Clankerusecase
Threat-actor profile

🇨🇳 APT19

🇨🇳 APT19 is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 21 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group ID: G0073

- Use cases: 14
- Articles: 0
- Techniques: 21
- IOCs: 0

About this actor (MITRE)

[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Es

Known aliases

- APT19
- Codoso
- C0d0so0
- Codoso Team
- Sunshop Group


Detection use cases (14)

- APT19 (Codoso) Squiblydoo: regsvr32 fetching remote .sct via scrobj.dll (AI · profile SΣ)
- APT19 macro chain: Office app -> hidden PowerShell with base64 payload (AI · profile SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)
- Beaconing — periodic outbound to small set of destinations (MITRE match)
- Command injection exploited (WAF detection) (MITRE match)