Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ APT1

🌐APT1

🌐 APT1 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 23 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0006) ↗
14Use cases
0Articles
23Techniques
0IOCs

About this actor (MITRE)

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)

Known aliases

APT1Comment CrewComment GroupComment Panda

Top techniques

T1003.001 · LSASS MemoryT1005 · Data from Local SystemT1007 · System Service Discovery

All other tracked techniques

T1016 · System Network Configuration DiscoveryT1021.001 · Remote Desktop ProtocolT1036.005 · Match Legitimate Resource Name or LocationT1049 · System Network Connections DiscoveryT1057 · Process DiscoveryT1059.003 · Windows Command ShellT1087.001 · Local AccountT1114.001 · Local Email CollectionT1114.002 · Remote Email CollectionT1119 · Automated CollectionT1135 · Network Share DiscoveryT1550.002 · Pass the HashT1560.001 · Archive via UtilityT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1583.001 · DomainsT1584.001 · DomainsT1585.002 · Email AccountsT1588.001 · MalwareT1588.002 · Tool

Detection use cases (14)

APT1 (Comment Crew / Unit 61398) canned domain-recon batch chain AI · profile S APT1 RAR staging for exfiltration — password-protected, multi-volume archive in user-writeable path AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Abnormal Security: malicious email opened MITRE match Click on URL whose host doesn't match the sender domain MITRE match Crypto-wallet file/keystore access by non-wallet process MITRE match Email attachment opened from external sender MITRE match LSASS process access / dump (credential theft) MITRE match Phishing-link click correlated to endpoint execution MITRE match