Threat-actor profile

← Back to main site

Home/ Threat Actors/ APT10

🇨🇳APT10

🇨🇳 APT10 is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 26 detection use cases to this actor across 60 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-02-26 to 2026-02-26.

crit 1

View full actor card → All threat actors MITRE ATT&CK group spec (G0045) ↗

26Use cases

1Articles

60Techniques

5IOCs

Known aliases

APT10Stone PandaMenuPassCloudhopperPotassiumBronze RiversidemenuPassCicadaPOTASSIUMRed ApolloCVNXHOGFISHBRONZE RIVERSIDE

Top techniques

T1027 · Obfuscated Files or Information T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain

All other tracked techniques

T1003.002 · Security Account Manager T1003.003 · NTDS T1003.004 · LSA Secrets T1005 · Data from Local System T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1021.004 · SSH T1027.013 · Encrypted/Encoded File T1036 · Masquerading T1036.003 · Rename Legitimate Utilities T1036.005 · Match Legitimate Resource Name or Location T1039 · Data from Network Shared Drive T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1055.012 · Process Hollowing T1056.001 · Keylogging T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1070.003 · Clear Command History T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1074.001 · Local Data Staging T1074.002 · Remote Data Staging T1078 · Valid Accounts T1083 · File and Directory Discovery T1087.002 · Domain Account T1090.002 · External Proxy T1105 · Ingress Tool Transfer T1106 · Native API T1119 · Automated Collection T1127.001 · MSBuild T1140 · Deobfuscate/Decode Files or Information T1199 · Trusted Relationship T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1210 · Exploitation of Remote Services T1218 · System Binary Proxy Execution T1218.004 · InstallUtil T1547.001 · Registry Run Keys / Startup Folder T1553.002 · Code Signing T1560 · Archive Collected Data T1560.001 · Archive via Utility T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1568.001 · Fast Flux DNS T1573.002 · Asymmetric Cryptography T1574.001 · DLL T1574.002 · T1574.002 T1583.001 · Domains T1588.002 · Tool

Detection use cases (26)

APT10 / MenuPass DLL sideloading: signed host EXE pairing with trojanised sibling DLL from user-writable path (LODEINFO / ANEL / PlugX) AI · profile SΣDD APT10 / Cloud Hopper MSP-style RDP fan-out followed by AD reconnaissance (csvde / adfind / nltest / net group) AI · profile SΣDD PlugX phishing lure — 'Meeting Invitation' email linking to gesecole.net ZIP Bespoke Renamed MSBuild.exe executing inline .csproj from user-writable path Bespoke PlugX DLL side-load — G DATA Avk.exe running from C:\Users\Public\GDatas\ Bespoke PlugX persistence — Run key 'G DATA' pointing to C:\Users\Public\GDatas\Avk.exe Bespoke PlugX C2 egress — connections to decoraat.net / decoorat.net / gesecole.net Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal Trusted vendor binary / installer launching unusual children Internal Network connections to article IPs / domains Internal File hash IOCs — endpoint file/process match Internal 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match

Threat-intel articles (1)

crit PlugX Meeting Invitation via MSBuild and GDATA · 2026-02-26

Tracked indicators

Domains (5)

decoorat.net decoraat.net gesecole.net onedow.gesecole.net onedown.gesecole.net