Home/ Threat Actors/ APT18

🇨🇳APT18

🇨🇳 APT18 is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0026) ↗

14Use cases

0Articles

12Techniques

0IOCs

About this actor (MITRE)

[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)

Known aliases

APT18TG-0416Dynamite PandaThreat Group-0416

Top techniques

T1027.013 · Encrypted/Encoded File T1053.002 · At T1059.003 · Windows Command Shell

All other tracked techniques

T1070.004 · File Deletion T1071.001 · Web Protocols T1071.004 · DNS T1078 · Valid Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1105 · Ingress Tool Transfer T1133 · External Remote Services T1547.001 · Registry Run Keys / Startup Folder

Detection use cases (14)

APT18 (Dynamite Panda) legacy at.exe scheduled-task persistence chained to cmd.exe payload AI · profile SΣ APT18 dropper-in-user-path → Run-key persistence → external HTTP beacon (HTTPBrowser/Gh0st chain) AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match