 T1078 T1082 T1083 T1090 T1091 T1102 T1105 T1113 T1119 T1134 - Access Token Manipulation T1140 T1189 T1190 - Exploit Public-Facing Application T1203 T1204 T1204.001 T1204.002 T1218 T1218.004 T1218.005 T1219 T1221 T1486 T1498.001 T1505 - Server Software Component T1505.003 - Web Shell T1518 T1530 - Data from Cloud Storage Object T1546.003 T1546.015 T1547 T1547.001 T1559 T1559.002 T1560.001 T1560.003 T1564.001 T1566.001 T1566.002 T1569 T1569.002 T1573.001 T1574.002 T1583 T1583.001 T1585.002 T1588 T1588.006 T1598 T1598.002 T1608 T1608.001

Related Zero-Days 55

CVE-2017-0199 CVE-2018-0802 CVE-2021-40539 CVE-2021-44228 CVE-2022-24521 CVE-2022-42475 CVE-2023-23376 CVE-2023-27350 CVE-2023-28252 CVE-2024-12356 CVE-2024-24919 CVE-2024-3400 CVE-2024-39717 CVE-2024-49039 CVE-2024-49138 CVE-2024-50623 CVE-2024-53150 CVE-2024-53197 CVE-2024-55591 CVE-2024-8190 CVE-2024-8963 CVE-2024-9380 CVE-2024-9680 CVE-2025-11371 CVE-2025-14847 CVE-2025-20333 CVE-2025-20337 CVE-2025-20362 CVE-2025-22224 CVE-2025-22225 CVE-2025-22226 CVE-2025-22457 CVE-2025-24201 CVE-2025-24983 CVE-2025-24984 CVE-2025-24985 CVE-2025-24991 CVE-2025-24993 CVE-2025-26633 CVE-2025-27363 CVE-2025-29824 CVE-2025-41244 CVE-2025-4427 CVE-2025-4428 CVE-2025-49704 CVE-2025-53770 CVE-2025-53771 CVE-2025-5419 CVE-2025-55182 CVE-2025-59287 CVE-2025-61882 CVE-2025-6218 CVE-2025-62221 CVE-2025-7775 CVE-2025-9491

Known Names 5 entries

Nightshade Panda CrowdStrike

APT 9 Mandiant

Group 27 ASERT

FlowerLady Context

FlowerShow Context

Observed Target Countries 4

Based on ETDA data — countries highlighted in red

Myanmar Thailand USA Europe

Description

(Softpedia) Arbor’s ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the group’s activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors. Named Trochilus, this new RAT was part of Group 27’s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim. This collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.

Tools Used 7

3102 RAT 9002 RAT EvilGrab RAT MoonWind RAT PlugX Poison Ivy Trochilus RAT

Operations 3

2015-05 Operation “Seven Pointed Dagger” During that campaign, the threat actor identified as Group 27 used watering hole attacks on official Myanmar government websites to infect unsuspecting users with the PlugX malware (an RAT) when accessing information on the upcoming Myanmar elections. https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/ http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf

2015-05 Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media https://unit42.paloaltonetworks.com/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

2016-09 From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly idenfied RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

ETDA Profile

Nightshade Panda, APT 9, Group 27

Origin

China

First Seen 2013

Motivation

Information theft and espionage

View on ETDA APT Groups ↗