Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ APT3

🇨🇳APT3

🇨🇳 APT3 is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 44 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0022) ↗
14Use cases
0Articles
44Techniques
0IOCs

About this actor (MITRE)

[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)

Known aliases

APT3Gothic PandaPirpiUPS TeamBuckeyeThreat Group-0110TG-0110

Top techniques

T1003.001 · LSASS MemoryT1005 · Data from Local SystemT1016 · System Network Configuration Discovery

All other tracked techniques

T1018 · Remote System DiscoveryT1021.001 · Remote Desktop ProtocolT1021.002 · SMB/Windows Admin SharesT1027 · Obfuscated Files or InformationT1027.002 · Software PackingT1027.005 · Indicator Removal from ToolsT1033 · System Owner/User DiscoveryT1036.010 · Masquerade Account NameT1041 · Exfiltration Over C2 ChannelT1049 · System Network Connections DiscoveryT1053.005 · Scheduled TaskT1056.001 · KeyloggingT1057 · Process DiscoveryT1059.001 · PowerShellT1059.003 · Windows Command ShellT1069 · Permission Groups DiscoveryT1070.004 · File DeletionT1074.001 · Local Data StagingT1078.002 · Domain AccountsT1082 · System Information DiscoveryT1083 · File and Directory DiscoveryT1087.001 · Local AccountT1090.002 · External ProxyT1095 · Non-Application Layer ProtocolT1098.007 · Additional Local or Domain GroupsT1104 · Multi-Stage ChannelsT1105 · Ingress Tool TransferT1110.002 · Password CrackingT1136.001 · Local AccountT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1218.011 · Rundll32T1543.003 · Windows ServiceT1546.008 · Accessibility FeaturesT1547.001 · Registry Run Keys / Startup FolderT1552.001 · Credentials In FilesT1555.003 · Credentials from Web BrowsersT1560.001 · Archive via UtilityT1564.003 · Hidden WindowT1566.002 · Spearphishing LinkT1574.001 · DLL

Detection use cases (14)

APT3 (Gothic Panda / Buckeye) accessibility-feature backdoor via Image File Execution Options debugger AI · profile SΣ APT3 RDP-pivot lateral movement preceded by LSASS credential extraction (Pirpi/SHOTPUT chain) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain MITRE match