Clankerusecase
Threat-actor profile

🌐 admin@338

🌐 admin@338 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- Use cases: 14
- Articles: 0
- Techniques: 12
- IOCs: 0

About this actor (MITRE)

[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)

Known aliases

admin@338

Top techniques

All other tracked techniques

Detection use cases (14)

- admin@338 (G0018) cmd.exe-driven host-triage burst — canonical recon command sequence (AI · profile; S)
- admin@338 weaponised Office attachment → child process from user-writable directory (AI · profile; SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Email attachment opened from external sender (MITRE match)
- Attacker Tools On Endpoint (MITRE match)
- Cisco ASA - Reconnaissance Command Activity (MITRE match)