Cyber Threats from China

Understand more about cyber threat actors and intrusion sets attributed to China.

Cyber Threat Graph

Explore how the related entities connect on the cyber threat graph.
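To make the "related entities" idea concrete, the following is an added example, not code from this page or its publisher, of a small in-memory threat graph built from a handful of the entries listed on this page. It keeps the three entity kinds the page uses (intrusion sets, threat actors, reports) and links them with STIX-style relationship names that are an assumption for this example (alias-of, attributed-to, describes). The useful part is alias resolution: vendor renames and overlaps are merged with union-find, so a query by one vendor's name (say, Zirconium) also returns reports and attributions filed under another vendor's name for the same cluster. Treating a reported overlap (Violet Typhoon and APT31) as an alias is a modelling simplification; the sample data is constructed from this page's entries.

```python
"""Minimal in-memory cyber threat graph (added example, not the site's own code).

Sample data is constructed from entries on this page. Node types and relationship
names are STIX-style labels assumed for this example, not the site's schema.
"""


class ThreatGraph:
    """Nodes keyed by name; edges are (source, relationship, target) triples.
    'alias-of' edges are symmetric and merged with union-find so that a lookup
    by any vendor name reaches everything filed under another vendor's name."""

    def __init__(self):
        self.nodes = {}     # name -> 'intrusion-set' | 'threat-actor' | 'report'
        self.edges = []     # (src, relationship, dst)
        self._parent = {}   # union-find parent pointers for alias clusters

    def add(self, name, kind):
        self.nodes[name] = kind
        self._parent.setdefault(name, name)

    def relate(self, src, rel, dst):
        for n in (src, dst):
            if n not in self.nodes:
                raise KeyError(f"unknown node: {n!r}")
        self.edges.append((src, rel, dst))
        if rel == "alias-of":
            self._union(src, dst)

    def _find(self, n):
        while self._parent[n] != n:
            self._parent[n] = self._parent[self._parent[n]]  # path halving
            n = self._parent[n]
        return n

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def aliases(self, name):
        """All names in the same alias cluster as `name`, including `name` itself."""
        root = self._find(name)
        return sorted(n for n in self.nodes if self._find(n) == root)

    def attributed_to(self, name):
        """Threat actors reached via 'attributed-to' from any alias of `name`."""
        cluster = set(self.aliases(name))
        return sorted({d for s, r, d in self.edges if r == "attributed-to" and s in cluster})

    def reports_for(self, name):
        """Reports that 'describe' any alias of `name`."""
        cluster = set(self.aliases(name))
        return sorted({s for s, r, d in self.edges if r == "describes" and d in cluster})


# Constructed sample: report titles and subjects taken from entries on this page.
REPORTS = {
    "APT1: Exposing One of China's Cyber Espionage Units": "APT1",
    "ANALYSIS OF THE APT31 INDICTMENT": "APT31",
    "HAFNIUM targeting Exchange Servers with 0-day exploits": "HAFNIUM",
    "Silk Typhoon targeting IT supply chain": "Silk Typhoon",
    "RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale": "RedHotel",
    "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection": "Volt Typhoon",
}


def build_sample_graph():
    """Build the constructed sample graph from a handful of this page's entries."""
    g = ThreatGraph()
    for name in ("APT1", "APT31", "Zirconium", "Violet Typhoon", "HAFNIUM", "Silk Typhoon",
                 "TAG-22", "RedHotel", "Insidious Taurus", "Volt Typhoon", "Tonto Team"):
        g.add(name, "intrusion-set")
    for name in ("PLA Unit 61398", "PLA Unit 65017"):
        g.add(name, "threat-actor")
    for title, subject in REPORTS.items():
        g.add(title, "report")
        g.relate(title, "describes", subject)

    # Vendor renames and reported overlaps stated in this page's entries.
    # Modelling the Violet Typhoon / APT31 overlap as an alias is a simplification.
    g.relate("Zirconium", "alias-of", "Violet Typhoon")
    g.relate("Violet Typhoon", "alias-of", "APT31")
    g.relate("HAFNIUM", "alias-of", "Silk Typhoon")
    g.relate("TAG-22", "alias-of", "RedHotel")
    g.relate("Insidious Taurus", "alias-of", "Volt Typhoon")

    # Attributions stated on this page (APT1 report; Tonto Team / PLA Unit 65017 entry).
    g.relate("APT1", "attributed-to", "PLA Unit 61398")
    g.relate("Tonto Team", "attributed-to", "PLA Unit 65017")
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    for query in ("Zirconium", "TAG-22", "Insidious Taurus", "Tonto Team"):
        print(query, "->", graph.aliases(query), graph.attributed_to(query), graph.reports_for(query))
```

Querying `reports_for("Zirconium")` returns the APT31 indictment analysis even though no report on the page is filed under the Microsoft name, and `reports_for("HAFNIUM")` returns both the HAFNIUM and Silk Typhoon reports; that cross-vendor reach is what an alias cluster buys you, and also why a single wrong alias edge silently merges two unrelated groups, so alias links deserve the same sourcing discipline as attributions.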

Intrusion Sets

Cyber intrusion sets attributed to China.

IntrusionSet

APT1

APT1 was one of the first publicly attributed advanced persistent threats following the APT1 report published by Mandiant. Mandiant linked them to ...

IntrusionSet

APT2

APT2 is an intrusion set tracked by Mandiant. The group was first observed in 2010 and has been observed conducting theft of intellectual property.

IntrusionSet

APT3

APT3 is an intrusion set which Mandiant attribute to China. Mandiant reports that the group has targeted organisations in aerospace and defense, ...

IntrusionSet

APT31

APT31, attributed to China, is a cyber espionage actor. The group's primary focus is to obtain information that can provide the Chinese government ...

IntrusionSet

APT40

APT40 is a threat actor originally identified by researchers at Mandiant and attributed to the Chinese government. A 2021 US Department of Justice ...

IntrusionSet

APT41

APT41 is a Chinese state-sponsored group involved in espionage and cyber crime, targeting sectors aligned with China's economic plans. The group ...

IntrusionSet

BRONZE PRESIDENT

BRONZE PRESIDENT is an intrusion set tracked by Secureworks and linked to the Chinese government. The group has been active since at least 2018, ...

IntrusionSet

BlackTech

BlackTech is a cyber espionage group reported as being active since at least 2010 and linked to the People's Republic of China. The group is known ...

IntrusionSet

Earth Estries

Earth Estries is a Chinese advanced persistent threat (APT) group tracked by Trend Micro. The group has been observed actively targeting critical ...

IntrusionSet

Earth Hundun

Earth Hundun is a cyber espionage intrusion set tracked by researchers at Trend Micro. The group is believed to be based in China and has been ...

IntrusionSet

Earth Krahang

Earth Krahang is an intrusion set tracked by researchers at Trend Micro since early 2022. The group has been observed targeting government ...

IntrusionSet

Earth Lusca

Earth Lusca is an intrusion set which has been observed by Trend Micro since 2021. The group use spear phishing and watering holes to gain initial ...

IntrusionSet

Ethereal Panda

ETHEREAL PANDA is a China-based intrusion set tracked by CrowdStrike, with suspected overlap with Flax Typhoon (an intrusion set tracked by ...

IntrusionSet

Evasive Panda

Evasive Panda is an intrusion set originally identified by researchers from Malwarebytes. The group has been active since at least 2014 and is ...

IntrusionSet

Evil Eye

Evil Eye is an intrusion set tracked by Volexity researchers since at least 2019. According to Volexity, Evil Eye has been observed targeting ...

IntrusionSet

EvilBamboo

EvilBamboo is a cyber intrusion set tracked by researchers at Volexity. The group was originally tracked under the name Evil Eye. According to ...

IntrusionSet

Flax Typhoon

Flax Typhoon is a cyber intrusion set tracked by researchers at Microsoft Threat Intelligence who attribute the group as a nation-state adversary ...

IntrusionSet

GhostEmperor

GhostEmperor is an advanced attacker originally identified by researchers from Kaspersky in 2021. The group has been observed using advanced ...

IntrusionSet

HAFNIUM

HAFNIUM is an intrusion set originally identified by Microsoft researchers. In March 2021, HAFNIUM were observed targeting Microsoft Exchange ...

IntrusionSet

Horde Panda

HORDE PANDA is a China-based intrusion set tracked by CrowdStrike with a likely intelligence collection mission. Active since at least mid-2023, ...

IntrusionSet

Insidious Taurus

Insidious Taurus is an intrusion set identified by researchers at Palo Alto Networks which is also known as Volt Typhoon. The group have been called out by ...

IntrusionSet

JACKPOT PANDA

JACKPOT PANDA is a cyber intrusion set tracked by CrowdStrike who state that the actor has been active since at least May 2020 and likely operates ...

IntrusionSet

Leviathan

Leviathan is a cyber espionage actor originally identified by researchers at Proofpoint who report the actor as being active since at least 2014. ...

IntrusionSet

Liminal Panda

LIMINAL PANDA is a China-nexus state-sponsored actor tracked by CrowdStrike that has been targeting telecommunications entities since at least ...

IntrusionSet

Muddling Meerkat

Muddling Meerkat is an actor tracked by researchers at Infoblox and assorted partners. Infoblox suggest that the group appear to be a People's ...

IntrusionSet

Mustang Panda

MUSTANG PANDA is an adversary attributed to China and originally identified by CrowdStrike. The group has been observed using exploits and ...

IntrusionSet

Naikon

The Naikon intrusion set has reportedly been active since 2010. Threat researchers from Kaspersky, ThreatConnect, Bitdefender and more have ...

IntrusionSet

Night Dragon

Night Dragon is a threat identified by McAfee in 2011 and reported as being active since at least 2009. McAfee describe the associated activity as ...

IntrusionSet

Operator Panda

OPERATOR PANDA is an intrusion set tracked by CrowdStrike since November 2024 which shows overlap with the group known as Salt Typhoon ...

IntrusionSet

Putter Panda

Putter Panda is an intrusion set identified by CrowdStrike and attributed to China.

IntrusionSet

RedAlpha

The RedAlpha group is an advanced persistent threat (APT) group tracked by analysts at Recorded Future. The group is thought to have been active ...

IntrusionSet

RedFoxtrot

RedFoxtrot is a suspected Chinese state-sponsored intrusion set tracked by Recorded Future's Insikt Group and linked to the People's Liberation ...

IntrusionSet

RedHotel

RedHotel is a group tracked by Recorded Future's Insikt Group and formerly referred to as TAG-22. RedHotel is a highly active Chinese state- ...

IntrusionSet

RedJuliett

RedJuliett is a likely Chinese state-sponsored cyber threat actor tracked by Recorded Future, primarily engaged in cyber-espionage activities ...

IntrusionSet

Salt Typhoon

Salt Typhoon is a threat actor tracked by researchers at Microsoft. The group is believed to be sponsored by the People's Republic of China (PRC), ...

IntrusionSet

Silk Typhoon

Silk Typhoon is an intrusion set originally identified by Microsoft researchers. In March 2021, the group was observed targeting Microsoft ...

IntrusionSet

Storm-0558

Storm-0558 is an intrusion set tracked by researchers at Microsoft and attributed as a China based threat actor. In May 2023, the group was able ...

IntrusionSet

TAG-22

TAG-22 is an intrusion set tracked by Recorded Future and later designated as RedHotel. The group shows overlaps with the 'Winnti Group' and is ...

IntrusionSet

TeleBoyi

TeleBoyi is an intrusion set tracked by TeamT5. According to researchers, TeleBoyi is a China-nexus group which has been active since at least ...

IntrusionSet

Tonto Team

Tonto Team is an intrusion set which has been linked to China and observed targeting military, diplomatic and infrastructure organisations in Asia ...

IntrusionSet

UNC2630

UNC2630 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...

IntrusionSet

UNC2717

UNC2717 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...

IntrusionSet

UNC3886

UNC3886 is an intrusion set tracked by researchers at Google's Mandiant. Although the group has not been formally attributed or identified as a ...

IntrusionSet

UNC5174

UNC5174 is an uncategorised intrusion set tracked by Mandiant. Although UNC5174 has not been formally designated, Mandiant state with moderate ...

IntrusionSet

Violet Typhoon

Violet Typhoon is an intrusion set tracked by Microsoft and formerly known as ZIRCONIUM. The group, who Microsoft link to APT31, is attributed to ...

IntrusionSet

Volt Typhoon

Volt Typhoon is a cyber intrusion set first identified by Microsoft. Threat researchers at Microsoft state that the group has been active since ...

IntrusionSet

Wicked Panda

WICKED PANDA is an intrusion set tracked by researchers at CrowdStrike who they identify as 'one of the most prolific and effective China-based ...

IntrusionSet

Wicked Spider

WICKED SPIDER is an intrusion set tracked by CrowdStrike. The actor behind WICKED SPIDER operates with two distinct motivations: targeted ...

IntrusionSet

Winnti

Over time, Winnti (also known as Winnti Group) has become an umbrella term which likely covers multiple overlapping threat groups linked to the ...

IntrusionSet

Zirconium

Zirconium is an intrusion set tracked by Microsoft, which shows overlap with APT31. Microsoft subsequently renamed the group as 'Violet Typhoon'. ...

Threat Actors

Cyber threat actors attributed to China.

ThreatActor

Chengdu 404

Chengdu 404, or Chengdu 404 Network Technology is a PRC (People's Republic of China) company which has been identified by the US justice ...

ThreatActor

Chinese Ministry of State Security

The Chinese Ministry of State Security (MSS) has been linked by CISA and other agencies to multiple cyber APTs (Advanced Persistent Threats). CISA ...

ThreatActor

Guangzhou Boyu Information Technology Company (Boyusec)

Guangzhou Boyu Information Technology Company, known as Boyusec, is a Chinese company based in Guangzhou with reported links to the Chinese ...

ThreatActor

Hainan State Security Department

According to the US Department of Justice, Hainan State Security Department (HSSD) is a provincial arm of China’s Ministry of State Security ...

ThreatActor

Hainan Xiandun Technology Development Company

According to the US Department of Justice, Hainan Xiandun Technology Development Co. Ltd (Hainan Xiandun) was established as a front company by ...

ThreatActor

People’s Liberation Army (PLA) Unit 61398

PLA 61398's full title is China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover ...

ThreatActor

People’s Liberation Army (PLA) Unit 61486

In June 2014, CrowdStrike researchers identified Chinese PLA 3rd Department 12th Bureau Unit 61486 as the threat actor likely to be behind the ...

ThreatActor

People’s Liberation Army (PLA) Unit 65017

PLA Unit 65017 was identified by FireEye as the Chinese cyber threat actor potentially behind the Tonto Team intrusion set.

ThreatActor

People’s Liberation Army (PLA) Unit 69010

According to analysis by Recorded Future, Unit 69010 is likely the Military Unit Cover Designator (MUCD) for a Technical Reconnaissance Bureau ...

ThreatActor

People’s Liberation Army (PLA) Unit 78020

The Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau, or PLA Unit 78020, was identified by ...

ThreatActor

Wuhan Xiaoruizhi Science and Technology Company Limited

According to the US and UK governments, Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) is a front company for China's ...

ThreatActor

i-SOON

According to public reporting, i-SOON is a Chinese cyber security company which develops malware and carries out cyber espionage operations on ...

Threat Reports

Publicly available threat reporting on cyber attacks and campaigns attributed to China.

Report

APT1: Exposing One of China's Cyber Espionage Units

The APT1 report represents years of work by Mandiant, who analysed data across hundreds of breaches globally. The report identifies APT1 as a ...

Report

Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation

This report by Recorded Future's Insikt Group details activity by RedJuliett between November 2023 and April 2024. RedJuliett, also known by ...

Report

Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector

This blog post describes LIMINAL PANDA, a China-nexus advanced persistent threat (APT) group identified by CrowdStrike, active since at least ...

Report

Silk Typhoon targeting IT supply chain

Silk Typhoon is a sophisticated Chinese state-sponsored espionage group tracked by Microsoft Threat Intelligence. The group has been identified as ...

Report

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

This blog post by researchers at Cisco Talos outlines a malicious campaign which they identified targeting a government-affiliated research ...

Report

GhostEmperor: From ProxyLogon to kernel mode

Public APT reporting from Kaspersky which outlines the GhostEmperor threat actor, including details of victimology and tooling. GhostEmperor is a ...

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

Report

APT41 Has Arisen From the DUST

This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistics, media, technology and ...

Report

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...

Report

Flax Typhoon using legitimate software to quietly access Taiwanese organizations

This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...

Report

ANALYSIS OF THE APT31 INDICTMENT

Blog post providing analysis of a March 2024 US Department of Justice indictment of 7 hackers associated with APT31. The post details attribution ...

Report

MUDDLING MEERKAT: THE GREAT FIREWALL MANIPULATOR

This research from Infoblox details a sophisticated cyber operation involving DNS queries, open DNS resolvers, and China's Great Firewall, ...

Report

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021

This short post from Mandiant researchers details how UNC3886 were observed exploiting a zero-day vulnerability in VMware vCenter Server for approximately ...

Report

Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation

This blog post by threat researchers at Mandiant outlines intrusion activity by the UNC3886 intrusion set which involved the deployment of ...

Report

APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation

This 2019 report by researchers at FireEye threat intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...

Report

Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide

This presentation from TeamT5 describes the intrusion set they refer to as TeleBoyi and was presented at JPCERT's JSAC2024 conference on January ...

Report

Review of the Summer 2023 Microsoft Exchange Online Intrusion

This report by the US Cyber Safety Review Board presents the findings of an investigation into compromise of Microsoft Exchange Online mailboxes ...

Report

Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT

This report by the Dutch AIVD and MIVD is a cybersecurity advisory covering activity which they attribute to Chinese threat actors. The report ...

Report

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...

Report

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...

Report

Putter Panda Intelligence Report

This intelligence report published by CrowdStrike outlines cyber espionage activity against Western companies which they attribute to Putter ...

Report

HAFNIUM targeting Exchange Servers with 0-day exploits

In March 2021 Microsoft detected multiple zero-day exploits being used as part of a widespread campaign by HAFNIUM / Silk Typhoon. This report ...

Report

Project CAMERASHY

This report by ThreatConnect and Defense Group Inc outlines activities by the Naikon APT (advanced persistent threat) group and attributes them to ...

Report

Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day

Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...

Report

RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale

This report from Recorded Future's Insikt Group outlines activity by the RedHotel intrusion set. RedHotel is identified as a prominent Chinese ...

Report

Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections

Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...

Report

Evasive Panda leverages Monlam Festival to target Tibetans

This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...

Report

I-Soon leak: KELA’s insights

This blog post outlines KELA's analysis of the 2024 I-SOON data leak. According to the article, I-Soon had relationships with Chinese governmental ...

Report

People's Republic of China-Linked Cyber Actors Hide in Router Firmware

This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...

Report

Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks

This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...

Report

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by intrusion sets attributed to China.